How to configure local two-factor authentication with U2F on Ubuntu 19.10

This guide covers how to secure a local Linux login using the U2F feature on YubiKeys and Security Keys. This does not work with remote logins via SSH or other methods. The commands in the guide are for an Ubuntu (or Ubuntu based) system, but the instructions can be adapted for any distribution of Linux.

Step 1: Installing the required software

1. If you haven’t already, enable the Yubico PPA.

sudo add-apt-repository ppa:yubico/stable && sudo apt-get update

2. Open Terminal.
3. Run:

sudo apt-get install libpam-u2f

Step 2: Associating the U2F key(s) with your account

1. Open Terminal.
2. Insert your U2F Key.
3. Run:

mkdir ~/.config/Yubico

If you receive an error that this folder already exists, ignore it and proceed to the next step.
4. Run:

pamu2fcfg > ~/.config/Yubico/u2f_keys

5. When your device begins flashing, touch the metal contact to confirm the association.

If you have backup devices, use the steps below to associate them with your account. If you do not have a backup device available at this time, you can add one later using the steps below, as long as you still have access to your account. Warning: having a backup device is strongly recommended, so that if your device is lost or broken you will not be locked out of your computer.

1. Open Terminal.
2. Run:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

3. When your device begins flashing, touch the metal contact to confirm the association.

If you would like to add an additional layer of security, you can move the u2f_keys file to a location where sudo permission is needed to edit it (e.g. /etc). Create a directory named yubico (e.g. /etc/yubico), then move the file from ~/.config/Yubico to /etc/yubico by running:

sudo mv ~/.config/Yubico/u2f_keys /etc/yubico/u2f_keys

Once the u2f_keys file is moved to the safer location, the PAM configuration must also be modified for this to work: append authfile=/etc/yubico/u2f_keys to the end of the pam_u2f.so line that is added in Step 3, for example:

auth       required   pam_u2f.so authfile=/etc/yubico/u2f_keys

Warning: once you modify the /etc/pam.d/sudo file to require the YubiKey, if you lose or misplace the YubiKey you will not be able to modify the file to remove the YubiKey requirement.

Step 3: Configuring the system to use the U2F keys

1. Open Terminal.
2. Run:

sudo nano /etc/pam.d/sudo

3. Add the line below after the “@include common-auth” line.

auth       required   pam_u2f.so

4. Press Ctrl+X and then Enter to save and close the file.

Congrats! If your password was accepted this time, you have configured the system correctly and can continue to the next section to require the U2F key for login. Note: if you do not want to require the U2F key to run the sudo command, remove the line you added to the /etc/pam.d/sudo file.

Step 4: Configuring the system to require the YubiKey for login

1. Open Terminal.
2. If your system is Ubuntu 17.10 or newer, run:

sudo nano /etc/pam.d/gdm-password

If your system is Ubuntu 17.04 or older, run:

sudo nano /etc/pam.d/lightdm

3. Add the line below after the “@include common-auth” line.

auth       required   pam_u2f.so

4. Press Ctrl+X and then Enter to save and close the file.

Success! You will no longer be able to log in to the computer without the U2F device.
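Before closing your last working session, it is worth checking that the two files this guide edits are in the shape pam_u2f expects. The script below is an added example, not part of the guide or of pam_u2f itself; it assumes the central-file layout from Step 2 (u2f_keys moved under /etc/yubico and referenced with authfile=) and runs against constructed copies with placeholder key values, so it is safe to try offline.

```shell
# Added example, not from the guide: lint a pam_u2f setup on constructed copies of
# the two files it edits; point KEYS and PAMFILE at the real files to check a system.
set -u
WORKDIR=$(mktemp -d)
KEYS="$WORKDIR/u2f_keys"; PAMFILE="$WORKDIR/sudo"
# Constructed u2f_keys. pamu2fcfg prints "user:keyhandle,publickey" with no
# trailing newline, so a backup key appended with "pamu2fcfg -n >>" lands on
# the same line as ":keyhandle,publickey". The values are placeholders.
printf '%s' 'alice:KH_PRIMARY_PLACEHOLDER,PK_PRIMARY_PLACEHOLDER:KH_BACKUP_PLACEHOLDER,PK_BACKUP_PLACEHOLDER' > "$KEYS"
chmod 644 "$KEYS"

# Constructed /etc/pam.d/sudo as the guide leaves it, with the authfile option.
cat > "$PAMFILE" <<EOF
@include common-auth
auth       required   pam_u2f.so authfile=$KEYS
@include common-account
EOF

# Number of credentials registered for user $2 in file $1 (0 if absent): every
# ":"-separated field after the user name is one registered key.
count_credentials() {
    awk -F: -v u="$2" '$1 == u { print NF - 1; f = 1 } END { if (!f) print 0 }' "$1"
}

# Fail if any record lacks a user name, has no credential, or has a credential
# without both key handle and public key (newer pam_u2f adds fields after those).
check_u2f_keys() {
    awk -F: '
        NF < 2 || $1 == "" { print "line " NR ": malformed record"; bad = 1; next }
        { for (i = 2; i <= NF; i++) if (split($i, p, ",") < 2 || p[1] == "" || p[2] == "")
              { print "line " NR ": credential " i - 1 " incomplete"; bad = 1 } }
        END { exit bad + 0 }' "$1"
}

# A group- or world-writable central file lets another local user add a key of
# their own to someone else's record, so refuse those modes.
check_keys_perms() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w???? | ????????w?) echo "$1: group or world writable"; return 1 ;;
    esac
}

# The line must use the "required" control and name the same authfile;
# "sufficient" placed after common-auth would make a missing key non-fatal.
check_pam_line() {
    grep -Eq "^auth[[:space:]]+required[[:space:]]+pam_u2f\.so[[:space:]]+.*authfile=$2([[:space:]]|\$)" "$1"
}

check_u2f_keys "$KEYS" && check_keys_perms "$KEYS" && check_pam_line "$PAMFILE" "$KEYS" && echo "ok: alice has $(count_credentials "$KEYS" alice) credential(s)"
```

A non-zero exit from any of the three checks means the file would not behave as the guide describes; fix it while you still have a session that can run sudo.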

Source: Ubuntu Linux Login Guide – U2F