Passwordless login with Yubikey 5 NFC

You're right to be worried about locking yourself out. If your home directory is encrypted and you keep a Two-Factor Authentication authorization mapping file there, you will not be able to log in! That's why I always use a central authfile (/etc/u2f_mappings).

I suggest creating a second account while testing so you don't lock yourself out of your main account. Also, be sure to get a second 2FA key and register it as a backup in case you lose the first one.

How to enable passwordless login

Although you should be careful, the process is easy and straightforward. To make it even easier, I've written this so you can simply cut and paste the following commands into a terminal:

  1. sudo apt install libpam-u2f

  2. pamu2fcfg | sudo tee /etc/u2f_mappings

    # (At this point, press the button. You should see a long string of numbers. If you don't, make sure you have udev setup correctly.)

  3. sudo -i

  4. cd /etc/pam.d

  5. echo 'auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' > common-u2f

  6. for f in gdm-password lightdm sudo login; do
       mv $f $f~
       awk '/@include common-auth/ {print "@include common-u2f"}; {print}' $f~ > $f
     done

  7. exit

Notes

  • When logging in, you'll be prompted to touch your device if it is detected. Otherwise, you'll be asked to type in a password.

  • We use the term "sufficient" above so that either the password or the U2F key is sufficient to log in (as requested in the question). For a more typical Two-Factor Authentication login, "sufficient" would be replaced by the word "required" so that both would always be needed.

  • The u2f line in the pam.d files must come before @include common-auth, otherwise you'll be required to type in a password before the U2F key is checked.

  • I would be remiss if I didn't point out that using a "2FA" key in this way, while convenient, does not increase your security. In fact, you've only opened a second way to get into your account. But, that's not necessarily bad; not everybody needs high-security and a dongle like this can save you from having an easy to type, short, and vulnerable password.

And so much more!

By the way, these instructions aren't just for devices from Yubico. I'm using a key from Solokeys and it works great. Additionally, the setup works for both USB and NFC keys.

If you need more information, Yubico's instructions — as mentioned in the original question — are fairly informative. Also, see the man pages for pam_u2f and pamu2fcfg.


Here is my approach:

To enable passwordless sudo with the Yubikey, do the following:

  • Open Terminal.
  • Insert your U2F Key.
  • Run: mkdir -p ~/.config/Yubico
  • Run: pamu2fcfg > ~/.config/Yubico/u2f_keys
  • When your device begins flashing, touch the metal contact to confirm the association.

Now configure sudo to use the key when available (password otherwise) by editing the following file:

sudo nano /etc/pam.d/sudo

Add the auth line before the @include:

auth sufficient pam_u2f.so
@include common-auth

To use the Yubikey as a second factor in addition to your password, edit /etc/pam.d/sudo in the following way:

@include common-auth
auth       required   pam_u2f.so

where the auth line is after the @include.
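Both answers above hinge on the same two details: the pam_u2f line must be inserted once, and it must land on the correct side of @include common-auth ("sufficient" before it for password-or-key, "required" after it for password-and-key). The script below is an added example, not code from either answer. It rewrites a copy of a pam.d service file for either mode, refuses to add a second pam_u2f line, keeps a backup the way the first answer's loop does, and reports the resulting order so you can confirm the placement before touching anything under /etc/pam.d. The function names (pam_u2f_configure, pam_u2f_order, make_sample_sudo, demo) are this example's own, and the sample pam.d content is constructed here, not copied from a system.

```shell
#!/bin/sh
# Added example: place the pam_u2f line correctly in a pam.d file and verify the order.
# Run it on a scratch copy; it does not touch /etc/pam.d unless you point it there.

# Hypothetical helper. Usage: pam_u2f_configure FILE MODE [AUTHFILE]
#   MODE=passwordless -> 'auth sufficient pam_u2f.so ...' BEFORE '@include common-auth'
#   MODE=2fa          -> 'auth required   pam_u2f.so ...' AFTER  '@include common-auth'
# AUTHFILE is optional; without it pam_u2f falls back to its default per-user mapping file.
# Idempotent: a file that already contains a pam_u2f line is left untouched.
pam_u2f_configure() {
    file=$1
    mode=$2
    if [ -n "$3" ]; then
        opts="authfile=$3 cue"
    else
        opts="cue"
    fi
    if grep -q 'pam_u2f.so' "$file"; then
        echo "pam_u2f already configured in $file; not touching it" >&2
        return 0
    fi
    if ! grep -q '^@include common-auth' "$file"; then
        echo "no '@include common-auth' in $file; refusing to edit" >&2
        return 1
    fi
    case $mode in
        passwordless)
            line="auth sufficient pam_u2f.so $opts"
            # print the u2f line first, then the include line itself
            awk -v l="$line" '/^@include common-auth/ {print l} {print}' "$file" > "$file.new"
            ;;
        2fa)
            line="auth required pam_u2f.so $opts"
            # print the include line first, then the u2f line
            awk -v l="$line" '{print} /^@include common-auth/ {print l}' "$file" > "$file.new"
            ;;
        *)
            echo "unknown mode: $mode (expected passwordless or 2fa)" >&2
            return 1
            ;;
    esac
    cp "$file" "$file~"      # backup, as the first answer's loop does
    mv "$file.new" "$file"
}

# Hypothetical check: which comes first, the pam_u2f line or @include common-auth?
# Prints "u2f-first", "common-auth-first", or "missing".
pam_u2f_order() {
    u2f=$(grep -n 'pam_u2f.so' "$1" | head -n1 | cut -d: -f1)
    ca=$(grep -n '^@include common-auth' "$1" | head -n1 | cut -d: -f1)
    if [ -z "$u2f" ] || [ -z "$ca" ]; then
        echo missing
    elif [ "$u2f" -lt "$ca" ]; then
        echo u2f-first
    else
        echo common-auth-first
    fi
}

# Constructed sample in the shape of an Ubuntu /etc/pam.d/sudo (not copied from a system).
make_sample_sudo() {
    cat > "$1" <<'EOF'
#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
}

# Demo on a scratch copy; inspect the printed order before applying to a real file.
demo() {
    dir=$(mktemp -d)
    make_sample_sudo "$dir/sudo"
    pam_u2f_configure "$dir/sudo" passwordless /etc/u2f_mappings
    echo "passwordless: $(pam_u2f_order "$dir/sudo")"
    make_sample_sudo "$dir/sudo"
    pam_u2f_configure "$dir/sudo" 2fa
    echo "2fa: $(pam_u2f_order "$dir/sudo")"
    rm -rf "$dir"
}
```

Running `demo` prints `passwordless: u2f-first` and `2fa: common-auth-first`; anything else means the edit went to the wrong side of the include, which is exactly the situation the first answer warns about (you get asked for a password before the key is ever checked). To apply it for real, run `pam_u2f_configure /etc/pam.d/sudo passwordless /etc/u2f_mappings` as root, keep a second root shell open, and test sudo from another terminal before closing it.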