BEFORE YOU START: IT IS HIGHLY RECOMMENDED TO HAVE A BACK-UP YUBIKEY
My setup is specific to my desires/needs/wants. Feel free to copy.
Basic idea of my setup:
- Require password + Yubikey for all login sessions (TTY, sddm, gdm, lock screen)
- Require only yubikey for sudo
All files mentioned below are included in full in the files directory within this repository.
Following the regular installation
Add the ppa:
sudo add-apt-repository ppa:yubico/stable && sudo apt update
Add the package:
sudo apt install libpam-u2f
Configure yubikey for your account according to the installation manual
For more packages (such as OTP), see here
In order to require password + yubikey for all my logins, I've modified /etc/pam.d/common-auth. At the bottom of the file, add:
# u2f
auth required pam_u2f.so cue
In order to only require the yubikey for sudo, I've modified /etc/pam.d/sudo. Insert the u2f line above the inclusion of @common-auth, marked sufficient, so that touching the yubikey alone satisfies sudo. Add the cue option so you are prompted to touch the key.
auth sufficient pam_u2f.so cue
@include common-auth
Obviously, leave the rest of the file untouched. Keep a separate root shell open until you have confirmed that sudo and a fresh login still work, since a mistake in common-auth affects every login path.
Sources:
I also wanted to lock my screen the moment my yubikey is removed from the USB port. To do this, I've created udev rules.
The udev rule in /etc/udev/rules.d/20-yubico-u2f.rules:
ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_MODEL_ID}=="0407", ENV{ID_VENDOR_ID}=="1050", RUN+="/usr/local/sbin/lockscreen.sh"
Check your MODEL_ID and VENDOR_ID by running udevadm monitor --environment --udev and unplugging your yubikey.
Then, create /usr/local/sbin/lockscreen.sh with the following content:
#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
loginctl lock-sessions
Mark the script as executable:
chmod 755 /usr/local/sbin/lockscreen.sh
Check that the script works by running it, either as root or as your own user (udev RUN commands are executed as root, so it must at least work as root).
If everything works as desired, let's reload udev:
sudo udevadm control --reload-rules
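To make the MODEL_ID / VENDOR_ID check above less error-prone, here is an added example (not part of this repository) that derives the rule line from a captured remove event and refuses to emit a rule with empty match values. The event text is constructed sample output of udevadm monitor --environment --udev, not a real capture; the script path is the one used above.

```shell
#!/bin/bash
# Added example: build the ACTION=="remove" udev rule from a captured
# "udevadm monitor --environment --udev" event. SAMPLE_EVENT is constructed
# sample output (a YubiKey 4 OTP+U2F+CCID unplug), not a real recording.

SAMPLE_EVENT='UDEV  [1234.567890] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
DEVTYPE=usb_device
ID_BUS=usb
ID_MODEL=Yubikey_4_OTP+U2F+CCID
ID_MODEL_ID=0407
ID_VENDOR=Yubico
ID_VENDOR_ID=1050
SUBSYSTEM=usb
'

# Extract one KEY=VALUE property from the event text.
event_prop() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '$1==key {print $2; exit}'
}

# Print the udev rule line for the event in $1 that runs the script in $2.
# Returns 1 when the event is not a USB remove event or an ID is missing,
# so a rule that would match every device is never written.
make_remove_rule() {
    local event="$1" script="$2"
    local action bus model vendor
    action=$(event_prop "$event" ACTION)
    bus=$(event_prop "$event" ID_BUS)
    model=$(event_prop "$event" ID_MODEL_ID)
    vendor=$(event_prop "$event" ID_VENDOR_ID)
    [ "$action" = "remove" ] && [ "$bus" = "usb" ] || return 1
    [ -n "$model" ] && [ -n "$vendor" ] || return 1
    printf 'ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_MODEL_ID}=="%s", ENV{ID_VENDOR_ID}=="%s", RUN+="%s"\n' \
        "$model" "$vendor" "$script"
}

make_remove_rule "$SAMPLE_EVENT" /usr/local/sbin/lockscreen.sh
```

Redirect the output into /etc/udev/rules.d/20-yubico-u2f.rules only after comparing it with the rule shown above.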