Warning: This blog post includes instructions for a procedure that
can lead you to lock yourself out of your computer. Even if everything
goes well, you'll be hunted by dragons. Keep backups, have a rescue
system on a USB stick, and wear flameproof clothing. Also, have fun,
and tell your loved ones you love them.
I've recently gotten two U2F keys. U2F is an open standard for
authentication using hardware tokens. It's probably mostly meant for
website logins, but I wanted to have it for local logins on my laptop
running Debian. (I also offer a line of stylish aluminium foil hats.)
Having two-factor authentication (2FA) for local logins improves
security if you need to log in (or unlock a screen lock) in a public
or potentially hostile place, such as a cafe, a train, or a meeting
room at a client. If they have video cameras, they can film you typing
your password, and get the password that way.
If you set up 2FA using a hardware token, your enemies will also need
to lure you into a cave, where a dragon will use a precision flame to
incinerate you in a way that leaves the U2F key intact, after which
your enemies steal the key, log into your laptop and leak your cat GIF
collection.
Looking up information for how to set this up, I found a blog post by
Sean Brewer, for Ubuntu 14.04. That got me started. Here's what I
understand:
- PAM is the technology in Debian for handling authentication for
logins and similar things. It has a plugin architecture.
- Yubico (maker of Yubikeys) have written a PAM plugin for U2F. It is
packaged in Debian as libpam-u2f. The package includes documentation
in /usr/share/doc/libpam-u2f/README.gz.
- By configuring PAM to use libpam-u2f, you can require both the password
and the hardware token for logging into your machine.
Here are the detailed steps for Debian stretch, with minute
differences from those for Ubuntu 14.04. If you follow these, and lock
yourself out of your system, it wasn't my fault, you can't blame me,
and look, squirrels! Also not my fault if you don't wear sufficient
protection against dragons.
- Install pamu2fcfg and libpam-u2f.
- As your normal user, mkdir ~/.config/Yubico. The list of allowed
U2F keys will be put there.
- Insert your U2F key and run
pamu2fcfg -u $USER > ~/.config/Yubico/u2f_keys
and press the button on your U2F key when the key is blinking.
- Edit /etc/pam.d/common-auth and append the line
auth required pam_u2f.so cue
Before you go on, open a root shell in another terminal and keep it
open until you have confirmed that a fresh login works: with "required",
any account that has no u2f_keys entry, root included, can no longer
authenticate through PAM. (The README documents a nouserok option if
you want accounts without a registered key to keep working.)
- Reboot (or at least log out and back in again).
- Log in, type in your password, and when prompted and the U2F key is
blinking, press its button to complete the login.
pamu2fcfg reads the hardware token and writes out its identifying data
in a form that the PAM module understands; see the pam-u2f
documentation for details. The data can be stored in the user's home
directory (my preference) or in /etc/u2f_mappings.
Once this is set up, anything that uses PAM for local authentication
(console login, GUI login, sudo, desktop screen lock) will need the
U2F key as well. ssh logins with a public key won't, since sshd skips
the PAM auth stack for those; ssh password logins do go through
common-auth, so they will fail for want of a key on the machine you
are logging into.
Next, add a second key to your u2f_keys. This is important, because if
you lose your first key, or it's damaged, you'll otherwise have no way
to log in. The file holds one line per user, in the form
username:keyhandle1,publickey1:keyhandle2,publickey2 (see the pam-u2f
README), so adding a key means appending one more keyhandle,publickey
pair to your own line.
- Insert your second U2F key and run pamu2fcfg -n > second, and press
the second key's button when prompted.
- Edit ~/.config/Yubico/u2f_keys and append the contents of second to
the line with your username.
- Verify that you can log in using your second key as well as the first
key. Have only one of the keys plugged in at a time when testing: the
PAM module uses the first key it finds, so you can't test both keys
plugged in at once.
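Since hand-editing u2f_keys is exactly the step where a typo locks you out, here is a small POSIX shell helper for the two fiddly parts above: appending a second registration to the mapping file, and sanity-checking the mapping and the common-auth line before you reboot. This is an added example of mine, not code from the original post or from the pam-u2f project. It assumes the mapping format documented in the pam-u2f README (username:keyhandle1,publickey1:keyhandle2,publickey2) and that pamu2fcfg -n prints a single ":keyhandle,publickey" pair; the function names and the key material in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the original post or from the pam-u2f project.
# Helpers for the fiddly parts of the procedure above:
#   u2f_add_key     - append a second registration to the u2f_keys mapping
#   u2f_check_setup - sanity-check the mapping and the PAM line before rebooting
# Assumption: pam_u2f's mapping file format, as documented in its README,
#   username:keyhandle1,publickey1:keyhandle2,publickey2
# and "pamu2fcfg -n" printing one ":keyhandle,publickey" pair.
# All key material in the demo at the bottom is a constructed placeholder.

# Succeed if $1 is a well-formed mapping line for user $2 with >= 1 key.
u2f_line_ok() {
    case $1 in
        "$2":*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9._-]+(:[A-Za-z0-9+/=_-]+,[A-Za-z0-9+/=_-]+)+$'
}

# Print the mapping line for user $2 in file $1 (empty if none).
u2f_user_line() {
    awk -v u="$2" 'index($0, u ":") == 1 { print; exit }' "$1"
}

# Print how many registrations user $2 has in file $1.
u2f_key_count() {
    line=$(u2f_user_line "$1" "$2")
    [ -n "$line" ] || { echo 0; return; }
    # Every ":" after the username introduces one keyhandle,publickey pair.
    printf '%s\n' "$line" | awk -F: '{ print NF - 1 }'
}

# Usage: u2f_add_key MAPFILE USER REGISTRATION
# REGISTRATION is the exact output of "pamu2fcfg -n" (":keyhandle,publickey").
# Refuses malformed input, never registers the same key twice, and keeps
# MAPFILE.bak so a slip here cannot lock you out.
u2f_add_key() {
    mapfile=$1 user=$2 reg=$3
    case $reg in
        :*,*) ;;
        *) echo "u2f_add_key: expected ':keyhandle,publickey', got '$reg'" >&2; return 2 ;;
    esac
    line=$(u2f_user_line "$mapfile" "$user")
    [ -n "$line" ] ||
        { echo "u2f_add_key: no line for $user in $mapfile; enrol the first key with pamu2fcfg -u first" >&2; return 2; }
    case $line in
        *"$reg"*) echo "u2f_add_key: that key is already registered for $user" >&2; return 0 ;;
    esac
    newline="$line$reg"
    u2f_line_ok "$newline" "$user" ||
        { echo "u2f_add_key: refusing to write a malformed line" >&2; return 2; }
    cp -p "$mapfile" "$mapfile.bak"
    tmp=$(mktemp "$mapfile.XXXXXX")
    # Replace only this user's line; other users' lines are copied through.
    awk -v u="$user" -v n="$newline" \
        'index($0, u ":") == 1 { print n; next } { print }' "$mapfile" > "$tmp"
    # Overwrite in place so ownership and mode of MAPFILE are preserved.
    cat "$tmp" > "$mapfile" && rm -f "$tmp"
}

# Usage: u2f_check_setup MAPFILE USER PAMFILE
# Return 0 only if USER has at least one key in MAPFILE and PAMFILE contains
# an "auth ... pam_u2f.so" line. Run it before rebooting.
u2f_check_setup() {
    line=$(u2f_user_line "$1" "$2")
    u2f_line_ok "$line" "$2" ||
        { echo "check: no valid mapping line for $2 in $1" >&2; return 1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_u2f\.so' "$3" ||
        { echo "check: no pam_u2f.so auth line in $3" >&2; return 1; }
    echo "check: $2 has $(u2f_key_count "$1" "$2") key(s), pam_u2f is enabled in $3"
}

# Demo on throwaway files (constructed values, not real registrations).
demo=$(mktemp -d)
printf 'lars:KEYHANDLE1,PUBKEY1\n' > "$demo/u2f_keys"
printf 'auth required pam_u2f.so cue\n' > "$demo/common-auth"
u2f_add_key "$demo/u2f_keys" lars ':KEYHANDLE2,PUBKEY2'
u2f_check_setup "$demo/u2f_keys" lars "$demo/common-auth"
cat "$demo/u2f_keys"
rm -rf "$demo"
```

On a real system you would call it as u2f_add_key ~/.config/Yubico/u2f_keys "$USER" "$(cat second)" and then u2f_check_setup ~/.config/Yubico/u2f_keys "$USER" /etc/pam.d/common-auth from the root shell you kept open, before trusting a reboot.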
This is not too difficult, but rather fiddly, and it'd be nice if
someone wrote at least a way to manage the list of U2F keys in a nicer
way.