Secure your local login with yubikeys
hello all
just returned from hacker summer camp and have acquired a couple of new yubikeys, specifically the four and the four nano, and have been configuring them in my gentoo install just for login.
below are the steps to set this up in gentoo and pam for required authentication. this article assumes that you have already configured your yubikeys so i will not go through how to config them.
the first bunch of packages that we have to install:
[I] sys-auth/pam_u2f
     Available versions:  (~)1.0.4 {debug}
     Installed versions:  1.0.4(03:25:01 PM 08/10/2016)(-debug)
     Homepage:            https://github.com/Yubico/pam-u2f
     Description:         Library for authenticating against PAM with a Yubikey

[I] sys-auth/pam_yubico
     Available versions:  (~)2.17-r1 (~)2.19-r1 {ldap test}
     Installed versions:  2.19-r1(02:36:23 PM 08/10/2016)(-ldap -test)
     Homepage:            https://github.com/Yubico/yubico-pam
     Description:         Library for authenticating against PAM with a Yubikey

so the emerge line would be:
sudo emerge -av pam_u2f pam_yubico
once that is installed we are going to create /etc/pam.d/yubico with the contents of:
auth required pam_u2f.so cue interactive
and now we need to create the u2f_keys file under ${HOME}/.config/Yubico using the pamu2fcfg utility:
sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys
double check this file if you are putting in more than one entry to ensure that each line is separate.
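a way to do that double check from the shell, as an added example that is not part of the original post or of pam-u2f itself. the function name check_u2f_keys is hypothetical, and the check assumes the mapping layout that pam-u2f documents: one line per user, username:keyHandle,userKey with further keys appended to the same line after another colon.

```bash
#!/bin/sh
# Added example: sanity-check a pam_u2f mapping file before relying on it for login.
# Assumed layout (pam-u2f documentation), one line per user:
#   username:keyHandle,userKey[,...][:keyHandle,userKey[,...]]...
# Usage: check_u2f_keys "${HOME}/.config/Yubico/u2f_keys" "$(logname)"

check_u2f_keys() {
    file=$1 user=$2 rc=0

    if [ ! -s "$file" ]; then
        echo "FAIL: $file is missing or empty"; return 1
    fi

    # Anyone who can write this file can enrol their own key for the account.
    case $(ls -ld "$file" | cut -c1-10) in
        ?????w????|????????w?) echo "FAIL: $file is group/world writable"; rc=1 ;;
    esac

    # Structural check of every line, plus a per-user line and key count.
    awk -F: -v user="$user" '
        /^[ \t]*$/ { next }
        {
            if (NF < 2 || $1 == "") {
                printf "FAIL: line %d: no username or no key fields\n", NR; bad = 1; next
            }
            for (i = 2; i <= NF; i++) {
                n = split($i, part, ",")
                if (n < 2 || part[1] == "" || part[2] == "") {
                    printf "FAIL: line %d: key %d is not keyHandle,userKey\n", NR, i - 1
                    bad = 1
                }
            }
            if ($1 == user) { lines++; keys += NF - 1 }
        }
        END {
            if (lines == 0) { printf "FAIL: no entry for %s\n", user; bad = 1 }
            if (lines > 1)  { printf "FAIL: %d lines for %s, expected one\n", lines, user; bad = 1 }
            if (!bad) printf "OK: %s has %d key(s) on one line\n", user, keys
            exit bad + 0
        }' "$file" || rc=1

    return $rc
}
```

run it while you still have another logged-in session open, before the login and passwd pam files are changed.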
once this is done, we are going to edit both /etc/pam.d/login and /etc/pam.d/passwd and add to both the line:
auth include yubico
once everything is saved, let's test it by pressing alt + ctrl + f2 — this will open a new session without logging you out.
and bam. fully set up.