If you have a Yubikey with U2F support for Linux, you can use its U2F functionality as a second factor or a single factor for logins, sudo passwords, and more. This is accomplished by the pam-u2f module, and the instructions commonly returned in searches aren’t for the faint of heart, especially when you get into editing the files in /etc/pam.d/. Recent versions of Fedora ship with authselect, which can make this process a lot easier. U2F support isn’t baked in, but it’s easy enough to find on GitHub. Grab your Yubikeys (you do have a primary and a backup, right?) and follow along.
The main packages required are authselect, pam-u2f, and pamu2fcfg. The following will cover the bases in case you have a minimal install:
Create the u2f_keys file and include values from as many U2F devices as applicable (additional background here):
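Since the registration commands themselves are not reproduced here, this added example (not the post’s own code) checks the u2f_keys file you end up with. It parses the username:keyhandle,publickey[:keyhandle,publickey...] format that pam-u2f reads, which is what "pamu2fcfg -u $USER > u2f_keys" followed by "pamu2fcfg -n >> u2f_keys" for each backup key produces, and warns about any user whose line carries fewer than two devices, the backup-key question the post opens with. The sample file and its key strings are constructed placeholders, not real registration output.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pam-u2f u2f_keys
# file before relying on it for login or sudo. pam-u2f expects one line per
# user in the form  username:keyhandle,publickey[:keyhandle,publickey...]
# pamu2fcfg prints no trailing newline, so "pamu2fcfg -n >> u2f_keys" appends
# a backup key to the same line.

# Count the keyhandle,publickey pairs on one u2f_keys line. Prints the count;
# returns 1 if the line has no "user:" prefix or a field without a comma.
u2f_device_count() {
    line=$1
    case $line in
        *:*) ;;
        *) return 1 ;;
    esac
    rest=${line#*:}
    count=0
    old_ifs=$IFS
    IFS=:
    set -- $rest
    IFS=$old_ifs
    for field in "$@"; do
        case $field in
            *,*) count=$((count + 1)) ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$count"
}

# Check that every user in file $1 has at least $2 registered devices
# (default 2: a primary and a backup). Returns 0 only if all lines pass.
u2f_keys_check() {
    file=$1
    min=${2:-2}
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        if n=$(u2f_device_count "$line"); then
            if [ "$n" -lt "$min" ]; then
                echo "WARN  $user: $n device(s) registered; is the backup key missing?"
                status=1
            else
                echo "OK    $user: $n device(s) registered"
            fi
        else
            echo "ERR   $user: malformed line"
            status=1
        fi
    done < "$file"
    return $status
}

# Constructed sample file with placeholder key material (not real
# registration output): alice has two keys, bob has only one.
U2F_SAMPLE=$(mktemp)
trap 'rm -f "$U2F_SAMPLE"' EXIT
cat > "$U2F_SAMPLE" <<'EOF'
alice:kh-alice-1,pk-alice-1:kh-alice-2,pk-alice-2
bob:kh-bob-1,pk-bob-1
EOF

# Demo run: bob triggers a WARN, so the check exits non-zero.
u2f_keys_check "$U2F_SAMPLE" 2 || true
```

Run it against ~/.config/Yubico/u2f_keys (or the authfile you point pam_u2f at) after registering each key; a user with a single device will be locked out of anything that requires U2F if that key is lost, which is exactly what the WARN line flags.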
Grab a udev rules file to allow access for non-root users (additional background here):
With pam-u2f installed and the keys added in u2f_keys, the final step is adding configurations to files in /etc/pam.d/; thankfully authselect makes this less intimidating. The version that ships with Fedora 29 (as of this writing) does not include the U2F option, so we’ll create a custom profile based on sssd and grab the files from GitHub. Uncomment the diff command to see how minimal the changes are that we are getting:
On my system, I was able to use my Yubikey’s U2F mode to log in after a reboot with Gnome, and for issuing sudo. To make U2F required as part of a two-factor login or similar, you’ll need to dig into the /etc/pam.d/ files. Rather than edit them directly, edit the files in /etc/authselect/custom/sssd-u2f/ and apply with authselect.
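The custom-profile procedure above, as an added shell example that is neither the post’s files nor authselect’s upstream profile: instead of downloading the GitHub copies it inserts the pam_u2f line into the custom profile’s PAM stacks itself, and it lets you choose sufficient (a touch alone logs you in, the single-factor mode the post uses) or required (the key is needed in addition to the password, the two-factor variant the post says needs more digging). The profile name sssd-u2f and the package names come from the post; the sample PAM stack is a constructed, trimmed imitation of a Fedora system-auth file, and the dnf/authselect steps need root and real hardware, so they sit in a function that is defined but not run.

```shell
#!/bin/sh
# Added example (not the post's own files or authselect's): build a custom
# authselect profile from the stock sssd one and add pam_u2f to its PAM
# stacks. Profile name and packages are from the post; the sample PAM stack
# below is a constructed imitation of a Fedora system-auth file.

# Insert "auth <control> pam_u2f.so cue" just before the first auth line that
# calls pam_unix.so in the PAM file $1. Idempotent: a file that already has
# pam_u2f is left alone so two touch prompts never get stacked.
#   sufficient -> a touch alone logs you in (single factor, as in the post)
#   required   -> the key is needed in addition to the password (2FA)
add_pam_u2f_line() {
    file=$1
    control=${2:-sufficient}
    if grep -q 'pam_u2f\.so' "$file"; then
        return 0
    fi
    awk -v ctl="$control" '
        !done && $1 == "auth" && /pam_unix\.so/ {
            printf "auth        %-12s pam_u2f.so cue\n", ctl
            done = 1
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# First line number in file $1 matching pattern $2 (0 if absent); used to
# confirm pam_u2f sits above pam_unix so the key is consulted before the
# password is.
pam_line_number() {
    n=$(grep -n "$2" "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# The real procedure (root required; defined here but not called).
# --symlink-meta keeps the profile's README and REQUIREMENTS linked to the
# stock sssd profile instead of copying them.
install_sssd_u2f_profile() {
    control=${1:-sufficient}
    dnf install -y authselect pam-u2f pamu2fcfg
    authselect create-profile sssd-u2f -b sssd --symlink-meta
    add_pam_u2f_line /etc/authselect/custom/sssd-u2f/system-auth "$control"
    add_pam_u2f_line /etc/authselect/custom/sssd-u2f/password-auth "$control"
    authselect select custom/sssd-u2f
    authselect check
}

# Constructed demo input resembling the auth section of system-auth.
PAM_SAMPLE=$(mktemp)
trap 'rm -f "$PAM_SAMPLE" "$PAM_SAMPLE.tmp"' EXIT
cat > "$PAM_SAMPLE" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
EOF

add_pam_u2f_line "$PAM_SAMPLE" sufficient
add_pam_u2f_line "$PAM_SAMPLE" sufficient   # second call is a no-op
cat "$PAM_SAMPLE"
```

Keep a root shell open while you apply the profile and test from a second terminal with "sudo -k; sudo true" before logging out: a PAM stack that fails closed locks everyone out, and with required (rather than sufficient) any account that has no line in u2f_keys can no longer authenticate unless pam_u2f is also given nouserok.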
For some further reading, the RHEL 8 Beta page on authselect has a ton of great information. I’m glad to see authselect will make it from Fedora to RHEL!
(I haven’t used Fedora 29 as a desktop for long, so please let me know @alanthing if you have any feedback!)