U2F intro

Universal Second Factor (U2F) devices were invented as a second factor for websites using two-factor authentication. The website sends a challenge, and the U2F device responds to it if its button is pressed. The device only provides a small LED that starts blinking as soon as the device wants you to touch it and thus confirm the usage.

But U2F devices are not limited to websites. Using PAM’s pam_u2f module, you can plug them into any service that uses PAM.

Low hanging fruit

I use openSUSE Tumbleweed on my laptop, and successfully configured my U2F devices for the following services:

  • console login, using /etc/pam.d/login
  • sudo and sudo -i, using /etc/pam.d/sudo and /etc/pam.d/sudo-i respectively
  • graphical login using SDDM (/etc/pam.d/sddm) or lightdm (/etc/pam.d/lightdm)

All of those services worked flawlessly, as soon as I

  1. installed the pam_u2f package
  2. added a line to their respective pam configuration and
  3. configured the device using pamu2fcfg

sudo zypper in pam_u2f

cat /etc/pam.d/login
auth     requisite      pam_nologin.so
auth     sufficient     pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue
auth     include        common-auth

Make sure to add the line containing pam_u2f.so before the include for common-auth.

pamu2fcfg > /etc/Yubico/u2f_keys

After the configuration, you only need to trigger a PAM activity (login attempt, sudo call, …) and your device will start to flash its LED. Touch the button, done.

Conquering the KDE lock screen

Wow, that was easy. Getting KDE’s lock screen to work turned out to be a little trickier. While the other services were using root privileges and it was fine to have the root user in the configuration file, kscreenlocker runs as your user. Therefore it needs to have access to your U2F device.

Use the udev rule from the official documentation and put it into /etc/udev/rules.d/. Then restart udevd via systemctl restart systemd-udevd and remove your device. After re-attaching the device, check if you get any output when issuing pamu2fcfg as your user. If not, go debugging…

If you do get output, configure the device and put the resulting file into your home directory, which is the default location pam_u2f looks for ‘Authorization Mapper Files’, as they are called officially:

mkdir -p $HOME/.config/Yubico/
pamu2fcfg > $HOME/.config/Yubico/u2f_keys

Configure /etc/pam.d/kscreenlocker the same way, but use the following line instead:

auth     sufficient     pam_u2f.so      openasuser

Then keep your fingers crossed and see whether it works. Lock your screen and press a key or move your mouse to show the password prompt. Then you need to hit RETURN (yes, you did not specify a password), which will restart the PAM authentication. Your device’s LED should blink, you touch the button and your screen is unlocked. Magic…
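Two things silently break both the system-wide setup above (login, sudo) and the kscreenlocker setup: the pam_u2f.so line ending up after the include of common-auth, so the module is never reached, and a mapping file that other users can write to, which would let them register their own key for your account. The following script is an added example, not part of the original post or of the pam_u2f project; it checks a PAM file for the ordering and checks an ‘Authorization Mapper File’ (either /etc/Yubico/u2f_keys or $HOME/.config/Yubico/u2f_keys) for a user entry and for group/world write permission. It assumes the mapping file layout `user:keyhandle,publickey[:...]` described in the pam_u2f documentation; the sample PAM files and key values it writes into a temporary directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from pam_u2f.
# Sanity checks for a pam_u2f setup: the pam_u2f.so line must precede
# "auth include common-auth", and the mapping file must contain a line for
# the user and must not be writable by group or others.
# Assumed mapping line format: "user:keyhandle,publickey[:keyhandle,publickey...]"

# u2f_before_common_auth FILE
# Returns 0 if the first "auth ... pam_u2f.so" line comes before the
# "auth include common-auth" line in FILE.
u2f_before_common_auth() {
    u2f=$(grep -n '^auth[[:space:]].*pam_u2f\.so' "$1" | head -n 1 | cut -d: -f1)
    inc=$(grep -n '^auth[[:space:]][[:space:]]*include[[:space:]][[:space:]]*common-auth' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$u2f" ] && [ -n "$inc" ] && [ "$u2f" -lt "$inc" ]
}

# mapping_has_user FILE USER
# Returns 0 if FILE has a line for USER with at least one keyhandle,publickey pair.
mapping_has_user() {
    [ -r "$1" ] || return 1
    grep -q "^$2:[^,:][^,:]*,[^,:][^,:]*" "$1"
}

# mapping_not_writable_by_others FILE
# Returns 0 unless group or others have write permission on FILE.
mapping_not_writable_by_others() {
    # GNU stat first, BSD stat as fallback; both print the octal mode, e.g. 600
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))
    [ $((grp & 2)) -eq 0 ] && [ $((oth & 2)) -eq 0 ]
}

# make_fixtures: writes constructed sample files into a temp dir and prints its path.
make_fixtures() {
    dir=$(mktemp -d)
    # correct ordering, as in the post
    cat > "$dir/login-ok" <<'EOF'
auth     requisite      pam_nologin.so
auth     sufficient     pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue
auth     include        common-auth
EOF
    # wrong ordering: common-auth is consulted first, pam_u2f never runs
    cat > "$dir/login-wrong" <<'EOF'
auth     requisite      pam_nologin.so
auth     include        common-auth
auth     sufficient     pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue
EOF
    # constructed placeholders, not a real key handle or public key
    printf 'alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER\n' > "$dir/u2f_keys"
    chmod 600 "$dir/u2f_keys"
    cp "$dir/u2f_keys" "$dir/u2f_keys-loose"
    chmod 666 "$dir/u2f_keys-loose"
    printf '%s\n' "$dir"
}

# report LABEL CMD...: prints PASS/FAIL for one check without aborting the script
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

fx=$(make_fixtures)
report "pam_u2f before common-auth (login-ok)"     u2f_before_common_auth "$fx/login-ok"
report "pam_u2f before common-auth (login-wrong)"  u2f_before_common_auth "$fx/login-wrong"
report "alice present in mapping file"            mapping_has_user "$fx/u2f_keys" alice
report "bob present in mapping file"              mapping_has_user "$fx/u2f_keys" bob
report "mapping file not writable by others"      mapping_not_writable_by_others "$fx/u2f_keys"
report "loose mapping file not writable by others" mapping_not_writable_by_others "$fx/u2f_keys-loose"
rm -rf "$fx"
```

To check a real machine, call the functions against the actual files, e.g. `u2f_before_common_auth /etc/pam.d/kscreenlocker` and `mapping_has_user "$HOME/.config/Yubico/u2f_keys" "$USER"`; the second and fourth FAIL lines in the sample run are expected, since they exercise the broken fixtures.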

Bonus points: Lock your screen if you remove your device

Unlocking your lock screen with your U2F device is pretty nice, but you should remember to lock your screen. And remove the device. Wouldn’t it be awesome if you had to think of only one thing? The next part will cover how to do that with a simple udev rule.

Johannes Kastl
Johannes is a Linux trainer and consultant and has been with B1 Systems since 2017. His topics include configuration management (Ansible, Salt, Chef, Puppet), version control (git), Infrastructure as Code (Terraform) and automation (Jenkins) as well as testing (Inspec, anyone?). At daytime he works as a sysadmin and fixes problems, at night he tries new technologies like Kubernetes (openSUSE Kubic!), podman or transactional-updates.