This configuration is primarily for Ubuntu 20.04. I have implemented this setup on Ubuntu 16.04 and 14.04 previously, but some of the primary tools and the PAM module name have changed.
The older OS used the pam_yubico module and required more configuration of the yubikey before you could begin.
You need to install the PPA and then the required modules:
sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install libpam-u2f
sudo apt install libpam-yubico yubikey-manager
I drew a lot of this from this guide, which is older (https://code.litomisky.com/2014/01/01/ubuntu-yubikey-2fa-config/), but it lays out the basic structure:
- Create a group (called yubikey) and put users that require the yubikey in this group.
sudo groupadd yubikey
sudo usermod -aG yubikey username
- Create an admin user with all privileges that does NOT need a yubikey to log in. This will be your way in to fix things if needed. After everything is working, give this user a complicated password and save it somewhere safe.
Add the first key this way:
mkdir ~/.yubico
pamu2fcfg > ~/.yubico/u2f_keys
A second key can be added similarly, with only one key plugged into the computer at a time. The -n flag changes the output so that it can be appended to the existing file.
pamu2fcfg -n >> ~/.yubico/u2f_keys
I like to put the keys in a directory controlled by root to protect them.
sudo mkdir /var/yubico
# the >> redirect is performed by your unprivileged shell, not by sudo, so append as root with tee
cat ~/.yubico/u2f_keys | sudo tee -a /var/yubico/u2f_keys
In order to use the u2f_keys file from this location, the username for each key must be put into the u2f_keys file. This is what associates a key with a user, and it is the part that is left out of the yubikey guide.
The u2f_keys file will look like this:
:<bunch of random looking characters>
Edit it to include the username associated with the key before the colon:
user:<bunch of random looking characters>
Create a file /etc/pam.d/yubikey:
# should be included in common-auth before all the other modules
# use:
# @include yubikey
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
# auth sufficient pam_u2f.so authfile=/var/yubico/u2f_keys
auth required pam_u2f.so authfile=/var/yubico/u2f_keys
# example of debug if there are issues
#auth required pam_u2f.so authfile=/var/yubico/u2f_keys debug debug_file=/var/log/pam_u2f.log
If you @include this file in common-auth as suggested, a yubikey will be checked for every user in the yubikey group; the pam_succeed_if line skips the check for everyone else.
If there are issues, switch to the commented debug line and look at the error messages in the debug log. This is how I found out that the username needed to be in the u2f_keys file.
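Because an entry with nothing before the colon is exactly what pam_u2f cannot match to a user, here is a small POSIX sh check, added here and not part of the original guide or of the Yubico tools, that flags such lines in the central u2f_keys file and lists members of the yubikey group who have no entry at all (those users would be locked out of sudo once the required line is active). It assumes the pamu2fcfg line format user:keyhandle,publickey and reads supplementary group members from /etc/group.

```shell
#!/bin/sh
# Added example: sanity-check /var/yubico/u2f_keys before enabling pam_u2f.
# Assumed format (from pamu2fcfg): user:keyhandle,publickey[:keyhandle,publickey...]

# Report every line whose username field is empty (the ":<key>" form that
# pamu2fcfg -n produces) or that has no ':' at all. Returns 0 if all lines
# carry a username, 1 otherwise.
check_u2f_usernames() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
            *:*)
                user=${line%%:*}          # text before the first colon
                if [ -z "$user" ]; then
                    echo "line $n: missing username before ':'" >&2
                    bad=1
                fi
                ;;
            *)
                echo "line $n: no ':' separator, not a pamu2fcfg entry" >&2
                bad=1
                ;;
        esac
    done < "$file"
    return $bad
}

# Print members of GROUP (default yubikey, read from GROUPFILE, default
# /etc/group) that have no entry in the key file. Only the supplementary
# member list (field 4) is consulted, not users whose primary group it is.
users_without_key() {
    file=$1
    group=${2:-yubikey}
    groupfile=${3:-/etc/group}
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile" | tr ',' '\n')
    for u in $members; do
        grep -q -- "^$u:" "$file" || echo "$u"
    done
}

# Usage: check_u2f_usernames /var/yubico/u2f_keys && users_without_key /var/yubico/u2f_keys
```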
If you only want the yubikey to be required for certain authentication operations, such as sudo or login, you can @include the yubikey file in those services' PAM configs instead of common-auth.
With this setup, you can use ssh to log in with ssh keys and bypass the yubikey, but you will not be able to sudo or use escalated privileges unless your yubikey is physically plugged into the computer and you can touch the button when needed.
https://code.litomisky.com/2014/01/01/ubuntu-yubikey-2fa-config/