Ubuntu Yubikey Authentication in the Real World

With the rise of support for multi-factor authentication in popular services and devices, the YubiKey family of hardware tokens has risen in popularity. Hardware tokens are more secure than using SMS as a delivery method because an attacker has to steal them from you and can't do so remotely.

Yubico, the manufacturer of the YubiKeys has excellent guides for different use-cases of their tokens, but I found that the one for Ubuntu lacks in the real world:

It does not expect an encrypted filesystem and fails on such systems.

It describes how to secure sudo and the window manager login, but leaves TTY logins open.

This guide makes touching the YubiKey mandatory for any login, including `sudo` privilege gains and screensaver unlocks. Note that this does not work with SSH. I don't have SSH enabled on my workstations and making this work exceeds the scope of this guide.

My primary USB-C YubiKey, plugged into my laptop.

The cool thing about hardware tokens is that they always work if you have them on you, and this makes them realistic to secure logins to your workstation or laptop. Imagine waiting for an SMS message every time or what happens when you are on a plane with no cellular connection.

Important: I can't guarantee that any of this works (it did for me on several laptops and workstations) and you have to be careful to not lock you out of your systems. It's good practice to always leave a terminal open in case you make a mistake. Be careful.

The Key

After finishing this guide, there is no way to login to your computer without touching the YubiKey, and this includes screensaver locks. This new reality is why it's crucial to always have the key on you. I've forgotten mine a few times and had to turn around to get it. (that's the whole point of this exercise)

In the last months, I have created a habit of always having the key on me and grabbing it in the morning just like I grab my key card.

Keep the key somewhere where you can quickly grab it at all times no matter if you are standing, sitting in the office or an economy class seat. Also, consider keeping the key in your USB port while you are around and make it easy to detach.

A solution that works perfectly for me is a cable key ring attached to a carabiner that attaches to a belt loop. I chose a small carabiner with a little screw lock to avoid drawing too much attention to this nerdiness.

I am using the USB-C key because it's tiny, works on my laptop without a USB adapter and feels more sturdy than the standard USB plastic keys.

Backup Keys

Given that you can't use your computer without the key, what happens if you lose or break it?

The solution is simple: We'll authorize multiple keys for your computer, so you can keep a backup easily accessible and another one in a safe place, together with passports, visa documents and other stuff you don't want to lose.

Ubuntu Configuration

I've tested my configuration on Ubuntu 18.10 and 18.04 but, given the stability of PAM, I expect this to work on more recent Ubuntu releases, too.

Step 1: Follow the instructions in the official guide to install libpam-u2f on your systems.

Step 2: Associate all your YubiKeys as allowed devices.

This point is where the guide starts to fall short because it does not describe how to associate multiple keys, and it also does not consider disk or home directory encryption. Because your operating system only decrypts the file that lists your authorized devices when your user logs in, it can't be used to authorize the login, and you are effectively logged out. This problem is why we deviate from the official guide and use /etc to store the key signatures.

To associate your first key, run pamu2fcfg like this:

$ pamu2fcfg > ~/u2f_keys

When the LED on your key blinks, touch it to confirm the association.

This will create a new file with the signature of your first key. Now add any additional key, like this: (notice the use of -n and >> )

$ pamu2fcfg -n >> ~/u2f_keys

Remember to touch each key to confirm the association. When you are done with all keys, move the file to /etc where it can be read even when your user is not logged in yet:

$ sudo mv ~/u2f_keys /etc/u2f_keys

Step 3: Always require YubiKey authentication

The Yubico guide describes how to require YubiKey authentication for sudo and the window manager login but leaves out all other ways a user might authenticate. For example, by pressing alt+ctrl+F2 , an attacker could simply TTY login and bypass multi factor authentication entirely. Luckily. the common-auth PAM rules are included in other rules, so that we can use this as a general entry point.

Open /etc/pam.d/common-auth and add this line to the end of the file:

auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue

Leave the sudo authenticated shell open (in case you need to revert the change) start a new terminal, and try to run something as sudo :

$ sudo echo foo

The sudo process should now ask you for your password as always, but right after you entered the password and pressed enter, it should ask you to touch the YubiKey to finish the process.

Test the same procedure with the window manager login, TTY logins and screensaver unlocks.

That's it! From now on, your computer is relatively useless without an authorized YubiKey around.

The last question: Is this necessary? I think it depends on your threat model. For many people, starting actually to lock their computers when they leave them unattended is probably a much bigger problem to solve first.