Using SoloKey for Linux Login

So yesterday I wrote about the security keys I use, and today I thought I would tell a bit about how I use the SoloKey as an extra security precaution on my Linux computers.

So first things first: this would not (yet) be possible without some groundwork done by the team from Yubico. They have created the PAM (Pluggable Authentication Module) module needed for doing U2F authentication. This is also why we get the software from them in the first place (it is also available on GitHub if you want to verify or modify the source code).

Installation

I primarily use Ubuntu and Arch Linux on my machines, so in this post I will describe how to install it on these two Linux distributions.

Arch Linux:

sudo pacman -S pam-u2f

Ubuntu Linux:

sudo add-apt-repository ppa:yubico/stable && sudo apt update && sudo apt install libpam-u2f

In order for your SoloKey to get recognized by the udev system in Linux, you will have to add a rule for it to udev. This is done by creating a new udev rule file:

sudo vim /etc/udev/rules.d/70-solokeys.rules

Add the following lines to the file and save it:

ACTION!="add|change", GOTO="solokeys_end"
# SoloKeys rule
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", TAG+="uaccess"
LABEL="solokeys_end"

Reload udev so the new rule will be active:

sudo udevadm control --reload-rules

Now you are ready to use your SoloKey in Linux and can move on to configuring PAM.

Configuration

Now that we have the PAM module installed, it is time to add your SoloKey to it. I have chosen to keep the configuration for my user as a personal configuration in my home folder. This can also be done via /etc, but I will not cover that this time.

Create the configuration folder for the keys storage:

mkdir ~/.config/Yubico

It is important that the folder is called Yubico exactly as shown here, as the PAM module is hardcoded to use this location.

The PAM module comes with a configuration tool that can be used to create the key strings in the configuration for your SoloKeys. Simply plug your SoloKey into a USB port and then, in a terminal, run the following command:

pamu2fcfg > ~/.config/Yubico/u2f_keys

Again, the file name is important.

Your SoloKey will start to blink, which means you need to press the button. Notice that sometimes you have to hold down the button for a second or so for it to react. When pamu2fcfg has identified your device it will let you know in the console.

It is highly recommended to have a backup key, as you will be completely locked out if your only key gets stolen, breaks or is otherwise lost.

If you add another key, then it is very important that you do not use the previous command for the new key, but instead use the following (it adds a newline and appends to the file instead of overwriting it):

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
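Before pointing PAM at the file, it is worth checking that the backup key really made it into u2f_keys and that the file was not overwritten by a stray ">". The script below is an added example, not part of the original post or of pam-u2f; it assumes pam_u2f's documented line format (user:keyhandle,publickey[,type,options]:keyhandle,publickey...) and uses a constructed sample file with placeholder key material.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a u2f_keys file
# before PAM is told to require the key, so a missing backup key is noticed
# while a root shell is still open. Assumes pam_u2f's documented format:
#   user:keyhandle,publickey[,type,options]:keyhandle,publickey[,...]
# A second key appended with "pamu2fcfg -n >>" lands on the same line after ':'.

# Count the credentials registered on the first line of a u2f_keys file.
# Prints 0 if the file is missing or empty.
count_u2f_keys() {
    f="$1"
    [ -s "$f" ] || { echo 0; return 0; }
    line=$(head -n 1 "$f")
    creds=${line#*:}                 # drop the "user:" prefix
    [ -n "$creds" ] || { echo 0; return 0; }
    n=0
    oldifs=$IFS
    IFS=:
    set -f                           # no globbing while splitting on ':'
    for c in $creds; do
        case $c in
            *,*) n=$((n + 1)) ;;     # keyhandle,publickey pair = one credential
        esac
    done
    set +f
    IFS=$oldifs
    echo "$n"
}

# Succeeds only when at least two keys are registered, i.e. a backup exists.
check_backup_key() {
    [ "$(count_u2f_keys "$1")" -ge 2 ]
}

# Demo on a constructed file; the key handles and public keys are
# placeholders, not real pamu2fcfg output.
sample=$(mktemp)
printf 'alice:KEYHANDLE1,PUBKEY1,es256,+presence:KEYHANDLE2,PUBKEY2,es256,+presence\n' > "$sample"
if check_backup_key "$sample"; then
    echo "ok: $(count_u2f_keys "$sample") keys registered, backup present"
else
    echo "warning: only $(count_u2f_keys "$sample") key registered, add a backup first"
fi
rm -f "$sample"
```

Run check_backup_key against ~/.config/Yubico/u2f_keys to check your own file; if it reports a single key, the second pamu2fcfg run most likely overwrote the first.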

SoloKeys and sudo

Now your key is registered and ready for PAM to use. The best way to test this is to change the authentication scheme for the sudo command. Before doing so, please consider opening an extra terminal and becoming root with the “sudo su” or “sudo /bin/bash” command. That way you will have a way to get in and disable your changes if something has gone wrong.

Now you can change the PAM config file for sudo:

sudo vim /etc/pam.d/sudo

Find a line near the beginning of the file that looks like:

@include common-auth

and add the following line right after it:

auth required pam_u2f.so

This says that after the common login (your normal sudo password prompt) you will be asked to authenticate with pam_u2f (your SoloKey).

Save the file and then try something simple like:

sudo echo "SoloKeys rock"

If no SoloKey is inserted into the USB port, then it will fail after the password has been entered. If the SoloKey is inserted, then it will start blinking and you will have around 10 seconds to press the button on the SoloKey. Again, you might have to hold the button for a second or so for it to get registered.

If everything has gone as planned, then you will see it print “SoloKeys Rock” to the terminal.

SoloKeys and the desktop

Now you are ready to change your desktop login to use the key as well.

The procedure is the same, but this time look for the PAM config file called:

/etc/pam.d/gdm-password # if you use gdm for login
/etc/pam.d/lightdm # if you use lightdm

Add the line to the file in the same way and at the same location as described above for sudo. After this point you can log out of your desktop and then try to log in again. Your login will fail if you do not have the SoloKey inserted in the USB port.

The SoloKey will blink after you have entered your password, and then you need to press the button to get fully logged into your desktop.

You can make the same change to other files in /etc/pam.d/. If you use, for instance, the GNOME screensaver, then add the line to /etc/pam.d/gnome-screensaver, and if you want to require it for the plain console login (if you boot without a desktop or run a server), then add it to /etc/pam.d/login.

A word of warning: you can get really locked out of your system if you do not do this the right way. If that happens, boot your system in recovery mode (or single-user mode) and then revert your changes.

Hope this helps you love your SoloKey even more – I know I do!

PS: this will of course also work with OnlyKey U2F and YubiKeys.