I have three U2F keys (from left):
The YubiKeys are the property of the company I work for; the third one, my personal key, I got courtesy of CZ.NIC. So I have finally decided to fully use this relatively new technology.
I looked at U2F a few years ago, and back then the price/performance ratio seemed pretty low: there were a lot of manual steps to get it working, like compiling tools from source code. That has changed; installation is simpler and support is wider. Now it seems to me that it makes much more sense for everyone who uses a computer for serious work, and it is quite cheap.
What can a U2F token do? It adds a second factor to your authentication: you must have the device AND press the button on it when asked. The key internally contains private cryptographic secrets, and it should not be possible to access them from outside by any method, for example to copy or steal them.
What can I, as a Linux fan, do with them?
My current security measures:
Let’s improve it!
WARNING:
I use Chrome as my web browser. Just plug your device into your computer and set up each service you use that supports U2F:
Then, when logging in, the browser asks you to press the button on the U2F device to complete the authentication.
For this, you need OpenSSH 8.2 (check with “ssh -V” and “sshd -V”) on both client and server. For me that means that until all the servers I access are updated I have to keep both the old-school password-protected private key and the new one secured by U2F. For compatible servers I use solely the new U2F key, and one day I will remove the old one.
First generate a new U2F-backed SSH key pair:
It works like this: it generates public and private key files, as you would expect if you are familiar with ssh-keygen. But the private key file does not contain the private key itself; it contains only the challenge that was used for building the real key. Every time you use it, the computer sends the challenge from the private key file to the U2F key, and there (after pressing the button) the real private key is reconstructed using the internal secret. This is used for establishing communication with the server. The public key works as usual, so you simply copy it into ~/.ssh/authorized_keys on the server (you can use the ssh-copy-id utility for that).
Do you need a password for this type of key? It depends. An attacker would need your private key file with the original challenge AND your U2F key. For me this is safe enough, and it greatly simplifies work because you do not have to type a password every time (or use an SSH agent).
There are some implementations like u2f-luks, fido2luks or yubikey-full-disk-encryption. But none of them is official or audited.
So for now I have decided not to do this and to wait for official support. I do not want to lose my data.
A second factor on the local computer? Yes!
First, install U2F support:
Then create the mappings; run the following for every key you own (of course replace username with your real login):
Then edit /etc/u2f_mappings; it should be in this form:
Change it to the following format if you have multiple devices:
In other words, one line per username, with the username only at the beginning of the line and multiple keys separated by colons.
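The multi-key format described above, as an added example that is not from the original post: a small POSIX shell helper that takes the one-credential-per-line output that pamu2fcfg prints for each key and merges it into one line per user, joining credentials with colons and reporting lines that lack the user:credential shape. The function names and the credential values are constructed for the example, not real key material.

```shell
#!/bin/sh
# Added example: merge per-key pam_u2f mapping lines into one line per user.
# pamu2fcfg prints one "username:credential" line per run; pam_u2f expects
# "username:credential1:credential2" when one user owns several keys.

# Read mapping lines from stdin; print one line per user, credentials joined by ":".
# Blank lines and "#" comments are dropped; lines without "user:credential" go to stderr.
merge_u2f_mappings() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        NF < 2 || $1 == "" || $2 == "" {
            printf "skipping malformed line %d: %s\n", NR, $0 > "/dev/stderr"
            next
        }
        {
            user = $1
            rest = substr($0, length(user) + 2)   # everything after the first colon
            if (!(user in keys)) { order[++n] = user; keys[user] = rest }
            else keys[user] = keys[user] ":" rest
        }
        END { for (i = 1; i <= n; i++) print order[i] ":" keys[order[i]] }
    '
}

# Constructed sample input (placeholder credentials): two keys for alice, one for bob,
# plus a blank line and one malformed line with no username.
sample_mappings() {
    printf '%s\n' \
        'alice:KEYHANDLE_A1,PUBKEY_A1,es256,+presence' \
        'bob:KEYHANDLE_B1,PUBKEY_B1,es256,+presence' \
        '' \
        'alice:KEYHANDLE_A2,PUBKEY_A2,es256,+presence' \
        ':no_user_here'
}

# Merged output for the sample, ready to be written to /etc/u2f_mappings.
merged_sample() {
    sample_mappings | merge_u2f_mappings 2>/dev/null
}

# Number of sample lines the merge refused.
skipped_sample() {
    sample_mappings | merge_u2f_mappings 2>&1 >/dev/null | grep -c 'skipping'
}
```

Collect the lines pamu2fcfg printed for each of your keys into one file and pipe that file through merge_u2f_mappings; review the result before replacing /etc/u2f_mappings.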
Now we are entering the dangerous zone!
First, open two terminals where you log in as root, for example with “sudo su -”. The first is for work, the second is a fallback. But if your computer crashes at this moment you have a problem: you will have to boot from USB, connect the disk and fix it. Keep that in mind.
In the first terminal edit /etc/pam.d/sudo and below the line @include common-auth add:
Then open a third terminal and try some sudo command like:
You should be asked for a password first and then to press the button on your U2F device. If that works, you can remove the added line from /etc/pam.d/sudo and add the same line to /etc/pam.d/common-auth as the last line.
Then open a new terminal and try “sudo echo Wow”; it should still work. Then try to log in from the system console (press CTRL+ALT+F3); it should again ask for a password and a button press. You can return to the GUI by pressing CTRL+ALT+F2. Finally, try logging out with WIN+L and logging back in. Again, a password and a button press should be required.
Now, instead of typing the password every time I run sudo, I just want to press the button on the U2F key. Here I have doubts about security. If you are used to locking your computer when you leave it, it is probably fine; or, better still, take your key with you. If not, do not use this method.
Open the sudo config /etc/pam.d/sudo, then above the line @include common-auth add:
The parameter “cue” means that a prompt for the key will be displayed.
This dialog opens, for example, when you try to install a package from the software center. The approach is similar to sudo in 4.c; just put that line in /etc/pam.d/polkit-1.
This was advised by raj in the answer to my question on AskUbuntu.