U2F on Ubuntu 20.04

I have three U2F keys (from left):

Dongles

YubiKeys are property of company’s I work for, third one – personal – I got by courtesy of CZ.NIC. So I have finally decided to fully use this relatively new technology.

I checked U2F a few years ago, and back then the price/performance ratio seemed pretty low to me. There were a lot of manual steps to get it working, like compiling tools from source code. That has changed: installation is simpler and support is wider. It now seems to me that it makes much more sense for everyone who uses a computer for serious work. It is quite cheap.

What can a U2F token do? It adds a second factor to your authentication by requiring that you have the device AND that you press the button on it when asked. The key internally contains private cryptographic secrets. It should not be possible to access these secrets by any method from outside, for example to copy or steal them.

What can I, as a Linux fan, do with them?

My current security measures:

  • strong passwords
  • encrypted SSD drives by LUKS
  • SSH limited to public key authentication (and sometimes IP)
  • SSL everywhere
  • mobile phone as 2nd factor for web authentication

Let’s improve it!


WARNING:

  • You may break access to your device AND/OR data. Backup first and then think twice before every action!
  • Consider external sources of failure. What if you have stored a wrong setting and there is a power outage? A network failure? A computer crash?
  • Buy at least two keys. If you lose one, you have another.


1. 2nd factor authentication on web

I use Chrome as my web browser. Just plug your device into your computer and set up each service you use that supports U2F:

Then, when you log in, the browser asks you to press the button on the U2F device to complete authentication.

2. Add second factor for SSH

For this, you need OpenSSH 8.2 (test by “ssh -V” and “sshd -V”) on both client and server. For me that means that until all the servers I access are updated, I have to keep both the old-school password-protected private key and the new one secured by U2F. For compatible servers I use solely the new U2F key, and one day I will remove the old one.

First generate a new U2F-backed key pair:

ssh-keygen -t ecdsa-sk -f ~/.ssh/my_key -C "My description"

It works like this: it generates public and private key files, as you would expect if you are familiar with ssh-keygen. But the private key file does not contain the private key; it just contains the challenge that was used for building the real key. Every time you use it, the computer sends the challenge from the private key file to the U2F key, and there (after you press the button) the private key is reconstructed using the internal secret. This is used for establishing communication with the server. The public key works as usual, so you simply copy it into ~/.ssh/authorized_keys on the server (you can use the ssh-copy-id utility for that).

Do you need to use a password for this type of key? It depends. An attacker would need your private key file with the original challenge AND your U2F key. For me this is safe enough, and it greatly simplifies work because you do not have to type a password every time (or use an SSH agent).
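While old and new keys coexist on a server, it helps to see which authorized_keys entries are backed by a security key and which are ordinary file-based keys. The following is an added example, not part of the original post; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which authorized_keys entries are security-key backed.

# Constructed sample file; key blobs are shortened placeholders, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# laptop, old password-protected key
ssh-rsa AAAAB3PLACEHOLDER old-key
sk-ecdsa-sha2-nistp256@openssh.com AAAAInPLACEHOLDER My description
from="192.0.2.10" ssh-ed25519 AAAAC3PLACEHOLDER backup-host
EOF
}

# audit_authorized_keys [FILE]: read FILE (or stdin) and print
# "<hardware|software> <key type> <comment>" for every key line.
audit_authorized_keys() {
    awk '
        BEGIN {
            # Key types OpenSSH writes; the sk- ones need the token to sign.
            types = "^(sk-ssh-ed25519@openssh\\.com|sk-ecdsa-sha2-nistp256@openssh\\.com|"
            types = types "ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$"
        }
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        {
            # Options such as from="..." may precede the key type field.
            t = 0
            for (i = 1; i <= NF && !t; i++) if ($i ~ types) t = i
            if (!t) { print "unknown", "-", "line-" NR; next }
            comment = "-"
            if (t + 2 <= NF) {
                comment = $(t + 2)
                for (j = t + 3; j <= NF; j++) comment = comment " " $j
            }
            kind = ($t ~ /^sk-/) ? "hardware" : "software"
            print kind, $t, comment
        }
    ' "${1:--}"
}

sample_authorized_keys | audit_authorized_keys
```

Entries reported as software are the ones to retire once every server accepts the new key.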

3. Add second factor for LUKS encryption

There are some implementations, like u2f-luks, fido2luks or yubikey-full-disk-encryption, but none of them is official or audited.

So for now I decided not to do this and wait for official support. I do not want to lose my data.

4. Using as second factor in Ubuntu 20.04

Second factor on local computer? Yes!

4.a Prepare PAM support for U2F

First, install U2F support:

sudo apt-get install libpam-u2f

Then create the mappings by running the following for every key you own (of course, replace username with your real login):

pamu2fcfg -u username >> /etc/u2f_mappings
echo -e "\n" >> /etc/u2f_mappings

Then edit /etc/u2f_mappings. It should be in this form:

username:something1,something2
username:something3,something4

Change it to the following format if you have multiple devices:

username:something1,something2:something3,something4

In other words: one line per username, the username only at the beginning of the line, and multiple keys separated by colons.

4.b Add second factor for system login

Now we are entering the danger zone!

First, open two terminals where you log in as root, for example by “sudo su -”. The first is for work, the second is a fallback. But if your computer crashes at this moment, you have a problem: you have to boot from USB, connect the disk and fix it. Keep that in mind.

In the first terminal, edit /etc/pam.d/sudo and, below the line @include common-auth, add:

auth required pam_u2f.so authfile=/etc/u2f_mappings cue

Then open a third terminal and try some sudo command like:

sudo echo Wow

You should be asked for the password first and then to press the button on your U2F device. If that works, you can remove the added line from /etc/pam.d/sudo and add the same line to /etc/pam.d/common-auth as the last line.

Then open a new terminal and try “sudo echo Wow”; it should still work. Then try to log in from the system console (press CTRL+ALT+F3); it should again ask for the password and a key press. You may return to the GUI by pressing CTRL+ALT+F2. Finally, try to log out by WIN+L and log back in. Again, the password and a key press should be required.

4.c Simplify sudo by only relying on U2F

Now, instead of typing a password every time I run sudo, I just want to press the button on the U2F key. Here I am in doubt about security. If you are used to locking your computer when you leave it, it is probably fine. Or, even better, take your key with you. If not, do not use this method.

Open the sudo config /etc/pam.d/sudo and, above the line @include common-auth, add:

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

The parameter “cue” means that a prompt for the key will be displayed.
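The difference between 4.b and 4.c is only the control flag and the position of the pam_u2f line relative to @include common-auth, which is easy to get wrong when editing by hand. The check below is an added example, not part of the original post; the function name and the output labels are hypothetical. It is meant for a service file such as /etc/pam.d/sudo and reports which of the two layouts the file has.

```shell
#!/bin/sh
# Added example: report how pam_u2f is wired into a PAM service file.
# Prints one of:
#   password-and-key   auth required pam_u2f.so below "@include common-auth" (4.b)
#   key-is-enough      auth sufficient pam_u2f.so above the include (4.c)
#   no-u2f, or review-manually:<reason> for any other layout
classify_pam_u2f() {
    awk '
        $1 ~ /^#/ { next }                               # skip comment lines
        $1 == "@include" && $2 == "common-auth" && !inc { inc = NR }
        $1 == "auth" && index($0, "pam_u2f.so") && !u2f {
            u2f = NR; ctl = $2
            # The lines on this page always pass an absolute authfile= path.
            for (i = 3; i <= NF; i++) if ($i ~ /^authfile=\//) authfile = 1
        }
        END {
            if (!u2f)      { print "no-u2f"; exit }
            if (!authfile) { print "review-manually:no-authfile"; exit }
            if (!inc)      { print "review-manually:no-common-auth"; exit }
            if (ctl == "required" && u2f > inc)   { print "password-and-key"; exit }
            if (ctl == "sufficient" && u2f < inc) { print "key-is-enough"; exit }
            where = (u2f < inc) ? "above" : "below"
            print "review-manually:" ctl "-" where "-include"
        }
    ' "$1"
}

# Constructed sample files modelled on the two layouts from 4.b and 4.c.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '@include common-auth' \
        'auth required pam_u2f.so authfile=/etc/u2f_mappings cue' > "$d/4b"
    printf '%s\n' 'auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' \
        '@include common-auth' > "$d/4c"
    for f in "$d"/4b "$d"/4c; do
        printf '%s: %s\n' "${f##*/}" "$(classify_pam_u2f "$f")"
    done
    rm -rf "$d"
}
demo
```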

4.d Confirm other system dialogs only by U2F

This dialog opens, for example, when you try to install a package from the software center. The approach is similar to sudo in 4.c; just put that line in /etc/pam.d/polkit-1

This was advised by raj on my question on AskUbuntu.
