PAM U2F enables the use of FIDO2 keys for system login. Here’s a brief introduction on how to configure PAM U2F for use with FIDO2 keys on Debian/Ubuntu.

As of April 2020, the latest released version, pam_u2f-1.0.8, is not working as intended. Make sure to use the latest GitHub source. At least these commits are required: 23a099 and de9731.

~# apt install pamu2fcfg libpam-u2f

Configuration is specified in /etc/pam.d/pamu2f:

auth [success=1 system_err=ignore] pam_exec.so quiet type=auth /usr/local/sbin/is_remote.sh
auth required pam_u2f.so authfile=.ssh/u2f_keys [prompt=Please insert your FIDO2 device, then press ENTER.] interactive cue [cue_prompt=Please touch your FIDO2 device now.] nodetect

Note: these are two separate, long lines.

The first line makes PAM skip the pam-u2f line when a user is logging in remotely (remote U2F authentication is feasible now, see openssh-2fa-fido2). Local logins, however, must still authenticate via pam-u2f, and that is what the second line provides.

Create a shell script that determines whether the login is local or remote, in /usr/local/sbin/is_remote.sh:

#!/usr/bin/env bash
# Called by pam_exec with PAM_TTY set by the calling service.
# Exit 0 for a remote login (PAM then skips the pam_u2f line),
# exit 1 for a local login (pam_u2f stays required).
# `last -i` prints 0.0.0.0 as the address of local logins.
ip="$(last -i -p now "${PAM_TTY#/dev/}" | head -1 | sed 's/.* \([[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\) .*/\1/g')"
# An empty result (no tty, no wtmp entry) is treated as local, so that
# pam_u2f is still required rather than silently skipped.
if test -n "$ip" && test "$ip" != "0.0.0.0"; then
  exit 0   # remote login: skip pam_u2f
else
  exit 1   # local (or unknown) login: require pam_u2f
fi

PAM U2F requires a token mapping file, i.e. .ssh/u2f_keys. It can be a global (read: system-wide) file containing tokens for all users, which is just impractical. Rather, make it a per-user token mapping file, i.e. create ~/.ssh/u2f_keys (even though PAM U2F is not restricted to SSH authentication only), with this syntax:

foobar:<key0>[:key1[:keyN]]

The key can be obtained by registering the U2F key via pamu2fcfg. Plug in your U2F key, start the registration process and press/touch the button:

~# pamu2fcfg >> ~/.ssh/u2f_keys

To register multiple keys for a single user, edit the file (~/.ssh/u2f_keys) so that the user has one single line following the syntax given above; each pamu2fcfg run appends its own line, so the entries need to be merged.
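Merging those appended lines by hand is error-prone, so here is an added helper (not part of the original post or of pam-u2f) that rewrites a mapping with one line per user. It assumes that everything after the first colon on a line is one key entry, as pamu2fcfg emits it, and that key entries never contain a colon; the sample mapping is constructed, with shortened placeholder keys.

```shell
#!/usr/bin/env bash
# merge_u2f_keys: read a u2f_keys mapping on stdin, write one
# "user:key0:key1:...:keyN" line per user on stdout, keeping the order in
# which users first appear. Blank lines and comments are dropped, and lines
# without a "user:" prefix are reported on stderr and skipped.
merge_u2f_keys() {
  awk -F: '
    /^[[:space:]]*$/ || /^#/ { next }
    NF < 2 {
      printf "skipping malformed line %d: %s\n", NR, $0 > "/dev/stderr"
      next
    }
    {
      user = $1
      keys = substr($0, length(user) + 2)      # text after "user:"
      if (!(user in seen)) {
        order[++n] = user; seen[user] = 1; merged[user] = keys
      } else {
        merged[user] = merged[user] ":" keys   # append another key entry
      }
    }
    END { for (i = 1; i <= n; i++) print order[i] ":" merged[order[i]] }
  '
}

# Constructed sample in the shape left behind by three pamu2fcfg runs
# (two for alice, one for bob); real entries are much longer.
SAMPLE='alice:KEYHANDLE1,PUBKEY1
bob:KEYHANDLE3,PUBKEY3
alice:KEYHANDLE2,PUBKEY2'

printf '%s\n' "$SAMPLE" | merge_u2f_keys
```

For a real file, run `merge_u2f_keys < ~/.ssh/u2f_keys > ~/.ssh/u2f_keys.new`, check the result, then move it into place.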

HINT: BEFORE testing your new PAM settings, open one or two additional root shells, just in case you need to deactivate a non-functional PAM configuration. You’ve been warned. 😉

Support for OpenSSH 2FA with FIDO2 is scheduled for the next pam-u2f release. For those of you seeking support for OpenSSH and 2FA with TOTP, look here.