Two-Factor Auth and/or Passwordless Login on Arch Linux Using u2f Physical Keys
By WretchedGhost
5 minutes read - 879 words
Credit Where Credit Is Due
I used a lot of the configuration from https://old.jamesthebard.net/archlinux-and-u2f-login/ but then tweaked it and added a little more explanation, since his entry is from around 2017.
Let’s Start the Rant
I have always wanted a way to get away from having to type in a password to log in or use sudo. There are security concerns with allowing this type of login: one is that anyone who possesses my key could then log in and run sudo. Another is that, with some tweaking, you can make it accept only the u2f key, with no password at all. A third way, which is the most secure, is to require both typing in the password and possessing the u2f hardware key to log in.
Although I seek out security over convenience most of the time, logging into my work laptop, a beefy Dell Rugged Extreme Latitude 7424 (and by beefy I mean beefy like a cow), can be a real chore. The keys are very stiff and the chiclet keys are spaced in a way where I have to type my password several times before my finger muscle memory slows down and gets the correct keys in the correct order. This laptop has really annoyed me in that respect, hence my desire for a new way to log in.
What is u2f
For those of you who don’t know, u2f stands for “universal second factor”, which, as the name says, is a second authentication factor that prides itself on being universally accepted. Many websites allow this type of authentication for their logins. In my case, my Linode and Namecheap logins are set to require a u2f login on top of my password. Other sites still use an app authenticator, which is good but not great: if you lose your phone or it gets damaged, app auth can be a real problem. Losing a key is a valid concern too, but you are more likely to have a second u2f hardware key (you should have at least two) than two phones running the app authenticator. In my case I have several hardware keys and two phones, one for work and one personal, but this is beside the point.
WARNING: This might work on other systems, but I have only seen it done on Arch (BTW), and that is how I will be doing it today.
Step 1:
We must install the pam_u2f PAM module from the Arch repo. There is an AUR package named pam_u2f-git, but I found it buggy, and it did not install all the proper dependencies on a fresh install on my laptop, so I recommend using only the Arch repo version.
sudo pacman -S pam-u2f autoconf libtool libu2f-server libfido2
If asciidoc, libxml2, and docbook-xml don’t get installed automatically by the above command, install them now.
sudo pacman -S asciidoc libxml2 docbook-xml
Next, we need to add the code generated by the physical key to the u2f_mappings file. Insert the u2f key into the laptop, then run:
sudo pamu2fcfg -u(username)
or in my case
sudo pamu2fcfg -uwretchedghost
Then, when prompted, touch the key when it lights up. If prompted for a password, enter the PIN you created on your key. I believe a YubiKey may or may not have one, though the default from their site seems to suggest it’s 123456.
A bunch of characters will be displayed in this format:
wretchedghost:(lots of numbers and letters and junk)
Create a file named /etc/u2f_mappings and add that string of text to it. If you want to add multiple keys, all you have to do is add a : at the end of the first key and then place the text from the other key after it.
cat /etc/u2f_mappings
wretchedghost:(lots of text):(new key with lots of text)
Make sure your username appears only once, and the entire entry must be on a single line.
Step 2:
Next we need to edit the system-auth file in the /etc/pam.d directory. In my Arch config, mine looks like this:
What I added was the line
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue mode=challenge-response
right above
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
What this does is detect whether a u2f USB device has been plugged in; if so, it asks you to touch the key when using sudo. If no u2f device is detected, you get the normal sudo password prompt. That fallback comes from the sufficient control: if pam_u2f fails, PAM simply continues to the pam_unix line below it.
It is recommended to change the mode of /etc/u2f_mappings to either 400, if you don’t want anybody, even root, to edit the file, or, as in my case, 600, since I might be adding more keys and want root to have read/write privileges.
chmod 400 /etc/u2f_mappings
or, to allow root to still edit it:
chmod 600 /etc/u2f_mappings
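As an added example (my code, not the post’s and not the pam_u2f project’s), here is a small shell script that makes the Step 2 edit for you: it inserts the pam_u2f line directly above the auth pam_unix.so line, keeps a backup, and refuses to add a second copy on re-runs. It takes the control flag as a parameter so the two setups from the rant are both covered: sufficient (a key alone logs you in, with the password prompt as fallback when no key is plugged in) and required (key and password both needed). The example writes only the authfile and cue options, and it runs against a constructed temp file holding a minimal auth stack; pointing it at /etc/pam.d/system-auth is the real use.

```shell
#!/bin/sh
# Added example (not from the post or from the pam_u2f project): insert the
# pam_u2f line into a PAM auth stack directly above the pam_unix.so auth line,
# the placement described in Step 2. The file path and sample contents below
# are constructed for the demo; on a real system the target is
# /etc/pam.d/system-auth.

# add_pam_u2f FILE CONTROL
#   CONTROL = sufficient : a registered key alone logs you in; with no key
#                          plugged in PAM falls through to the password prompt
#   CONTROL = required   : both the key AND the password are needed; with no
#                          key present authentication fails
# Returns 0 on success (also when the line is already present), 1 if there is
# no pam_unix.so auth line to anchor on, 2 on a bad CONTROL value.
add_pam_u2f() {
    file="$1"
    control="${2:-sufficient}"
    case "$control" in
        sufficient|required) ;;
        *) echo "control must be 'sufficient' or 'required'" >&2; return 2 ;;
    esac
    # idempotent: do not stack a second pam_u2f line on re-runs
    if grep -Eq '^auth[[:space:]]+[^#]*pam_u2f\.so' "$file"; then
        echo "$file: pam_u2f.so already present"
        return 0
    fi
    if ! grep -Eq '^auth[[:space:]].*pam_unix\.so' "$file"; then
        echo "$file: no 'auth ... pam_unix.so' line to anchor on" >&2
        return 1
    fi
    # keep a copy: a broken auth stack locks you out of sudo, and restoring
    # the backup from a root shell (or a live USB) is the recovery path
    cp -p "$file" "$file.bak" || return 1
    awk -v ctl="$control" '
        !done && /^auth[ \t]/ && /pam_unix\.so/ {
            print "auth " ctl " pam_u2f.so authfile=/etc/u2f_mappings cue"
            done = 1
        }
        { print }
    ' "$file" > "$file.tmp" || return 1
    # write back through cat so the original owner and mode are preserved
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# auth_order FILE: print the auth lines in stack order so the placement can be
# eyeballed (pam_u2f must come before pam_unix for either mode to work)
auth_order() {
    grep -nE '^auth[[:space:]]' "$1"
}

# --- constructed demo: runs against a temp file, never the live PAM config ---
demo=$(mktemp)
printf '%s\n' \
    '#%PAM-1.0' \
    'auth       [success=1 default=bad] pam_unix.so          try_first_pass nullok' \
    'auth       optional                    pam_permit.so' \
    'account    required                    pam_unix.so' > "$demo"
add_pam_u2f "$demo" sufficient
auth_order "$demo"
rm -f "$demo" "$demo.bak"
```

Keep a second terminal open as root while you do this on the real file; if sudo stops working, restore system-auth.bak from that shell.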
Step 3:
Log out or reboot to get the key working across the board for your user.
Update
Additional users can be added to the same u2f_mappings file. All you need to do is start a new line for that user. Make sure there are no empty lines between the first user’s keys and the second, and so on.
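The mappings-file rules from Step 1 and this Update (one line per user, each username once, keys chained with :, no blank lines, mode 400 or 600) are easy to get wrong by hand, so here is an added checker script. It is my code, not the post’s or pam_u2f’s, and the key strings it feeds itself are constructed placeholders rather than real pamu2fcfg output.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check an /etc/u2f_mappings file
# before sudo or login depends on it. The rules are the ones the post states:
# one line per user, each username only once, keys separated by ':', no blank
# lines between users, and the file readable only by root (mode 400 or 600).
# The key strings in the demo are constructed placeholders, not real output.

# check_u2f_mappings FILE: prints each problem found, returns 0 only if clean
check_u2f_mappings() {
    file="$1"
    lineno=0
    status=0
    seen=" "
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        if [ -z "$line" ]; then
            echo "line $lineno: blank line (pam_u2f expects none)"
            status=1
            continue
        fi
        user="${line%%:*}"
        if ! printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$'; then
            echo "line $lineno: bad username '$user'"
            status=1
        fi
        case "$seen" in
            *" $user "*)
                echo "line $lineno: user '$user' already has a line; put all keys on one line"
                status=1 ;;
        esac
        seen="$seen$user "
        if [ "$user" = "$line" ]; then
            echo "line $lineno: no key registered for '$user'"
            status=1
            continue
        fi
        # walk the ':'-separated key fields after the username; each must be non-empty
        rest="${line#*:}"
        while :; do
            key="${rest%%:*}"
            if [ -z "$key" ]; then
                echo "line $lineno: empty key field for '$user' (stray ':'?)"
                status=1
            fi
            [ "$rest" = "$key" ] && break
            rest="${rest#*:}"
        done
    done < "$file"
    return $status
}

# check_u2f_mappings_mode FILE: 0 if the mode is 400 or 600 as the post recommends
check_u2f_mappings_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1 has mode $mode; run chmod 400 or chmod 600 on it"; return 1 ;;
    esac
}

# --- constructed demo file: placeholder key strings, two users, two keys for the first ---
demo=$(mktemp)
printf '%s\n' \
    'wretchedghost:CONSTRUCTED_HANDLE_1,CONSTRUCTED_PUBKEY_1:CONSTRUCTED_HANDLE_2,CONSTRUCTED_PUBKEY_2' \
    'alice:CONSTRUCTED_HANDLE_3,CONSTRUCTED_PUBKEY_3' > "$demo"
chmod 600 "$demo"
if check_u2f_mappings "$demo" && check_u2f_mappings_mode "$demo"; then
    echo "$demo: mappings file looks sane"
fi
rm -f "$demo"
```

Run it against /etc/u2f_mappings before logging out in Step 3; a non-zero exit means fix the file first, while you still have a working sudo.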