[et_pb_section fb_built=”1″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_row _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” text_font=”Roboto||||||||” text_font_size=”20px” text_line_height=”1.8em” background_color=”#efefef” module_alignment=”center” custom_padding=”2%|4%|2%|4%|true|true” global_colors_info=”{}”]<\/p>\n
With the help of YubiKey hardware security keys, your system receives an increased level of protection, and the process of logging into accounts becomes faster and more convenient. To easily configure the necessary parameters on a Linux system, you should follow the instructions below.<\/span><\/p>\n [\/et_pb_text][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” text_font_size=”16px” global_colors_info=”{}”]<\/p>\n Setting up the YubiKey in a Linux environment is slightly different from setting up in other operating systems such as <\/span>Windows<\/span><\/a>. First, you’ll have to do things through the terminal, not the GUI, for setup. Second, you’ll need to make a few adjustments to prevent attackers from bypassing certain restrictions. At the same time, it is important that you do not block yourself from accessing the system.<\/span><\/p>\n Steps to be followed:<\/span><\/p>\n If you plan to use Security Key or YubiKey Bio series keys, please follow the U2F (<\/span>Two-Factor Authentication<\/span><\/a>) key setup instructions below.<\/span><\/p>\n To configure the YubiKey using the U2F function, you can use keys of any series available in our<\/span> online store<\/span><\/a>, even Security Key and YubiKey Bio.<\/span><\/p>\n There are several ways to install Yubico software on Linux. For example:<\/span><\/p>\n More information in the article: \u201c<\/span>How to install Yubico software on Linux<\/span><\/a>\u201d.<\/span><\/p>\n Consider configuring the YubiKey on an Ubuntu system using the U2F feature in the Security Key or YubiKey Bio series (or others). Based on this example, you will be able to make similar settings in systems similar to Ubuntu.<\/span><\/p>\n In order not to lose access to your personal device if the key is lost, add a backup security key. To do this, insert an additional key, run the command in the terminal <\/span> For an added layer of security,<\/b> you’ll also need to move the file <\/span>u2f_keys<\/b> to a safer place. Where you need sudo permission to edit a file (eg <\/span>\/etc<\/span>). <\/span> <\/p>\n For this:<\/span><\/p>\n After the file <\/span>u2f_keys<\/b> will be moved to a safe location, you will need to modify the PAM file as well so that the u2f PAM module can find it later. This is done by adding “<\/span> Note that<\/b>, that after performing these actions, you will lose the ability to modify the file without the key, which may lead to the loss of access to your device. Therefore, we do not recommend performing this step without having a backup security key.<\/span><\/p>\n In this section, we will consider how to configure the keys for the entrance and the terminal and at the same time not to block the entrance. We will also consider how to adjust the system in case of errors. <\/span><\/p>\n The sudo command is used to test that a user does not accidentally lock out their computer. To use it:<\/span><\/p>\n Pay attention!<\/b> If you moved the <\/span>u2f_keys<\/b> file to the <\/span>\/etc\/Yubico\/u2f_keys <\/b>for<\/span> increased security, then you will need to add the authentication file and PAM configuration path like this: <\/span>auth required pam_u2f.so authfile=\/etc\/Yubico\/u2f_keys<\/span>.<\/span><\/p>\n If U2F authentication is successful after completing all the steps, it means that you have everything set up correctly. So you can move on to the next step. <\/span><\/p>\n Note:<\/b> If you don’t want to be prompted for a key when you run sudo, remove the line you just added to the file <\/span>\/etc\/pam.d\/sudo<\/b>. <\/span> <\/p>\n Because the sudo states have different authentication paths in different OS versions, you may need to edit a different directory to configure the PAM information file and make it valid. <\/span><\/p>\n List of editable files to configure authentication available in Ubuntu 22.04. <\/span><\/p>\n <\/p>\n <\/p>\n Find the file you want and add the following line below the “@include common-auth” entry: <\/span> Note.<\/b> If you moved the <\/span>u2f_keys<\/b> file to <\/span>\/etc\/Yubico\/u2f_keys<\/b>, then you will need to add the authentication file and path to the PAM configuration as follows: <\/span> After saving your changes, you need to configure your system to require the YubiKey when using this app.<\/span><\/p>\n <\/p>\n\n
Compatible keys<\/b><\/h2>\n
\nWays to install Yubico software<\/b><\/h2>\n
\n\n
Configuring the YubiKey security key<\/b><\/h2>\n
\n\n
sudo apt-get install libpam-u2f<\/code><\/span>. <\/span> <\/li>\nmkdir -p ~\/.config\/Yubico<\/code><\/span>, then <\/span>pamu2fcfg > ~\/.config\/Yubico\/u2f_keys. <\/code><\/span>The system may then ask for a PIN code to activate the FIDO2 function.<\/span><\/li>\npamu2fcfg -n >> ~\/.config\/Yubico\/u2f_keys<\/code><\/span> and tap the key when it flashes. If you don’t have a spare key yet, you can skip this step and come back to it later. <\/span><\/p>\n\n
sudo mv ~\/.config\/Yubico\/u2f_keys \/etc\/Yubico\/u2f_keys<\/code><\/span>.<\/span><\/li>\n<\/ol>\nauthfile=\/etc\/Yubico\/u2f_keys<\/code><\/span>” to the end of the file line <\/span>pam_u2f.so<\/b> inside the file required for authentication. It is usually located at <\/span>\/usr\/lib\/x86_64-linux-gnu\/security\/pam_u2f.so<\/strong>, but it may vary depending on the settings.<\/span><\/p>\nConfiguring the system to use security keys<\/b><\/h2>\n
\nChecking the configuration using the sudo command<\/b><\/h3>\n
\n
sudo nano \/etc\/pam.d\/sudo.<\/code><\/span><\/li>\nauth required pam_u2f.so<\/code><\/span><\/li>\n<\/ol>\n\n
sudo echo test<\/code><\/span>. The program should prompt you to enter a password. Enter the password and click <\/span>Enter<\/b>. <\/span> <\/li>\n\n
Adding similar sudo commands to request a security key<\/b><\/h4>\n
\n\n
\n The name of the file<\/b><\/td>\n File location<\/b><\/td>\n<\/tr>\n \n runuser<\/span><\/a><\/td>\n \/etc\/pam.d\/runuser<\/span><\/td>\n<\/tr>\n \n runuser -l<\/span><\/a><\/td>\n \/etc\/pam.d\/runuser-l<\/span><\/td>\n<\/tr>\n \n su<\/span><\/a> <\/span><\/td>\n \/etc\/pam.d\/su<\/span><\/td>\n<\/tr>\n \n sudo -i<\/span><\/a><\/td>\n \/etc\/pam.d\/sudo-i<\/span><\/td>\n<\/tr>\n \n su -l<\/span><\/a> <\/span><\/td>\n \/etc\/pam.d\/su-l<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n auth required pam_u2f.so<\/code><\/span>.<\/span><\/p>\nauth required pam_u2f.so authfile=\/etc\/Yubico\/u2f_keys<\/code><\/span>. <\/span> <\/p>\nConfiguring the system for a remote key when entering the system<\/b><\/h3>\n
\n
sudo nano \/etc\/pam.d\/gdm-password<\/code><\/span>. You should receive an answer:<\/span><\/li>\n<\/ol>\n#for Password + YubiKey<\/span><\/code><\/p>\nAdd the line below the \u201c@include common-auth\u201d line. <\/span><\/code><\/p>\n@include yubico-required<\/span><\/code><\/p>\n#for YubiKey only <\/span><\/code><\/p>\nAdd the line above the \u201c@include common-auth\u201d line. <\/span><\/code><\/p>\n@include yubico-sufficient<\/span><\/code><\/p>\n\n
System settings on demand when using the terminal<\/b><\/h3>\n
\n
sudo nano \/etc\/pam.d\/login<\/code><\/span>.<\/span> <\/li>\nauth required pam_u2f.so<\/code><\/span>