With a YubiKey you can protect access to computers, networks, and online services.
YubiKey 5 Series eliminates account takeovers by providing strong phishing defense using multi-protocol capabilities that can secure legacy and modern systems. It provides a range of authentication choices including strong two-factor, multi-factor and passwordless authentication, and seamless touch-to-sign.
To enable 2FA on the Ubuntu login interface, we first need to install the libpam-u2f package:
# apt-get install libpam-u2f
After that, we need to add the configuration for each of our YubiKeys to the system:
# For the first key, use:
# pamu2fcfg | sudo tee /etc/u2f_keys
# To add a second or further key, use (-n omits the username, so the key is appended to the existing entry):
# pamu2fcfg -n | sudo tee -a /etc/u2f_keys
With these steps done, we are almost ready to use our keys as 2FA to log in to the OS.
The final step is to add the required configuration to PAM to enable 2FA for all OS users.
Add the following line at the bottom of the /etc/pam.d/common-auth file:
auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue
nouserok: a user without an associated key is not asked for 2FA.
authfile: tells the module to look for our file in /etc instead of the default location (home directory).
cue: enables the touch prompt with the message “Please touch the device”.
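Because nouserok lets any account without an entry in /etc/u2f_keys log in with a password alone, it is worth checking who is actually enrolled. The script below is an added example, not part of the original post; it assumes the authfile layout that pamu2fcfg writes (one line per user, credentials separated by colons), and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. u2f_audit AUTHFILE PASSWD prints, per account with a login shell:
#   "<user> keys=<n>"    n credentials enrolled in AUTHFILE
#   "<user> NO_KEY"      nothing enrolled: nouserok lets this account skip 2FA
# and "MALFORMED line <n>" for authfile lines that have no username, which is
# what `pamu2fcfg -n` output looks like when it lands on a line of its own.
u2f_audit() {
    awk -F: '
        FILENAME == ARGV[1] {                 # authfile: user:cred1:cred2...
            if ($0 == "") next
            if ($1 == "") { print "MALFORMED line " FNR; next }
            for (i = 2; i <= NF; i++) if ($i != "") keys[$1]++
            next
        }
        $7 ~ /(nologin|false)$/ { next }      # passwd: skip non-login accounts
        { print $1 ((keys[$1] > 0) ? " keys=" keys[$1] : " NO_KEY") }
    ' "$1" "$2"
}

# Constructed sample data; key handles and public keys are placeholders.
u2f_audit_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/u2f_keys" <<'EOF'
alice:HANDLE1,PUBKEY1,es256,+presence:HANDLE2,PUBKEY2,es256,+presence
bob:HANDLE3,PUBKEY3,es256,+presence
:HANDLE4,PUBKEY4,es256,+presence
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/zsh
EOF
    u2f_audit "$dir/u2f_keys" "$dir/passwd"
    rm -rf "$dir"
}

u2f_audit_demo
```

On a real system, run it as `u2f_audit /etc/u2f_keys /etc/passwd`; any NO_KEY account is one that the PAM line above lets through on its password alone.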