pages/yubikey: add pam_u2f alternative

Apparently there is also pam_u2f as an alternative to pam_yubico which is a
more general approach using the open FIDO2 / U2F standard. It's much
easier to set up as there are fewer possibilities and decisions to make.

This approach also supports more security keys like SoloKey v2 and
NitroKey 2/3 which could open the possibility to create a dedicated security
key page for general key support in Fedora Linux.
w4tsn 2023-03-11 11:02:14 +01:00
parent 21f8895d16
commit ff8060af9f

@ -40,17 +40,34 @@ For some features private keys and other secrets are stored on the YubiKey. Each
== Using a YubiKey to authenticate to a machine running Fedora == Using a YubiKey to authenticate to a machine running Fedora
Local system authentication uses https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam[Pluggable Authentication Modules (PAM)]. There are two ways to configure the YubiKey PAM module to authenticate users. Either via the YubiCloud or using challenge-response. The YubiCloud is the standard method but depends on Yubico's cloud to validate your OTPs and hence requires constant internet access. Local system authentication uses https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam[Pluggable Authentication Modules (PAM)]. You have two options here: pam_yubico and pam_u2f. The former is required for YubiKeys without FIDO2/U2F. If your key supports the FIDO2 standard depends on firmware and hardware model.
The setup is as follows: install the PAM module, register a YubiKey with your user account, create base configuration for either of the two authentication options and then choose the PAM configuration you want to use the YubiKey. The setup is as follows: install the PAM module, register a YubiKey with your user account, create base configuration for either of the two authentication options and then choose the PAM configuration you want to use the YubiKey with.
=== Dependencies
The packages required for both PAM modules are available in the official repositories.
==== For pam_yubico
Install the PAM yubico module from the official repositories: Install the PAM yubico module from the official repositories:
[source, bash] [source, bash]
[…]$ sudo dnf install pam_yubico […]$ sudo dnf install pam_yubico
==== For pam_u2f
Install the PAM u2f module and the CLI tool from the official repositories:
[source, bash]
[…]$ sudo dnf install pam-u2f pamu2fcfg
=== Base configuration files === Base configuration files
==== For pam_yubico
There are two ways to configure the YubiKey PAM module to authenticate users. Either via the YubiCloud or using challenge-response. The YubiCloud is the standard method but depends on Yubico's cloud to validate your OTPs and hence requires constant internet access.
Create two base configuration files in /etc/pam.d. yubikey-required and yubikey-sufficient. Create two base configuration files in /etc/pam.d. yubikey-required and yubikey-sufficient.
For YubiCloud use the following: For YubiCloud use the following:
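Review bot: grammar in the new intro sentence of this hunk: "If your key supports the FIDO2 standard depends on firmware and hardware model." should read "Whether your key supports the FIDO2 standard depends on firmware and hardware model." The preceding sentence also says pam_yubico is "required for YubiKeys without FIDO2/U2F" but gives the reader no way to find out which case applies; a short pointer on how to check (model or firmware documentation) would save a failed setup. The dependency split into "For pam_yubico" / "For pam_u2f" subsections is clear; keep the same two-subsection pattern consistently in the later sections so readers following only one path can skip the other.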
@ -98,8 +115,27 @@ You may add the debug option at the end of these lines right after the mode opti
If you want to use both methods for different use-cases just create the respective configuration files and use them as includes as described in the next section accordingly. If you want to use both methods for different use-cases just create the respective configuration files and use them as includes as described in the next section accordingly.
==== For pam_u2f
Create two base configuration files in /etc/pam.d. u2f-required and u2f-sufficient.
[source]
#%PAM-1.0
auth required pam_u2f.so
[source]
#%PAM-1.0
auth sufficient pam_u2f.so
[NOTE]
====
You may add the debug option at the end of these lines right after the mode option to get troubleshooting information in journald.
====
=== Register YubiKey(s) with your local account(s) === Register YubiKey(s) with your local account(s)
==== For pam_yubico
If you use the online YubiCloud method you need the ID of your YubiKey. For this just enter the key and retrieve an OTP code with a short press on the button and extract the first 12 characters - this is your key ID. If you use the online YubiCloud method you need the ID of your YubiKey. For this just enter the key and retrieve an OTP code with a short press on the button and extract the first 12 characters - this is your key ID.
[source] [source]
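Review bot: the NOTE in the new pam_u2f block says to add the debug option "right after the mode option", but the two pam_u2f lines above it have no mode option; that text was copied from the pam_yubico note and should be reworded for pam_u2f (e.g. "append the debug option to the end of the pam_u2f.so line"). The two [source] blocks for u2f-required and u2f-sufficient are also not labelled with which file each belongs to, unlike the wording "Create two base configuration files in /etc/pam.d. u2f-required and u2f-sufficient."; a one-line caption per block avoids them being pasted into the wrong file. Worth a sentence as well: with "auth required pam_u2f.so" any user who has not yet registered a key is locked out of the affected service, so the text should advise keeping an existing privileged session open until the new configuration has been verified from a second login.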
@ -121,6 +157,19 @@ Or for any other system user using sudo.
[source, bash] [source, bash]
[…]$ sudo -u someuser ykpamcfg -2 […]$ sudo -u someuser ykpamcfg -2
==== For pam_u2f
Use the tool pamu2fcfg to retrieve a configuration line that goes into ~/.config/Yubico/u2f_keys. This configuration line consists of a username and a part tied to a key separated by colon.
[source]
fedora-user:owBYtPIH2yzjlSQaRrVcxB...Pg==,es256,+presence
If the key is PIN protected you'll be asked to enter the PIN for this operation.
[source, bash]
[…]$ mkdir -p ~/.config/Yubico
[…]$ pamu2fcfg >> ~/.config/Yubico/u2f_keys
=== Configure desired PAM modules === Configure desired PAM modules
Next configure PAM to accept a YubiKey as a means of authentication. There are many options in /etc/pam.d to modify and add a YubiKey, but the most common use-cases are: Next configure PAM to accept a YubiKey as a means of authentication. There are many options in /etc/pam.d to modify and add a YubiKey, but the most common use-cases are:
@ -130,7 +179,7 @@ Next configure PAM to accept a YubiKey as a means of authentication. There are m
- /etc/pam.d/sudo - /etc/pam.d/sudo
- /etc/pam.d/sshd - /etc/pam.d/sshd
In a PAM configuration file if using yubikey-sufficient add an include line before or if using yubikey-required add it after a line that reads "auth substack system-auth" or "auth include system-auth". An include of yubikey-sufficient looks like this: In a PAM configuration file if using {yubikey,u2f}-sufficient add an include line before or if using {yubikey,u2f}-required add it after a line that reads "auth substack system-auth" or "auth include system-auth". An include of yubikey-sufficient looks like this:
[source] [source]
auth include yubikey-sufficient auth include yubikey-sufficient
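Review bot: the sentence now covers both {yubikey,u2f}-sufficient and {yubikey,u2f}-required, but the example that follows still only shows "auth include yubikey-sufficient"; add the matching "auth include u2f-sufficient" example so the pam_u2f path is complete. Since /etc/pam.d/sshd is listed as a common use case, the text should note that pam_u2f talks to the security key attached to the machine running PAM, so for sshd the key has to be plugged into the server rather than the client; without that caveat readers will expect a key on their laptop to satisfy a remote login and be locked out when using the required variant.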