Set up Yubikey for Passwordless Sudo Authentication

bashbunni

Posted on January 24, 2022

Passwordless auth with Yubico 5 NFC on Ubuntu

Resources

Using U2F for passwordless sudo

Prerequisites

sudo apt-get install libpam-u2f
You'll need to set up your Yubikey with the Yubikey Manager before starting this tutorial.

Setup

  1. Plug in your Yubikey and type: mkdir ~/.config/Yubico
    • ignore if the folder already exists
  2. Type pamu2fcfg > ~/.config/Yubico/u2f_keys to add your Yubikey to the list of accepted Yubikeys
    • enter your PIN if one is set for the key, then touch the key when the key's light blinks.
  3. (optional) Register additional keys with the command: pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
  4. Type sudo nano /etc/pam.d/sudo (or sudo nvim /etc/pam.d/sudo to use neovim as the text editor) to edit the PAM config for sudo
    Then add the line auth sufficient pam_u2f.so before the line
    @include common-auth

To make this 2FA instead of passwordless authentication with Yubikey

  • instead of the final step, adjust the file /etc/pam.d/sudo to include:
@include common-auth
auth       required   pam_u2f.so

Save the file and DO NOT CLOSE THE FILE - CONFIRM that the deployment was successful (see below)

Always confirm success BEFORE closing the editor window where /etc/pam.d/sudo is open. A mistake in this file can lock you out of sudo, and the still-open editor is how you undo it.

You can test the deployment is successful by opening a new terminal tab or window then running sudo echo SUCCESS

  • If you enabled sign-in with yubikey only, then you will see your yubikey flashing for touch input
  • If you enabled 2FA with your key, then you will be prompted to enter your password, then the yubikey will flash for touch input.

Once the behaviour works as expected, you may close the terminal windows
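
As an added example (not part of the original post), this read-only script reports which of the two layouts above a PAM file such as /etc/pam.d/sudo actually contains, and how many keys are registered for a user in u2f_keys. The function names and sample data are made up for illustration; the key count assumes pam-u2f's mapping format of one line per user (user:key:key...).

```shell
#!/bin/sh
# Added example: read-only checks for the setup described in this post.

# pam_u2f_mode FILE -> passwordless | 2fa | none | other
# Compares the first "auth ... pam_u2f.so" line with the first
# "@include common-auth" line, the two layouts this post describes.
pam_u2f_mode() {
    awk '
        { sub(/#.*/, "") }              # strip comments
        NF == 0 { next }                # skip blank lines
        $1 == "@include" && $2 == "common-auth" && !inc { inc = NR }
        $1 == "auth" && $3 == "pam_u2f.so" && !u2f { u2f = NR; ctrl = $2 }
        END {
            if (!u2f) print "none"
            else if (ctrl == "sufficient" && inc && u2f < inc) print "passwordless"
            else if (ctrl == "required" && inc && u2f > inc) print "2fa"
            else print "other"          # present, but neither layout above
        }' "$1"
}

# u2f_key_count FILE USER -> number of keys registered for USER.
# Assumption: pam-u2f mapping format, user:key1fields:key2fields...
u2f_key_count() {
    awk -F: -v u="$2" '$1 == u { n += NF - 1 } END { print n + 0 }' "$1"
}

# Constructed sample input (not copied from a real system).
demo=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_u2f.so' \
    '@include common-auth' '@include common-account' > "$demo/sudo"
printf '%s\n' \
    'alice:HANDLE1,PUBKEY1,es256,+presence:HANDLE2,PUBKEY2,es256,+presence' \
    > "$demo/u2f_keys"
echo "mode: $(pam_u2f_mode "$demo/sudo")"
echo "keys for alice: $(u2f_key_count "$demo/u2f_keys" alice)"
rm -rf "$demo"
```

On a real machine, call pam_u2f_mode /etc/pam.d/sudo and u2f_key_count ~/.config/Yubico/u2f_keys "$USER"; a count of 1 means no backup key is registered yet.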
