
Going Passwordless with u2f and Linux

Microsoft has been pushing to take Windows passwordless, which got me thinking, "Hey, I bet Linux could do that right now!" So I set off to make my Linux system passwordless (mostly), and this post shares the method I used. Some disclaimers: if you get some of these commands wrong you will lock yourself out of your system. The method below keeps a password fallback while you test, so a failing U2F key will not strand you, but be warned that the final passwordless system relies solely on the U2F key. If you break or lose it you lose access to your computer until you do some recovery work from a live USB (see the last section).


Background

To accomplish this we will leverage U2F (Universal 2nd Factor), a protocol developed by Yubico (the maker of the YubiKey) and Google and later standardized by the FIDO Alliance. It was designed to bring strong public-key cryptography to the mass market: the private key never leaves the device, and the device signs a per-login challenge, so there is no shared secret to phish or replay. You can read more on it here: https://www.yubico.com/solutions/fido-u2f/

From a user's perspective it works like this: you log in to a service, and where other methods would prompt you on your phone or send you a text message, you simply press the button on a physical USB key plugged into your computer.


Prerequisites

I have personally done this on GNOME 3 and KDE, but I'm pretty sure it will work on any DE and distro combination. If it does not work on your specific setup, sorry, but you should be able to google it.

You'll need the following

  1. a U2F key or two - any brand will do; I have personally had luck with both SoloKeys and YubiKeys
  2. a working Linux machine
  3. pam-u2f installed on your machine; the package name varies by distro (on Arch: sudo pacman -S pam-u2f)
  4. careful attention to detail

Step 1: building your key mappings

You will need a place to keep your mappings. Any path will do, but I opted for /etc/u2f_mappings, since you need root access to modify the file (keep it owned by root and not writable by anyone else; whoever can edit this file can enroll a key of their own). Open the file with your favorite text editor as root:

sudo nano /etc/u2f_mappings

Make sure the U2F key is inserted into a USB port and open another terminal. In the new terminal run the following command, replacing $user with your username:

pamu2fcfg -u $user

It will wait for you to touch the key and then print your username followed by a colon and a long credential string:

$user:RandomStringOfText

Copy the whole line, from your username onward, but ignore the % at the end if your shell prints one (zsh adds it when output ends without a newline; it is not part of the credential). Paste it into your text editor window and save the file, but don't close it yet (Ctrl+O in nano). If you have another key, plug it in now and run the command again; pamu2fcfg -n prints only the credential, without the username: prefix, which is exactly what you need to append. Put a : at the end of the current line and paste the new credential after it. It will look something like:

pyro:RandomStringsIPastedFromTheFirstKey:RandomStringsIPastedFromTheSecond

Repeat for as many keys as you have, then save the file.
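Building the mapping file by hand is where most lockouts start (a stray %, a missing colon, a key pasted onto the wrong user's line), so here is a small helper script, added here as an example and not part of the original post. It keeps the user:cred1:cred2 layout described above, strips the zsh % marker, rejects anything that is not pamu2fcfg output, and can count how many usable credentials a user has. The function names (u2f_add_mapping, u2f_count_mappings, u2f_enroll) are hypothetical; the only real tool it calls is pamu2fcfg with its -n (--nouser) flag.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Helpers for keeping a pam_u2f
# authfile in the  user:cred1:cred2  layout described above. The function
# names (u2f_add_mapping, u2f_count_mappings, u2f_enroll) are hypothetical.

# Append one credential string to $user's line in $file, creating the file
# or the line when needed. $cred is what `pamu2fcfg -n` prints: the part
# after "user:", i.e. comma-separated fields like keyhandle,publickey[,...].
u2f_add_mapping() {
  local file=$1 user=$2 cred=$3 tmp
  cred=${cred%\%}        # zsh appends a % when the output had no trailing newline
  [ -n "$cred" ] || { echo "u2f_add_mapping: empty credential" >&2; return 1; }
  # pamu2fcfg emits base64url text and commas; anything else is a paste error
  case $cred in
    *[!A-Za-z0-9_,=+-]*) echo "u2f_add_mapping: unexpected characters in credential" >&2; return 1 ;;
  esac
  [ -f "$file" ] || : > "$file"
  tmp=$(mktemp)
  # Extend the user's existing line with ":cred", or add a new line at the end.
  awk -F: -v u="$user" -v c="$cred" '
    $1 == u { $0 = $0 ":" c; found = 1 }
    { print }
    END { if (!found) print u ":" c }' "$file" > "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"   # rewrite in place so owner and mode survive
}

# Print how many well-formed credentials (at least keyhandle,publickey) $user has.
u2f_count_mappings() {
  local file=$1 user=$2
  awk -F: -v u="$user" '
    $1 == u { for (i = 2; i <= NF; i++) if (split($i, f, ",") >= 2) n++ }
    END { print n + 0 }' "$file"
}

# Enroll the key that is plugged in right now. pamu2fcfg waits for a touch and
# prints the credential; -n (--nouser) omits the "user:" prefix.
u2f_enroll() {
  local file=$1 user=$2 cred
  cred=$(pamu2fcfg -n) || return 1
  u2f_add_mapping "$file" "$user" "$cred"
}

# Usage: sudo ./u2f_mappings.sh /etc/u2f_mappings "$USER"   (run once per key)
if [ $# -eq 2 ]; then
  u2f_enroll "$1" "$2" && echo "$2 now has $(u2f_count_mappings "$1" "$2") key(s) in $1"
fi
```

Run it once per key with the key plugged in; after the last run, u2f_count_mappings should report the number of keys you enrolled, and the file should still be root-owned because it is rewritten in place rather than replaced.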


Step 2: Edit your PAM

Your PAM (Pluggable Authentication Modules) configuration files are located at

/etc/pam.d/

The one we are interested in (because nearly every kind of auth on the system includes it) is system-auth on Arch and Fedora; Debian-based distros split the same role into common-auth and friends. Go ahead and edit this file.

sudo nano /etc/pam.d/system-auth

There should be an auth section with a bunch of auth statements. At the top of that section add the line

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

Notice we are using sufficient instead of required. With sufficient, a successful touch ends the stack right there, and if the key or the mapping file is wrong PAM falls through to the pam_unix line, so we can still use our password for now. Leave a root shell open in another terminal while you test so you can revert the file without a live USB.

Reboot if you haven't since you installed pam-u2f. When your machine comes back up, try to log in using just the U2F key; the cue option makes it prompt you to press or touch the key.

If that didn't work, make sure the u2f_mappings file is 100% correct; remake it if you have to. Once it is all working you can go back into /etc/pam.d/system-auth, change the sufficient to required, and delete the

auth required pam_unix.so try_first_pass nullok

line. Keep in mind that every service whose PAM stack includes system-auth (on Arch that covers console login, the display manager, sudo and the screen locker) loses password authentication at that moment, so confirm the key works for all of them before you remove it.

Repeat the testing process to make sure logging into your system still works, and boom, you've taken Linux passwordless. Congratulations! Note that pam_u2f talks to the key over USB on the machine running PAM, so it cannot see a key plugged into your SSH client; you will not be able to do this with SSH. However, I think Yubikey has a method to work with SSH, but I have not set that up yet, so I didn't feel comfortable adding it here.
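Because the switch from sufficient to required plus the deletion of the pam_unix line is the moment you can lock yourself out, it helps to have a script tell you what the auth stack currently allows. The following is an added example, not from the original post: a small linter that reports the control value on the pam_u2f line, whether pam_u2f runs before pam_unix (it must, or the password prompt comes first), and whether a password fallback still exists. u2f_pam_lint and the two write_stage* helpers are hypothetical names, and the two stacks they write are constructed from the lines quoted above, not copied from any distro's real system-auth.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Lints the auth part of a PAM
# stack so you can see, before switching sufficient to required and deleting
# pam_unix, whether a password fallback still exists. u2f_pam_lint and the
# two write_stage* helpers are hypothetical names; the stacks they write are
# constructed from the lines quoted in the post, not copied from any distro.

# Print one summary line for the auth stack in $1:
#   u2f=<control|missing> order=<ok|after-unix|n/a> fallback=<yes|no>
# "order" says whether pam_u2f runs before pam_unix; "fallback" says whether
# a pam_unix auth line is still there to accept a password.
u2f_pam_lint() {
  awk '
    /^[ \t]*#/ || $1 != "auth" { next }      # only uncommented auth lines count
    {
      n++
      rest = $0; sub(/^[ \t]*auth[ \t]+/, "", rest)
      # the control field is one word or a bracketed list like [success=1 default=bad]
      if (rest ~ /^\[/) ctl = substr(rest, 1, index(rest, "]"))
      else { split(rest, f, /[ \t]+/); ctl = f[1] }
      if ($0 ~ /pam_u2f\.so/)  { u2f_ctl = ctl; u2f_pos = n }
      if ($0 ~ /pam_unix\.so/) { unix_pos = n }
    }
    END {
      if (!u2f_pos) u2f_ctl = "missing"
      order = (!u2f_pos || !unix_pos) ? "n/a" : (u2f_pos < unix_pos ? "ok" : "after-unix")
      printf "u2f=%s order=%s fallback=%s\n", u2f_ctl, order, (unix_pos ? "yes" : "no")
    }' "$1"
}

# Stage 1 from the post: pam_u2f is sufficient and pam_unix is still present,
# so a password works if the key does not.
write_stage1() {
  cat > "$1" <<'EOF'
#%PAM-1.0
auth      sufficient  pam_u2f.so   authfile=/etc/u2f_mappings cue
auth      required    pam_unix.so  try_first_pass nullok
auth      optional    pam_permit.so
auth      required    pam_env.so
account   required    pam_unix.so
EOF
}

# Stage 2 from the post: pam_u2f is required and the pam_unix auth line is
# gone, so the key is the only way in.
write_stage2() {
  cat > "$1" <<'EOF'
#%PAM-1.0
auth      required    pam_u2f.so   authfile=/etc/u2f_mappings cue
auth      optional    pam_permit.so
auth      required    pam_env.so
account   required    pam_unix.so
EOF
}

# Usage: ./u2f_pam_lint.sh /etc/pam.d/system-auth
if [ $# -eq 1 ]; then
  u2f_pam_lint "$1"
fi
```

Run it against the real file before and after the edit: stage 1 should read u2f=sufficient order=ok fallback=yes, and the final state u2f=required order=n/a fallback=no. If it ever reports order=after-unix, the pam_u2f line landed below pam_unix and you will be asked for a password before the key.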


HELP I've LOCKED MYSELF OUT

If you're on Arch you're in luck. Boot an Arch install USB, mount your root file system, and edit /etc/pam.d/system-auth back to normal (put the pam_unix line back, or simply remove the pam_u2f line). Other distros should be able to do the same thing from their live media, but I haven't tried it on those yet.