We currently live in a world where passwords alone are no longer considered secure for many organizations, projects and critical online services. Instead, we now rely on various Two Factor Authentication (2FA) methods to help prevent bad-actors from using an illegitimately obtained, guessed or bypassed password. They can also be used to generate private keys that live on the device, away from prying eyes.<\/p>\n\n\n\n
In this guide you will learn how to setup your hardware key, use it to generate SSH keys and how to use it as an optional login method for your desktop.<\/p>\n\n\n\n
Choosing a device<\/em><\/p>\n\n\n\n Any FIDO2 compatible hardware key will work. You can use one with just a button, one with biometrics or one that isn’t interactive at all. For this guide, I will be using the Thetis USB A with a button and NFC. So far, Thetis has been a quality device and costs a fraction of what a Yubi key costs. I picked mine up for $24 USD.<\/p>\n\n\n\n Installing Packages<\/em><\/p>\n\n\n\n Now that we have our device in hand, we will need to download the Universal 2 Factor module for PAM.<\/p>\n\n\n\n If you are also using a Thetis key, you will need the following udev rule. It is not needed for other keys, but your key might need the same or similar. You will need to research it to find out. Enter the following command and reboot.<\/p>\n\n\n\n Step 3<\/p>\n\n\n\n Registering the key<\/em><\/p>\n\n\n\n It is very important to follow this step AS THE USER THAT WILL AUTHENTICATE WITH THIS KEY<\/p>\n\n\n\n Plug your device in and run the following commands to generate and move the key configuration. Make sure to do this in two steps to preserve ownership of the keys.<\/p>\n\n\n\n Step 4<\/p>\n\n\n\n Configuring sudo access<\/em><\/p>\n\n\n\n Now, in order to use our key for sudo access, we will need to edit the PAM sudo config. This will allow us to use our key in place of our password, but also retain the ability to use our password if the key is missing or broken.<\/p>\n\n\n\n Add the following line to \/etc\/pam.d\/sudo<\/strong>, just above @include common-auth<\/strong><\/p>\n\n\n\n Finalize Setup<\/em><\/p>\n\n\n\n Finally, if we want to be able to use this to login, then we will need to edit the login config.<\/p>\n\n\n\n Add the following line to \/etc\/pam.d\/gdm-password<\/strong>, again just above @include common-auth<\/strong><\/p>\n\n\n\nStep 2<\/h1>\n\n\n\n
Ubuntu<\/h2>\n\n\n\n
apt install libpam-u2f<\/code><\/pre>\n\n\n\nArch<\/h2>\n\n\n\n
pacman -S pam-u2f<\/code><\/pre>\n\n\n\necho 'KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", MODE=\"0664\", GROUP=\"plugdev\"' | sudo tee \/etc\/udev\/rules.d\/thetisu2f.rules<\/code><\/pre>\n\n\n\npamu2fcfg > \/tmp\/u2f_keys\nsudo mv \/tmp\/u2f_keys \/etc\/u2f_keys<\/code><\/pre>\n\n\n\nauth sufficient pam_u2f.so cue authfile=\/etc\/u2f_keys<\/code><\/pre>\n\n\n\nStep 5<\/h1>\n\n\n\n
auth sufficient pam_u2f.so cue authfile=\/etc\/u2f_keys<\/code><\/pre>\n\n\n\n