gear:yubi

Differences

This shows you the differences between two versions of the page.

gear:yubi [2024/08/06 05:47] – external edit 127.0.0.1
gear:yubi [2024/09/28 09:54] (current) – [Two-Factor Sudo] Humphrey Boa-Gart
Line 11: Line 11:
 ===== Advanced Magick ===== ===== Advanced Magick =====
  
-There are all sorts of [[https://www.yubico.com/support/download/|other official tools]] for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.+There are all sorts of [[https://www.yubico.com/support/download/|official tools]] for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.
  
 ==== Two-Factor Sudo ==== ==== Two-Factor Sudo ====
  
-In **Linux**, you can use Yubi authentication in place of password authentication on the ''sudo'' command (and others).+In **Linux**, you can use Yubi passwordless authentication on the ''sudo'' and ''su'' commands //(and others)//. You can also use it in 2FA mode, where you will be required to enter your password **and** touch your YubikeyInstructions for both are outlined below:
  
-  fill in later+== Install Dependencies == 
 + 
 +First, make sure the prerequisite PAM packages are installed. On Debian/Ubuntu you can grab them all with apt. You may need to hunt them down yourself on other distros. 
 + 
 +  $ sudo apt install libpam-u2f libpam-yubico pamu2fcfg 
 + 
 +== Setup == 
 + 
 +  - Plug-in Yubikey and run ''mkdir ~/.config/Yubico'' 
 +  - Type ''pamu2fcfg > ~/.config/Yubico/u2f_keys'' to add your Yubikey to the list of accepted Yubikeys 
 +    * //(optional)// Register additional keys with: ''pamu2fcfg -n >> ~/.config/Yubico/u2f_keys'' 
 +  - Open the PAM sudo config: ''sudo nano /etc/pam.d/sudo'' 
 +    * **For passwordless sudo:** Add ''auth sufficient pam_u2f.so cue [cue_prompt=Tap key to continue...]'' //before// ''@include common-auth'' 
 +    * **OR for 2FA sudo:** Add ''auth required pam_u2f.so cue [cue_prompt=Tap key to continue...]'' //after// ''@include common-auth'' 
 +  - Save file **//and do not close nano!//** 
 +  - Confirm the changes work by running ''sudo echo SUCCESS'' in a second terminal window. If it works, you can close nano. If it doesn't work, you did something wrong - Revert your changes to pam.d/sudo and try again. 
 + 
 +You can make these same changes to other PAM configuration files while you are at it. Repeat **Step 3** on ''/etc/pam.d/su'' and ''/etc/pam.d/sudo-i'' to enable Yubikey authentication on those commands as well!
  
  
 {{tag>Gear Security}} {{tag>Gear Security}}
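
Review bot: In the Setup list, step 2 writes the key registrations to ''~/.config/Yubico/u2f_keys'', a file the user owns, and the ''auth required pam_u2f.so'' line in step 3 reads it from that default location, so in 2FA mode the enrollment of the second factor is not protected from the account it is meant to protect. Suggest keeping the mapping in a root-owned file and pointing the module at it with pam_u2f's ''authfile='' option, and saying so in step 3. Also in step 3, the ''sufficient'' variant should state that a touch alone then grants root and that the password prompt from ''@include common-auth'' is still reached when the key check fails, so this mode swaps a factor rather than adding one. Step 5's check, ''sudo echo SUCCESS'', only exercises ''/etc/pam.d/sudo''; the closing paragraph that repeats step 3 on ''/etc/pam.d/su'' and ''/etc/pam.d/sudo-i'' needs its own test for each file, with the same "keep the editor open" precaution. The install line pulls in ''libpam-yubico'', but nothing in the added configuration references it; only ''pam_u2f.so'' is used. Minor: ''mkdir ~/.config/Yubico'' fails when ''~/.config'' does not exist (''mkdir -p'' avoids that), re-running step 2 with ''>'' overwrites keys added in the optional sub-step, and the new intro line runs two sentences together at "YubikeyInstructions".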
gear/yubi.1722923272.txt.gz · Last modified: by 127.0.0.1

Find this page online at: https://bestpoint.institute/gear/yubi