gear:yubi

Differences

This shows you the differences between two versions of the page.

gear:yubi [2024/09/28 09:29] Humphrey Boa-Gart
gear:yubi [2024/09/28 09:54] (current) – [Two-Factor Sudo] Humphrey Boa-Gart
Line 11: Line 11:
 ===== Advanced Magick ===== ===== Advanced Magick =====
  
-There are all sorts of [[https://www.yubico.com/support/download/|other official tools]] for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.+There are all sorts of [[https://www.yubico.com/support/download/|official tools]] for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.
  
 ==== Two-Factor Sudo ==== ==== Two-Factor Sudo ====
Line 21: Line 21:
 First, make sure the prerequisite PAM packages are installed. On Debian/Ubuntu you can grab them all with apt. You may need to hunt them down yourself on other distros. First, make sure the prerequisite PAM packages are installed. On Debian/Ubuntu you can grab them all with apt. You may need to hunt them down yourself on other distros.
  
-  $ apt install libpam-u2f libpam-yubico+  $ sudo apt install libpam-u2f libpam-yubico pamu2fcfg
  
 == Setup == == Setup ==
  
-  - Plug-in yubikey and type ''mkdir ~/.config/Yubico''+  - Plug-in Yubikey and run ''mkdir ~/.config/Yubico''
   - Type ''pamu2fcfg > ~/.config/Yubico/u2f_keys'' to add your Yubikey to the list of accepted Yubikeys   - Type ''pamu2fcfg > ~/.config/Yubico/u2f_keys'' to add your Yubikey to the list of accepted Yubikeys
-  - Open the PAM sudo config in a text-editor ''nano /etc/pam.d/sudo'' +    * //(optional)// Register additional keys with: ''pamu2fcfg -n >> ~/.config/Yubico/u2f_keys'' 
-    * **For passwordless sudo:** Add ''auth sufficient pam_u2f.so'' //before// ''@include common-auth'' +  - Open the PAM sudo config''sudo nano /etc/pam.d/sudo'' 
-    * **OR for 2FA sudo:** Add ''auth required pam_u2f.so'' //after// ''@include common-auth''+    * **For passwordless sudo:** Add ''auth sufficient pam_u2f.so cue [cue_prompt=Tap key to continue...]'' //before// ''@include common-auth'' 
 +    * **OR for 2FA sudo:** Add ''auth required pam_u2f.so cue [cue_prompt=Tap key to continue...]'' //after// ''@include common-auth''
   - Save file **//and do not close nano!//**   - Save file **//and do not close nano!//**
   - Confirm the changes work by running ''sudo echo SUCCESS'' in a second terminal window. If it works, you can close nano. If it doesn't work, you did something wrong - Revert your changes to pam.d/sudo and try again.   - Confirm the changes work by running ''sudo echo SUCCESS'' in a second terminal window. If it works, you can close nano. If it doesn't work, you did something wrong - Revert your changes to pam.d/sudo and try again.
  
-You can make these same changes to other configuration files in ''/etc/pam.d'' such as ''su'' and ''sudo-i'' - Give it a shot!+You can make these same changes to other PAM configuration files while you are at it. Repeat **Step 3** on ''/etc/pam.d/su'' and ''/etc/pam.d/sudo-i'' to enable Yubikey authentication on those commands as well! 
  
 {{tag>Gear Security}} {{tag>Gear Security}}
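
Review bot: The new closing paragraph tells readers to repeat Step 3 on ''/etc/pam.d/su'', but pam_u2f checks the key file of the account being authenticated, which for su is the target user (usually root) and not the caller, so the ''~/.config/Yubico/u2f_keys'' written in step 2 is not consulted there, and with ''auth required'' that can make su to root fail. Either state that the target account needs its own registered key, or point every stack at one root-owned mapping file with pam_u2f's ''authfile='' option (for example ''authfile=/etc/Yubico/u2f_keys''). The same option is worth recommending on the ''auth sufficient'' line in step 3: as written, the list of keys that can stand in for the password lives in a file the user's own processes can rewrite. The paragraph should also repeat the safety net from the last two setup steps (keep the editor open, test in a second terminal) for each extra file. Minor: the install line adds ''libpam-yubico'' although every step uses ''pam_u2f.so'' only, and step 3 is missing a separator between "config" and ''sudo nano /etc/pam.d/sudo''.
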
gear/yubi.1727515765.txt.gz · Last modified: by Humphrey Boa-Gart

Find this page online at: https://bestpoint.institute/gear/yubi