Nitrokey 3: Login

Previous posts:

Now, what about using the U2F capabilities of the Nitrokey 3 to add it as a second factor of authentication? So, to log in to your computer, you will have to enter your username and password, have the key plugged in and touch it.

The official Nitrokey documentation covers desktop login well enough.

Touch to sudo

Given that adding a security token as a 2FA may lock me out of my computer, I wanted to try it first on the sudo command. How is it related to desktop login? Both use PAM for authentication and the Nitrokey will be configured in PAM.

Usually sudo asks for the user password then will not ask for it again for 20 minutes or so. What I want is to have to touch the Nitrokey instead, and have to touch it each time sudo is called.

PAM requires an extra plugin implementing U2F, install it with sudo apt install libpam-u2f.

The following command creates a file with PAM configuration for the current user (you will have to touch the key):

pamu2fcfg | sudo tee -a /etc/u2f-keys

If you want to configure multiple keys, then run this command; it will append the new key information to the previous one:

pamu2fcfg -n | sudo tee -a /etc/u2f-keys

The generated file should contain one line per user formatted that way: the username, then a colon and the key information for each key (username:key-information-1:key-information-2). Use pamu2fcfg -u username to specify another user account if needed. Or just edit the file manually.
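Before pointing PAM at the file, it is worth checking that every line really has the shape described above. The following shell check is an added example, not part of the original post or of pam_u2f; it assumes GNU stat(1) and that each key entry carries at least a key handle and a public key separated by a comma.

```shell
# Added example: sanity-check a pam_u2f authfile such as /etc/u2f-keys.
# Expected format, one line per user:  username:key-info-1:key-info-2
# where each key-info is at least "keyhandle,publickey" (assumption).

# Print the number of keys registered for USER in FILE (0 if absent).
count_u2f_keys() {
    file="$1" user="$2"
    line=$(grep -- "^$user:" "$file" | head -n 1)
    [ -n "$line" ] || { echo 0; return; }
    keys="${line#*:}"
    printf '%s\n' "$keys" | awk -F: '{print NF}'   # colon-separated fields
}

# Return 0 when every non-empty line is well formed, 1 otherwise.
check_u2f_authfile() {
    file="$1" rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        user="${line%%:*}"
        keys="${line#*:}"
        # no username, no colon at all, or nothing after the username
        if [ -z "$user" ] || [ "$keys" = "$line" ] || [ -z "$keys" ]; then
            echo "$file:$n: expected username:key-info[:key-info...]" >&2
            rc=1; continue
        fi
        # empty key field (double or trailing colon)
        case "$keys" in *::*|*:) echo "$file:$n: empty key field" >&2; rc=1 ;; esac
        # every key-info must contain at least "keyhandle,publickey"
        oldifs=$IFS; IFS=:
        for k in $keys; do
            case "$k" in
                *,*) ;;
                *) echo "$file:$n: malformed key info for $user" >&2; rc=1 ;;
            esac
        done
        IFS=$oldifs
    done < "$file"
    return $rc
}

# Return 0 unless the file is group- or world-writable: a writable authfile
# would let any local user register a key for any account.
check_u2f_authfile_perms() {
    perms=$(stat -c %a "$1") || return 1
    case "$perms" in
        *[2367][0-7]|*[2367])
            echo "$1: mode $perms is group/world writable" >&2; return 1 ;;
    esac
    return 0
}
```

Run check_u2f_authfile /etc/u2f-keys and check_u2f_authfile_perms /etc/u2f-keys after each pamu2fcfg append; a non-zero exit means the line PAM would parse is not what you think it is.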

Before continuing, make sure to have a root terminal open in case things go awry. Now, to configure PAM for sudo, add the following line at the beginning of /etc/pam.d/sudo:

auth sufficient pam_u2f.so authfile=/etc/u2f-keys cue nouserok

Where:

From what I understand, PAM will try all the configured authentication rules in the order they are specified. If they are marked as:

So in the sudo case, having that rule first means that if the Nitrokey is not plugged in, it will ask for the user’s password. If the Nitrokey is plugged in and touched, the authentication succeeds and no password is asked.

In a new terminal, typing sudo ls with the key unplugged should ask for the password as usual. Doing it again with the key plugged in should ask to touch the key and execute the command when touched. But doing it a third time will execute the command directly, because of the sudo authentication cache.

So now we need to get rid of the authentication cache:

$ echo "Defaults:your-username timestamp_timeout=0" | sudo tee /etc/sudoers.d/99-your-username

Now sudo will ask for authentication each time it’s called.

Desktop login

Still, in order to be safe, it’s better to create a backup admin account beforehand. Worst case scenario, you will have to boot from a live CD (make sure you have one), mount your hard drive (don’t forget the encryption key) and change the config.

This time, edit /etc/pam.d/common-auth and add the following at the end:

# U2F keys
auth sufficient pam_u2f.so authfile=/etc/u2f-keys cue prompt nouserok

Log out then log in again, it will ask to touch the key after the password. Once happy with the configuration, replace sufficient with required to make U2F mandatory for users with a configured key.

Next steps:
