Nitrokey 3: Login

Now, what about using the U2F capabilities of the Nitrokey 3 to add it as a second factor of authentication? To log in to your computer, you would then have to enter your username and password, have the key plugged in and touch it.

The official Nitrokey documentation covers desktop login well enough.

Touch to sudo

Given that adding a security token as a second factor may lock me out of my computer, I wanted to try it first on the sudo command. How is that related to desktop login? Both use PAM for authentication, and the Nitrokey will be configured in PAM.

Usually sudo asks for the user password, then will not ask for it again for 20 minutes or so. What I want is to have to touch the Nitrokey instead, and to have to touch it each time sudo is called.

PAM requires an extra module implementing U2F; install it with sudo apt install libpam-u2f.

The following command registers the current user's key in the file that pam_u2f will read (you will have to touch the key):

pamu2fcfg | sudo tee -a /etc/u2f-keys

If you want to configure multiple keys, run this command instead; the -n option omits the username, so the new key information is appended to the previous entry:

pamu2fcfg -n | sudo tee -a /etc/u2f-keys

The generated file should contain one line per user, formatted as the username, a colon, then the information for each key, colon-separated (username:key-information-1:key-information-2). Use pamu2fcfg -u username to register a key for another user account if needed, or just edit the file manually.

Before continuing, make sure you have a root terminal open in case things go awry. Now, to configure PAM for sudo, add the following line at the beginning of /etc/pam.d/sudo:

auth sufficient pam_u2f.so authfile=/etc/u2f-keys cue nouserok

Where:

  • cue displays a message telling you to touch the key (in case you didn’t notice that the key is blinking)
  • nouserok, if you have multiple users on the computer, lets users without a registered key still authenticate normally

From what I understand, PAM tries all the configured authentication rules in the order they are specified. Depending on how they are marked:

  • required: failure of one of them fails the authentication, but PAM still evaluates all the remaining rules. I guess this is to not reveal what went wrong (wrong username or wrong password…). Also, from what I understand, some rules are not about authentication itself (logging the authentication attempt, for instance), so all rules need to be evaluated.
  • requisite: failure of one of them fails the authentication immediately; PAM does not evaluate the remaining rules. I guess this is for some specific cases.
  • sufficient: if a previous required rule has failed, its success is ignored. If this rule fails, it’s ignored. If it succeeds and nothing before it failed, the authentication succeeds immediately and PAM does not evaluate the remaining rules.

So in the sudo case, having that rule first means that if the Nitrokey is not plugged in, sudo will ask for the user’s password. If the Nitrokey is plugged in and touched, the authentication succeeds and no password is asked.
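To check that reasoning, here is an added example (my own code, not the post's and not Linux-PAM's): a small Python model of how an auth stack is walked with the required, requisite and sufficient flags, replaying the sudo ordering above and the two common-auth orderings used for desktop login below. The module names and the reduction of the rest of each pam.d file to a single pam_unix password entry are assumptions.

```python
# Added example, not from the post nor Linux-PAM: a model of an "auth" stack walk.
# Module results are supplied by hand: True stands for PAM_SUCCESS, False for failure.

# Assumed stack of /etc/pam.d/sudo once the pam_u2f line is prepended; the password
# check pulled in by the rest of the file is reduced to one "required" entry.
SUDO_STACK = [("sufficient", "pam_u2f"), ("required", "pam_unix")]
# Assumed common-auth stacks with the pam_u2f line appended after the password check.
LOGIN_STACK_OPTIONAL = [("required", "pam_unix"), ("sufficient", "pam_u2f")]
LOGIN_STACK_MANDATORY = [("required", "pam_unix"), ("required", "pam_u2f")]


def run_auth_stack(stack, outcomes):
    """Walk stack (list of (control, module)) in file order.

    outcomes maps module name -> True/False. Returns (authenticated, invoked), where
    invoked lists the modules actually called, i.e. whether a password was asked.
    """
    invoked = []
    impression = None  # None: undecided; True: success so far; False: a required/requisite failed
    for control, module in stack:
        invoked.append(module)
        ok = outcomes[module]
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False
                if control == "requisite":
                    break  # stop evaluating right away, the result is failure
        elif control == "sufficient":
            if ok and impression is not False:
                return True, invoked  # short-circuit: later modules (password) never run
            # a failing sufficient module is ignored, and an earlier required failure
            # cancels its success; either way the walk continues
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return impression is True, invoked


def scenarios():
    """Replay every combination of key touched / password correct on the three stacks."""
    results = {}
    for name, stack in (("sudo", SUDO_STACK), ("login-sufficient", LOGIN_STACK_OPTIONAL),
                        ("login-required", LOGIN_STACK_MANDATORY)):
        for touched in (True, False):
            for password_ok in (True, False):
                results[(name, touched, password_ok)] = run_auth_stack(
                    stack, {"pam_u2f": touched, "pam_unix": password_ok})
    return results


if __name__ == "__main__":
    for key, (authenticated, invoked) in scenarios().items():
        print(f"{key}: authenticated={authenticated}, modules run={invoked}")
```

Note that in the login-sufficient case a touched key never rescues a wrong password, which is why the post's common-auth line is safe to test with sufficient before switching to required.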

In a new terminal, typing sudo ls with the key unplugged should ask for the password as usual. Doing it again with the key plugged in should ask you to touch the key and run the command once touched. But running it again right away executes the command directly, because of sudo's authentication cache.

So now we need to get rid of the authentication cache:

$ echo "Defaults:your-username timestamp_timeout=0" | sudo tee /etc/sudoers.d/99-your-username

Now sudo will ask for authentication each time it’s called.

Desktop login

Still, to be safe, it’s better to create a backup admin account beforehand. Worst case scenario, you will have to boot from a live CD (make sure you have one), mount your hard drive (don’t forget the encryption key) and fix the configuration.

This time, edit /etc/pam.d/common-auth and add a similar line at the end (note the extra prompt option):

# U2F keys
auth sufficient pam_u2f.so authfile=/etc/u2f-keys cue prompt nouserok

Log out and log in again: it will ask you to touch the key after the password. Once happy with the configuration, replace sufficient with required to make U2F mandatory for users with a configured key.
