Secure Your Fedora System with Smart Card U2F Authentication

In today's digital world, securing our systems is more important than ever. One effective way to enhance your system's security is by using a YubiKey for U2F (Universal 2nd Factor) authentication. This guide will walk you through setting up smart card U2F authentication on a Fedora system. It's easier than you might think!

Step 1: Install the U2F Packages

First, you'll need to install the necessary U2F packages. Open your terminal and run the following command:

sudo dnf install pam-u2f pamu2fcfg

Note: If your system can't find the YubiKey as a U2F device, you may need to download an additional udev rule. You can do this by running:

sudo wget https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules -O /etc/udev/rules.d/70-u2f.rules

Step 2: Create PAM Configuration Files

Next, you'll create two PAM configuration files: u2f-required and u2f-sufficient. These files will help manage the authentication process.

Create the u2f-required file:

sudo nano /etc/pam.d/u2f-required

Add the following content:

#%PAM-1.0
auth required pam_u2f.so

Now, create the u2f-sufficient file:

sudo nano /etc/pam.d/u2f-sufficient

Add the following content:

#%PAM-1.0
auth sufficient pam_u2f.so

Note: If you move the u2f_keys file created in Step 3 to /etc/Yubico/u2f_keys, append the authfile option with that path to the pam_u2f.so line, like so:

auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys

Step 3: Configure User Authentication

To retrieve a configuration line for your YubiKey, use the pamu2fcfg tool. This line will go into your ~/.config/Yubico/u2f_keys file. Run the following commands:

mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys

If you have a backup key, register it with the -n (--nouser) option and append its output to the existing line for your user:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

Step 4: Integrate YubiKey Authentication with PAM

There are several PAM configuration files where you can integrate YubiKey authentication. Some common use cases include:

  • /etc/pam.d/login
  • /etc/pam.d/gdm-password
  • /etc/pam.d/lightdm
  • /etc/pam.d/sudo
  • /etc/pam.d/sudo-i
  • /etc/pam.d/sshd (non-u2f using `pam-yubico`)
  • /etc/pam.d/runuser
  • /etc/pam.d/runuser-l
  • /etc/pam.d/su
  • /etc/pam.d/su-l

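Update the necessary files in /etc/pam.d to add YubiKey authentication. Keep a root shell open in a second terminal while you test each change, so that a mistake in the PAM stack cannot lock you out, and confirm that authentication without the key behaves as you intend: include pulls the other file's lines into the current stack, so a sufficient module that succeeds earlier ends authentication before later lines run.

To ask for the YubiKey in addition to system-auth, add u2f-required after it:

auth include system-auth
auth include u2f-required

or, to let the YubiKey alone authenticate you and fall back to system-auth when no key is presented, add u2f-sufficient before it: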

auth include u2f-sufficient
auth include system-auth
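
Before relying on the u2f_keys file from Step 3, it is worth checking that the backup key really ended up on the same line as the primary key and that nobody else can write to the file. The script below is an added example, not part of the original guide; it assumes the pam_u2f mapping layout user:keyhandle,pubkey,...[:keyhandle,pubkey,...], and the function names and sample values are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint a pam_u2f key mapping file before trusting it in PAM.
# Assumed layout per line: user:keyhandle,pubkey[,type,options][:keyhandle,pubkey...]

# check_u2f_keys FILE -> prints findings; returns 0 clean, 1 findings, 2 unreadable
check_u2f_keys() {
    local file=$1 out
    [ -r "$file" ] || { echo "unreadable: $file"; return 2; }
    # A group- or world-writable mapping lets another account enrol its own key.
    out=$(
        [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ] &&
            echo "perms: file is group- or world-writable"
        awk -F: '
            NF == 0 { next }    # blank line
            $1 == "" {          # left behind when "pamu2fcfg -n >>" follows a newline
                printf "line %d: credential without a username\n", NR; next
            }
            {
                good = 0
                for (i = 2; i <= NF; i++) {
                    # each credential needs a non-empty key handle and public key
                    if (split($i, p, ",") >= 2 && p[1] != "" && p[2] != "") good++
                    else printf "line %d: malformed credential %d for %s\n", NR, i - 1, $1
                }
                if (good == 0) printf "line %d: no usable credential for %s\n", NR, $1
                if (seen[$1]++) printf "line %d: second line for %s\n", NR, $1
            }' "$file"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: a primary key, then a backup key that landed on its own line.
demo_u2f_keys() {
    local tmp rc=0
    tmp=$(mktemp) || return 2
    printf 'alice:KH1,PK1,es256,+presence\n:KH2,PK2,es256,+presence\n' > "$tmp"
    check_u2f_keys "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Check the file given as the first argument, or run the constructed sample.
if [ "$#" -gt 0 ]; then check_u2f_keys "$1"; else demo_u2f_keys; fi || true
```

Run it with the path to your own u2f_keys file as the first argument; an empty result with exit status 0 means no findings.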

Give these steps a try, and feel free to ask if you encounter any issues along the way! 😃