Secure Your Fedora System with Smart Card U2F Authentication
In today's digital world, securing our systems is more important than ever. One effective way to enhance your system's security is by using a YubiKey for U2F (Universal 2nd Factor) authentication. This guide will walk you through setting up smart card U2F authentication on a Fedora system. It's easier than you might think!
Step 1: Install the U2F Packages
First, you'll need to install the necessary U2F packages. Open your terminal and run the following command:
sudo dnf install pam-u2f pamu2fcfg
Note: If your system can't find the YubiKey as a U2F device, you may need to download an additional udev rule. You can do this by running:
sudo wget https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules -O /etc/udev/rules.d/70-u2f.rules
Step 2: Create PAM Configuration Files
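Next, you'll create two PAM configuration files: `u2f-required` and `u2f-sufficient`. With `required`, the U2F check must succeed in addition to the other modules in the stack; with `sufficient`, a successful U2F check is enough on its own to satisfy authentication.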
Create the `u2f-required` file:
sudo nano /etc/pam.d/u2f-required
Add the following content:
#%PAM-1.0
auth required pam_u2f.so
Now, create the `u2f-sufficient` file:
sudo nano /etc/pam.d/u2f-sufficient
Add the following content:
#%PAM-1.0
auth sufficient pam_u2f.so
Note: If you've moved the `u2f_keys` file to `/etc/Yubico/u2f_keys` as mentioned in the next steps, you'll need to append `authfile` and the path to the PAM configuration, like so:
auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys
Step 3: Configure User Authentication
To retrieve a configuration line for your YubiKey, use the `pamu2fcfg` tool. This line will go into your `~/.config/Yubico/u2f_keys` file. Run the following commands:
```bash
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
```
If you have a backup key, register it using the `--nouser` (`-n`) option and append its output to the existing key line:
```bash
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
```
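Before wiring the key into PAM in Step 4, it helps to check what Step 3 actually wrote. The following is an added example, not part of the original guide: a bash function that audits a pam_u2f authfile, assuming the `user:keyHandle,publicKey[,...]` line layout that `pamu2fcfg` writes. The function name, status labels and sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit a pam_u2f authfile. Assumed line layout (as written by pamu2fcfg):
#   user:keyHandle,publicKey[,more fields][:keyHandle,publicKey...]
# Prints "user<TAB>key-count<TAB>status"; returns 1 if any entry needs review.
audit_u2f_keys() {
    local file=$1 rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Columns 6 and 9 of the ls mode string are the group/other write bits.
    # A file others can write lets another account add its own key.
    case $(ls -ld "$file" | cut -c6,9) in
        --) ;;
        *) printf '%s\t-\tWRITABLE_BY_OTHERS\n' "$file"; rc=1 ;;
    esac
    awk -F: '
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            status = "OK"; keys = NF - 1
            if ($1 == "" || keys < 1) status = "MALFORMED"
            for (i = 2; i <= NF; i++) {          # each key needs handle + public key
                n = split($i, part, ",")
                if (n < 2 || part[1] == "" || part[2] == "") status = "MALFORMED"
            }
            if (status == "OK" && seen[$1]++) status = "DUPLICATE_USER"
            if (status == "OK" && keys == 1)  status = "NO_BACKUP_KEY"
            printf "%s\t%d\t%s\n", $1, keys, status
            if (status != "OK") bad = 1
        }
        END { exit bad + 0 }
    ' "$file" || rc=1
    return $rc
}

# Constructed sample: placeholder strings, not real key registrations.
sample=$(mktemp)
chmod 600 "$sample"
cat > "$sample" <<'EOF'
alice:KH_A1,PK_A1,es256,+presence:KH_A2,PK_A2,es256,+presence
bob:KH_B1,PK_B1
carol:KH_C1
EOF
audit_u2f_keys "$sample" || echo "review the entries flagged above"
```

Point the function at `~/.config/Yubico/u2f_keys` or `/etc/Yubico/u2f_keys` after registering your keys.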
Step 4: Integrate YubiKey Authentication with PAM
There are several PAM configuration files where you can integrate YubiKey authentication. Some common use cases include:
- /etc/pam.d/login
- /etc/pam.d/gdm-password
- /etc/pam.d/lightdm
- /etc/pam.d/sudo
- /etc/pam.d/sudo-i
- /etc/pam.d/sshd (non-u2f using `pam-yubico`)
- /etc/pam.d/runuser
- /etc/pam.d/runuser-l
- /etc/pam.d/su
- /etc/pam.d/su-l
Update the necessary files in `/etc/pam.d` to add YubiKey authentication:
auth include system-auth
auth include u2f-required
or
auth include u2f-sufficient
auth include system-auth
Give these steps a try, and feel free to ask if you encounter any issues along the way! 😃