pam-u2f

With a FIDO2 stick like the Solo V2 it is possible under Linux to log in by just entering a PIN and tapping the stick. This is made possible by pam-u2f, the Pluggable Authentication Module (PAM) for Universal Second Factor (U2F) devices, which since version 1.1.0 speaks FIDO2 and can request the token's PIN during authentication (the pinverification option used below). The PIN is verified by the token itself, so the login combines possession of the stick with knowledge of its PIN and never involves the account password.

The official Fedora pam-u2f package has unfortunately not been updated for a long time and is still on version 1.0.8. Therefore I am providing a current version of the package here.

For installation, first enable the Copr repository; the module and the registration tool can then be installed from it (pam-u2f is the PAM module itself, pamu2fcfg the tool that registers keys):

sudo dnf copr enable drrdietrich/pam-u2f
sudo dnf --refresh install pam-u2f pamu2fcfg

Keys are registered with pamu2fcfg. Run it as the user who is being registered, because it records the invoking user name in the mapping line; the central file /etc/u2f_mappings is root-owned, so append to it through sudo tee rather than a shell redirection, which the unprivileged shell would perform and which would fail:

pamu2fcfg | sudo tee -a /etc/u2f_mappings

If the token has a PIN set, pamu2fcfg asks for it and for a touch during registration. The mapping file must stay writable by root only; otherwise any user could add a credential for another account.

The PAM configurations can then be adjusted, e.g. /etc/pam.d/gdm-password for the graphical login and /etc/pam.d/sudo. Keep a root shell open while editing: a mistake in these files can lock you out until it is corrected.

sudo vim /etc/pam.d/gdm-password

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1
auth  optional  pam_exec.so expose_authtok /etc/pam_scripts/pam.sh
auth  substack  password-auth
auth  optional  pam_gnome_keyring.so
auth  include   postlogin

account     required      pam_nologin.so
[...]

The pam_u2f line sits in front of the password stack. Because it is sufficient, a successful PIN and touch ends the auth stack immediately: none of the later auth modules run, so pam_gnome_keyring.so, which unlocks the login keyring with the password, is skipped and the keyring stays locked until it is unlocked manually. If the key authentication fails, the stack falls through to the usual password prompt in password-auth. cue makes the module print a prompt to touch the device, and pinverification=1 requests the PIN regardless of how the credential was registered.
sudo vim /etc/pam.d/sudo

#%PAM-1.0
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1
auth      include   system-auth
account   include   system-auth
password  include   system-auth
session   optional  pam_keyinit.so revoke
session   required  pam_limits.so
session   include   system-auth

Test the new sudo configuration from a second terminal with sudo -k followed by sudo -v before closing the shell you edited the file in. Users with no entry in /etc/u2f_mappings fail the pam_u2f step and continue to the password prompt via system-auth as before.

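As an added example, not code from the original post or from the pam-u2f project, the following POSIX shell helpers wrap the registration step with the root-owned central file in mind and audit an existing mapping file for users whose credentials were registered without PIN verification. Function names and the sample file are this example's own. It assumes the pam-u2f 1.1 line format user:KeyHandle,PublicKey,CoseType,Options, with two-field lines taken to be the older 1.0 format; the sample credentials are placeholders, not real key material, and the registration helper is defined but not run because it needs a physical token.

```shell
#!/bin/sh
# Added example; not code from the original post or the pam-u2f project.
# Assumed mapping format (pam-u2f >= 1.1):
#   user:KeyHandle,PublicKey,CoseType,Options[:KeyHandle,PublicKey,CoseType,Options]...
# Options is a list such as +presence+pin; a two-field line is taken to be the
# pre-1.1 U2F format. Function names and sample data are this example's own.

# Register the calling user's FIDO2 credential into the central file.
# pamu2fcfg runs as the user (it records the user name); the append needs
# root, so the output goes through sudo tee. -P marks the credential as
# requiring PIN verification. Needs a real token, so it is not invoked below.
u2f_register() {
    file="${1:-/etc/u2f_mappings}"
    pamu2fcfg -u "$(id -un)" -P | sudo tee -a "$file" >/dev/null
}

# Print "user cosetype pin=yes|no" for every credential in FILE.
# Returns 1 if any non-comment line does not fit the expected format.
u2f_audit() {
    file="$1"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        user="${line%%:*}"
        rest="${line#*:}"
        if [ -z "$user" ] || [ "$rest" = "$line" ] || [ -z "$rest" ]; then
            echo "malformed line (expected user:credential): $line" >&2
            rc=1
            continue
        fi
        # credentials are ':'-separated, fields inside one credential ','-separated
        printf '%s\n' "$rest" | tr ':' '\n' | while IFS= read -r cred; do
            ncommas=$(printf '%s' "$cred" | tr -cd ',' | wc -c | tr -d ' ')
            case "$ncommas" in
                1) echo "$user u2f-legacy pin=no" ;;          # old two-field line
                3)
                    r="${cred#*,}"; r="${r#*,}"               # drop key handle, public key
                    cose="${r%%,*}"; opts="${r#*,}"
                    case "$cose" in
                        es256|rs256|eddsa) ;;
                        *) echo "unknown COSE type '$cose' for $user" >&2; exit 1 ;;
                    esac
                    case "$opts" in *+pin*) pin=yes ;; *) pin=no ;; esac
                    echo "$user $cose pin=$pin"
                    ;;
                *) echo "malformed credential for $user: $cred" >&2; exit 1 ;;
            esac
        done || rc=1   # a failing subshell loop marks the file as bad
    done < "$file"
    return "$rc"
}

# Number of credentials registered for USER in FILE.
u2f_count_creds() {
    u2f_audit "$1" 2>/dev/null | awk -v u="$2" '$1 == u' | wc -l | tr -d ' '
}

# Users with at least one credential lacking +pin: only pinverification=1 in
# the PAM config forces a PIN for them, the credential itself does not.
u2f_users_without_pin() {
    u2f_audit "$1" 2>/dev/null | awk '$3 == "pin=no" { print $1 }' | sort -u
}

# Constructed sample file (placeholder key handles and public keys).
SAMPLE="$(mktemp)"
BAD="$(mktemp)"
trap 'rm -f "$SAMPLE" "$BAD"' EXIT
cat > "$SAMPLE" <<'EOF'
# central pam-u2f mapping file (constructed sample)
alice:KH-alice-1,PK-alice-1,es256,+presence+pin:KH-alice-2,PK-alice-2,es256,+presence+pin
bob:KH-bob-1,PK-bob-1,es256,+presence
dave:KH-dave-1,PK-dave-1
EOF
# three fields only: neither the old nor the new format
printf 'carol:KH-carol-1,PK-carol-1,es256\n' > "$BAD"

u2f_audit "$SAMPLE"
echo "without +pin: $(u2f_users_without_pin "$SAMPLE" | tr '\n' ' ')"
```

Run the audit against /etc/u2f_mappings before switching a host from pinverification=1 to pinverification=-1 (credential decides): every user listed by u2f_users_without_pin would then log in with touch only.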
Demo
