# Yubikey Two Factor Authentication on Arch Linux

### Goals:

* Lock the computer and kill any active terminal sessions when the Yubikey is removed.
* Require the Yubikey to be pressed when using `sudo` or `su`.
* Require the Yubikey for the initial system login and for screen unlocking.
* Use it to authenticate 1Password.

By 2FA I mean I want to have my Yubikey inserted into the computer, have to press it, and have to enter my user password to use these features.

### Autolock on Removal

I followed [this guide](http://allthesystems.com/2020/09/use-yubikey-to-lock-screen-and-close-terminal-sessions-when-removed/) to accomplish the auto-lock when the key is removed.

Summary:

* Insert the Yubikey
* `sudo udevadm monitor --environment --udev`
* Remove the Yubikey
* In the remove event that is printed, look for the `ID_MODEL=` value
* `sudo nano /etc/udev/rules.d/20-yubikey.rules`
* `sudo udevadm control --reload-rules && sudo udevadm trigger`
* paste in (udev only reads the new rule file after the reload command above has been run, so run it again once the file is saved):

```plaintext
ACTION=="remove", ENV{ID_MODEL}=="YubiKey_OTP+FIDO+CCID", RUN+="/home/nathan/.config/lockscreen.sh"
```

* `nano ~/.config/lockscreen.sh`
* paste in:

```sh
#!/usr/bin/sh
# This script is only suitable for a single-user machine: it locks every
# session of the first non-root user it finds and kills all non-root tty sessions.
# If you cannot unlock your screensaver / screen lock afterwards, check the
# permissions of your U2F key mappings; the screen lock runs with your user's
# permissions, not root's (udev runs this script as root).

# first non-root user that owns a "session" process
user=$(ps aux | grep -v root | grep session | head -n 1 | awk '{print $1}')
sessionids=$(loginctl list-sessions | grep "${user}" | awk '{print $1}')
for sessionid in $sessionids
do
        loginctl lock-session "$sessionid"
        echo "U2F locked sessionid $sessionid  ($user)" | systemd-cat -p info -t udev
done

# close any other tty sessions; the graphical (:0) session is kept since it was locked above
ttys=$(who | grep tty | grep -vF '(:0)' | awk '{print $2}')
for tty in $ttys
do
        pkill --signal HUP -t "$tty"
        echo "U2F killed $tty ($user)" | systemd-cat -p info -t udev
done
# close all konsole windows; pkill avoids matching the grep process itself,
# which the original "ps aux | grep konsole" pipeline would have done
pkill -x konsole
```

* `sudo chmod 700 ~/.config/lockscreen.sh`
* `cp ~/.config/lockscreen.sh ~/.config/lockscreen.sh.bak`
* `nano ~/.config/removeYubilock.sh`
* paste in:

```bash
#!/bin/bash
# Temporarily disable the auto-lock so the key can be unplugged without locking
# the session: the udev rule still fires, but the script it points at is gone.
# The backup made earlier (lockscreen.sh.bak) is restored on the next keypress.
rm ~/.config/lockscreen.sh
echo "Remove the YubiKey and press any key to continue"
while true; do
    # wait up to 3 seconds for a single keypress
    if read -t 3 -n 1; then
        cp ~/.config/lockscreen.sh.bak ~/.config/lockscreen.sh
        echo "Lockscreen file replaced"
        exit
    else
        echo "waiting for the keypress"
    fi
done
```

* `sudo chmod 700 ~/.config/removeYubilock.sh`
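To make the udev half of this reproducible, here is an added shell example (mine, not code from the post or the linked guide). It pulls `ID_MODEL` out of a captured `udevadm monitor --environment --udev` remove event, builds the rule line in the same form as the one above, and checks the `RUN+=` target before the rules are reloaded. The monitor output is a constructed sample, and the script path is the one the post uses. udev executes `RUN+=` programs as root, so the check wants the target to be a root-owned executable that nobody else can write.

```shell
#!/bin/sh
# Added example (not from the original post): derive the udev rule from a
# captured remove event and sanity-check the script it will run as root.
set -eu

# Constructed sample of what `udevadm monitor --environment --udev` prints when
# the key is unplugged. Only the ID_MODEL line matters for the rule.
SAMPLE_EVENT='UDEV  [1234.567] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
SUBSYSTEM=usb
ID_MODEL=YubiKey_OTP+FIDO+CCID
ID_VENDOR=Yubico
SEQNUM=4242'

# Print the ID_MODEL of the first remove event in the captured monitor output.
id_model_from_monitor() {
    printf '%s\n' "$1" | awk '
        /^ACTION=/ { in_remove = ($0 == "ACTION=remove") }
        in_remove && /^ID_MODEL=/ { sub(/^ID_MODEL=/, ""); print; exit }
    '
}

# Build the rule line that goes into /etc/udev/rules.d/20-yubikey.rules.
udev_remove_rule() {
    model="$1"; script="$2"
    printf 'ACTION=="remove", ENV{ID_MODEL}=="%s", RUN+="%s"\n' "$model" "$script"
}

# udev runs RUN+= programs as root. Returns 0 only if the target is a regular,
# executable file owned by root with no group or world write bit.
run_target_is_safe() {
    f="$1"
    [ -f "$f" ] && [ -x "$f" ] || return 1
    owner=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$owner" -eq 0 ] || return 1
    # the last two octal digits are group and other; 2, 3, 6 and 7 include write
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Stand-alone run: show the rule that would be installed for the sample event.
model=$(id_model_from_monitor "$SAMPLE_EVENT")
udev_remove_rule "$model" /home/nathan/.config/lockscreen.sh
```

Run it once with the real monitor output pasted into `SAMPLE_EVENT` (or piped to `id_model_from_monitor`) and compare the printed rule with what you put in `20-yubikey.rules`; `run_target_is_safe /path/to/lockscreen.sh` is the check to run before `udevadm control --reload-rules`.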

### Warning!

**MAKE A BACKUP OF YOUR PAM.D CONFIGS NOW.**  
`sudo cp -R /etc/pam.d ~/pam.d.b`  
Even better, put them on a flash drive with 777 perms.

Should you fail to do so, you could lock yourself out of your system completely. Don't blame me if your whole system is unlockable. Follow [this guide](https://gravityfargo.hashnode.dev/reset-pamd-modules) to reset the stock pam configs.

If your root partition is encrypted, you might be SOL. I don't know; I haven't tried, but I think I saw something about it while googling.

### Adding a key to your user

This guide is a reference for me: I have one set of keys, registered for my user, and no one else uses my rig. The guide reflects that need.

Follow the official [ArchWiki](https://wiki.archlinux.org/title/Universal_2nd_Factor#Adding_a_key). Only do the "Adding a Key" section.

To summarize:

* `sudo pacman -S pam-u2f`
* `mkdir ~/.config/Yubico`
* `pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys`

### Add entries to the pam.d files

Move into the pam.d directory  
`cd /etc/pam.d`

Use `sudo nano` to edit the following files.

For each of these, add this line to the top of the file  
`auth required pam_u2f.so cue [cue_prompt=Yubikey required for authentication.]`

* to "login" for normal shell logins.
* to "polkit-1" for system prompts.
* to "sudo" for `sudo`.
* to "su" for `su`.

For each of these, add it directly under the "auth include system-login" line.

* to "kde" for the first plasma login.
* to "sddm" for plasma unlocks.

**Reboot**
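Editing six files by hand in `/etc/pam.d` is exactly where a typo locks you out, so here is an added shell example (not the post's own procedure) that does the backup, the two kinds of insert, and a verification from a script, and is safe to re-run. It uses the same `auth required pam_u2f.so ...` line and file list as above; `PAMDIR` defaults to `/etc/pam.d` but can point at a scratch copy so the functions can be rehearsed before the real edit. The function names, the `PAMDIR` override and the `pam_u2f_edit.sh` file name in the usage comment are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: insert the pam_u2f line into the
# pam.d files idempotently, backing up first and verifying afterwards.
# Usage (as root, file name assumed):
#   sudo sh -c '. ./pam_u2f_edit.sh; backup_pamd; add_u2f_top login polkit-1 sudo su;
#     add_u2f_after_system_login kde sddm; verify_u2f login polkit-1 sudo su kde sddm'
set -eu

PAMDIR="${PAMDIR:-/etc/pam.d}"
U2F_LINE='auth required pam_u2f.so cue [cue_prompt=Yubikey required for authentication.]'

# Copy the whole directory before touching anything (same idea as the post's cp -R).
backup_pamd() {
    cp -R "$PAMDIR" "${1:-$HOME/pam.d.b}"
}

# 0 if the file already carries the pam_u2f line, so re-running is harmless.
has_u2f() {
    grep -qF "$U2F_LINE" "$PAMDIR/$1"
}

# Write the new contents over the existing file so ownership and mode survive.
replace_file() {
    cat "$2" > "$PAMDIR/$1"
    rm -f "$2"
}

# Put the line at the very top of each file (login, polkit-1, sudo, su).
add_u2f_top() {
    for name in "$@"; do
        has_u2f "$name" && continue
        tmp=$(mktemp)
        { printf '%s\n' "$U2F_LINE"; cat "$PAMDIR/$name"; } > "$tmp"
        replace_file "$name" "$tmp"
    done
}

# Put the line right after "auth include system-login" (kde, sddm). Fails if
# that line is absent instead of guessing where in the stack it belongs.
add_u2f_after_system_login() {
    for name in "$@"; do
        has_u2f "$name" && continue
        grep -qE '^auth[[:space:]]+include[[:space:]]+system-login' "$PAMDIR/$name" || return 1
        tmp=$(mktemp)
        awk -v line="$U2F_LINE" '
            { print }
            /^auth[[:space:]]+include[[:space:]]+system-login/ && !inserted { print line; inserted = 1 }
        ' "$PAMDIR/$name" > "$tmp"
        replace_file "$name" "$tmp"
    done
}

# Every listed file must contain the line exactly once.
verify_u2f() {
    for name in "$@"; do
        n=$(grep -cF "$U2F_LINE" "$PAMDIR/$name" || true)
        [ "$n" -eq 1 ] || return 1
    done
}
```

Rehearse on a copy first (`cp -R /etc/pam.d ~/pam.d.test`, then `PAMDIR=$HOME/pam.d.test`), diff the result against the originals, and only then run it against `/etc/pam.d` with a root shell kept open elsewhere in case the new stack refuses you.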

### Notes for use:

* Startup will hang if you boot the system with the key inserted.
* When authenticating, you have to press the Yubikey first (it flashes), then enter your password.
* If your home partition is encrypted, you won't be able to log in after a reboot.
* I haven't figured out how to make gnome-keyring respect the logins yet. It's definitely a pam issue; I'll update this guide when I figure it out.

#### As stated in the ArchWiki,

"This method will not work with encrypted home partitions because the decryption is not done before the login process is completed, so the u2f_keys file is unavailable. In this case, use a central mapping file as explained in the [official documentation of pam-u2f](https://developers.yubico.com/pam-u2f/)."
