TREZOR/U2F Login into Your Linux Mint
Adapted with permission from Shane Antyr’s blog
TREZOR recently upgraded the firmware for their handy devices to include U2F functionality. This is great for securing online resources, but what about using your TREZOR and U2F to help secure Ubuntu/Mint workstations? Is it possible to add two factor authentication to things like MDM logins and sudo? (Looking for macOS Guide? It’s here!)
WARNING
Be aware that if you mess things up, or don’t have your TREZOR handy after you finish configuring U2F on your workstation, you’ll be locked out. Caveat Emptor!
EDITOR’S WARNING
You are doing this at your own risk. There is no guarantee it will work, and we cannot ascertain that you will not make any mistakes. Errors in PAM configuration may break your computer. If you are not comfortable working with the command line, you are not ready to do this! We are not liable for mistakes made by following this guide.
Installation
You’ll need your TREZOR to be running firmware 1.4 or greater. See: Second Factor Authentication with TREZOR for details. (If you do not have a TREZOR, any U2F dongle will do. Unlike a TREZOR, generic U2F devices do not have a display, but just a button. Press the button whenever prompted.)
Once your TREZOR is ready, you’ll need to add U2F authentication as an option on your Linux machine. To do so, install the needed U2F packages by running:
$ sudo apt-get install libpam-u2f pamu2fcfg
U2F_Mappings File
Next you’ll need to generate your U2F mappings file. Plug in your TREZOR (or any other U2F device) and run:
$ pamu2fcfg -u yourusername > /tmp/u2f_mappings
$ echo >> /tmp/u2f_mappings
$ pamu2fcfg -u root >> /tmp/u2f_mappings
You’ll need to confirm on your TREZOR at this point.
Now move the u2f_mappings file into /etc:
$ sudo mv /tmp/u2f_mappings /etc/u2f_mappings
Configuring Pam to Use U2F
The u2f_mappings file you’ve put into /etc will be used by the pam-u2f module. Now we need to set up PAM so that it actually uses this module, which is what adds two factor authentication to your system. It is quite simple: all you need to do is add a couple of config lines to the appropriate PAM configuration files. You can list them with:
$ ls /etc/pam.d
Here are some of the things you might want to add the U2F authentication module to:
- sudo
- login
- su
- mdm, lightdm or gdm
- cinnamon-screensaver
You can see the various things on your system which require authentication by looking in /etc/pam.d/. If you’re a hacker like me, you can try configuring U2F for other things using the information in this article. If you do, I suggest trying it out on a Virtual Machine first.
Examples
Time to fire up your favorite text editor!
sudo
First add two factor authentication to the sudo command.
Open up the sudo configuration file:
$ sudo emacs -nw /etc/pam.d/sudo
Add this at the end of the file:
# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
At this point, you can test your configuration by firing up another terminal window and running a sudo command. If you’ve done things correctly you’ll be asked for your password and then prompted to “Please touch the device.” Your TREZOR will also be prompting you to authorize the request. Congratulations, your system now requires your TREZOR to run sudo. Pretty neat, eh?
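Before you close the terminal you tested from, it is worth checking the two files this procedure produced: the mappings file and the edited pam.d file. The script below is an added example, not part of the original post or of pam-u2f itself; it builds constructed sample files with placeholder key material in a temp directory (it does not touch /etc), and checks that every mappings line has the user:keyhandle,publickey shape pamu2fcfg writes and that the pam_u2f.so line is really active, since a comment that swallows the directive means PAM silently never loads the module.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pam_u2f setup.
#   1. every non-blank line of the mappings file looks like user:keyhandle,publickey
#      (pam_u2f chains several keys for one user with further colons);
#   2. the pam.d file has an UNCOMMENTED auth line loading pam_u2f.so with
#      authfile= pointing at that mappings file.
# "# u2f authenticationauth required pam_u2f.so ..." on one line is the classic
# copy/paste mistake: the whole line is a comment and the module is never loaded.

# Usage: check_mappings FILE  -> 0 if every non-blank line is well-formed
check_mappings() {
    [ -r "$1" ] || { echo "mappings file $1 not readable"; return 1; }
    bad=$(grep -v -E '^[^:[:space:]]+:[^[:space:]]+$' "$1" \
          | grep -v -E '^[[:space:]]*$' | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) in $1"; return 1; }
}

# Usage: check_pam_line PAMFILE AUTHFILE -> 0 if an active pam_u2f line uses AUTHFILE
check_pam_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite|sufficient)[[:space:]]+pam_u2f\.so' "$1" \
        | grep -qF -- "authfile=$2" \
        || { echo "no active pam_u2f.so line with authfile=$2 in $1"; return 1; }
}

# Build constructed sample files under a temp dir (sets SAMPLE_DIR); nothing in /etc is read.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    # Constructed mappings with placeholder key material, not real keys.
    printf 'alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER\nroot:KH_PLACEHOLDER,PK_PLACEHOLDER\n' \
        > "$SAMPLE_DIR/u2f_mappings"
    # Correct fragment: comment and directive on separate lines.
    printf '# u2f authentication\nauth required pam_u2f.so authfile=%s cue\n' \
        "$SAMPLE_DIR/u2f_mappings" > "$SAMPLE_DIR/sudo.good"
    # Broken fragment: the directive got glued onto the comment line.
    printf '# u2f authenticationauth required pam_u2f.so authfile=%s cue\n' \
        "$SAMPLE_DIR/u2f_mappings" > "$SAMPLE_DIR/sudo.bad"
}

make_samples
check_mappings "$SAMPLE_DIR/u2f_mappings" && echo "mappings OK"
check_pam_line "$SAMPLE_DIR/sudo.good" "$SAMPLE_DIR/u2f_mappings" && echo "sudo.good OK"
check_pam_line "$SAMPLE_DIR/sudo.bad" "$SAMPLE_DIR/u2f_mappings" || echo "sudo.bad: module would not load"
```

To check a real install, call the two functions with /etc/pam.d/sudo and /etc/u2f_mappings instead of the constructed files.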
EDITOR’S NOTE
If you add the pam_u2f.so module as “sufficient” and write it in the lines before the other “auth required” modules, you will be able to authenticate using only the TREZOR/U2F device. If the “sufficient” authentication method passes, all subsequent auth modules are ignored. If at the authentication point no U2F device is detected, the system will automatically use the next auth module.
login
Next, let’s secure login. I don’t want anyone besides me getting onto my system using a virtual console. If you’re not aware of what this means check out: Virtual Console on Wikipedia.
$ sudo emacs -nw /etc/pam.d/login
Add this at the end of the file:
# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
Test this by bringing up a virtual console. Again, you’ll be prompted to authorize the request on your TREZOR after you’ve authenticated with your password.
su
By now, you should see what is being done here. Let’s lock down the su command now (What is su?).
$ sudo emacs -nw /etc/pam.d/su
Add this at the end of the file:
# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
You can test by running:
$ su yourusername
Conclusion
Be sure to add U2F authentication to your login and screen saver configuration files as well. I run GDM and Cinnamon, so I set up U2F for those. Again, see /etc/pam.d for the config files you’ll need to tweak. As mentioned in Mike Jonesey’s article, to really secure your install you should be running your disks fully encrypted, etc.
Happy Hacking!
Update: TREZOR developer Stick adds:
Cool thing about TREZOR is that you can recover the seed used to generate the U2F secret, so even if you lose your TREZOR you can still log in to your machine after recovery (as opposed to when using other U2F tokens).
Editor’s Note
For more detail on setting up PAM configuration files, such as the sufficient and required flags, please check out the following resources:
- TREZOR/U2F Login into Your Mac OS X at TREZOR Security (PAM flags are the same across all Unix systems.)
- Understanding PAM at Linux.com
- Yubico-PAM at Development Yubico
- pam-u2f at Development Yubico
- Linux Desktop 2FA With PAM-U2F by Mike Jonesey
- Setting up a FIDO® U2F key for 2 Factor Authentication via PAM by Adrian Koshka
Original Article
Originally written by Shane Antyr on his personal blog. Available here