I got my U2F USB/FIDO2 (Linux integration)

Diego Cuba Zuniga
5 min read, Apr 4, 2021

Surfing the web has its own risks; the biggest one, in my view, is being hacked or losing a personal account. How can this happen? In different ways: by joining a public network and suffering session hijacking, cookie stealing or a Man-in-the-Middle attack, or simply because someone has stolen our session information and also has or knows our password. Here the second authentication factor helps us.

Protecting our account is possible with a second authentication factor, either by setting up an application on our mobile or by receiving SMS messages with a code to gain access. These alternatives do not appear to be entirely secure: SMS can be intercepted by cloning the SIM, and anything that depends on the mobile depends on its battery, and realistically nobody always has battery; battery availability is something we always need and are looking for.

Fortunately, the FIDO Alliance created the FIDO2 standard for contact and contactless devices, adding the universal second factor (U2F), which nowadays is implemented by many companies, one of them Yubico.

Here is a picture of my YubiKey NFC, which has arrived, and I have integrated it with Linux (Ubuntu distribution v18.04.1).

I will describe all the snapshots that summarize the steps needed for you to nail down the objective!

First step is to enable the Yubico PPA on Ubuntu:

sudo add-apt-repository ppa:yubico/stable && sudo apt-get update

  1. When prompted, press Enter to confirm adding the PPA.
  2. With the apt-get install command, install the following packages (not mandatory, but they will help with future modifications):

sudo apt-get install yubikey-manager-qt
sudo apt-get install yubioath-desktop
sudo apt-get install yubikey-personalization-gui

Installing the Required Software

  1. Open Terminal.
  2. Run:

sudo apt-get install libpam-u2f

Associating the U2F Key(s) With Your Account

  1. Open Terminal.
  2. Insert your U2F Key.
  3. Run:

mkdir ~/.config/Yubico

  • If you receive an error that this folder exists, you can ignore it and proceed to the next step.

  4. Run:

pamu2fcfg > ~/.config/Yubico/u2f_keys

  5. When your device begins flashing, touch the metal contact to confirm the association.

Configuring the System to Use the U2F Keys

Test Configuration with the Sudo Command

This section covers how to require the YubiKey when using the sudo command, which should be used as a test so that you do not lock yourself out of your computer.

  1. Open Terminal and run:

sudo nano /etc/pam.d/sudo

  2. Add the line below after the “@include common-auth” line.

auth required pam_u2f.so

  3. Press Ctrl+O and then Enter to save the file. Be sure you do not close the Terminal window, otherwise you will not be able to revert the changes.
  4. Remove your device from the computer.

TESTING YOUR U2F-USB (Yubikey)

  1. Open a new Terminal and run:

sudo echo test

  2. When prompted, enter your password (Ubuntu admin password) and press Enter.
  3. Even with the correct password, the authentication should fail as the U2F Key is not plugged in. If the authentication succeeds without the U2F Key, that indicates the U2F PAM module was not installed or there is a typo in the changes you made to /etc/pam.d/sudo.
  4. Now, insert your device :)
  5. Open a new Terminal and run sudo echo test again.
  6. When prompted, enter your password and press Enter. Then, touch the metal contact on your U2F Key when it begins flashing.

Congrats! If the password was accepted, the text “test” will appear; at this point you have configured the system correctly and can continue to the next section to require the U2F Key for login.

Note: if you do not want to require the U2F Key to run the sudo command, remove the line you added to the /etc/pam.d/sudo file.

Configuring the System to Require the YubiKey for Login

  1. Open Terminal.
  2. If your system is Ubuntu 17.10 or newer, run:

sudo nano /etc/pam.d/gdm-password

If your system is Ubuntu 17.04 or older, run:

sudo nano /etc/pam.d/lightdm

  3. Add the line below after the “@include common-auth” line.

auth required pam_u2f.so

  4. Press Ctrl+X and then Enter to save and close the file.

Success! You will no longer be able to log in to the computer without the U2F device.
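Before relying on the login screen being locked behind the key, it helps to be able to check the two files this guide edits without attempting a login. The script below is an added example, not code from this post or from Yubico: check_pam_u2f_line verifies that a PAM file (/etc/pam.d/sudo, /etc/pam.d/gdm-password or /etc/pam.d/lightdm) contains the "auth required pam_u2f.so" line and that it sits after "@include common-auth", the placement both sections above ask for, and count_u2f_keys counts the keys registered for a given user in a u2f_keys mapping file of the form user:keyhandle,publickey. Both functions take the file path as an argument so they can be run against the real files or against copies; the sample file contents and the user name "alice" in the comments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# PAM file and the u2f_keys mapping file described in the guide.

# check_pam_u2f_line FILE
# Exit status: 0 when FILE has an "auth required pam_u2f.so" line placed after
# "@include common-auth"; 1 when the pam_u2f line is missing; 2 when it is
# present but comes before common-auth; 3 when common-auth itself is missing.
check_pam_u2f_line() {
    file="$1"
    # line number of the first "@include common-auth" (empty if absent)
    inc=$(grep -n '^@include[[:space:]][[:space:]]*common-auth' "$file" 2>/dev/null | head -n1 | cut -d: -f1)
    # line number of the first "auth required pam_u2f.so" (empty if absent)
    u2f=$(grep -n '^auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*pam_u2f\.so' "$file" 2>/dev/null | head -n1 | cut -d: -f1)
    [ -n "$inc" ] || return 3
    [ -n "$u2f" ] || return 1
    [ "$u2f" -gt "$inc" ] || return 2
    return 0
}

# count_u2f_keys FILE USER
# Prints the number of key entries on USER's line of a pamu2fcfg-style
# mapping file (user:keyhandle,publickey[:keyhandle,publickey...]).
# Prints 0 when USER has no line at all.
count_u2f_keys() {
    file="$1"
    user="$2"
    line=$(grep "^${user}:" "$file" 2>/dev/null | head -n1)
    if [ -z "$line" ]; then
        echo 0
        return 0
    fi
    # drop the "user:" prefix, then count the colon-separated key entries
    keys=${line#*:}
    printf '%s\n' "$keys" | awk -F: '{ print NF }'
}

# Usage (constructed example paths; adapt to your own files):
#   check_pam_u2f_line /etc/pam.d/sudo; echo "status: $?"
#   count_u2f_keys ~/.config/Yubico/u2f_keys alice
```

A non-zero status from check_pam_u2f_line corresponds to the failure the testing section describes (sudo succeeding without the key): the module line is absent, mistyped, or placed before the password check. For count_u2f_keys, note that the guide's "pamu2fcfg > ~/.config/Yubico/u2f_keys" uses ">", which truncates the file, so running it again replaces any previously registered key for that user rather than adding to the line; checking the count after registration makes that visible.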

Testing stage

After writing our password and pressing Enter, this message appeared, as in the picture (our Yubikey suddenly started flashing).

I tried one more time, and after pressing Enter and touching the Yubikey, it worked successfully!

Sources:

https://support.yubico.com/support/solutions/articles/15000011356-ubuntu-linux-login-guide-u2f#Table_Of_Contents

https://developers.yubico.com/yubico-pam/

https://support.yubico.com/support/solutions/articles/15000010964-enabling-the-yubico-ppa-on-ubuntu

MSc in Telecommunications Engineering with experience in Networking, Security, Linux Bash Scripting, Linux Servers Deployment and Services Administration