The basics of adding a Yubikey to be used to authorise
sudo commands on a Debian Linux machine.
First install the required
sudo apt install libpam-u2f
Create the configuration folder for the U2F keys config file:
Register your Yubikey into the configuration file in the directory you created:
pamu2fcfg > ~/.config/Yubikey/u2f_keys
You will be prompted for your keys pin (if set, it should be!) and required to touch the key as normal to register it.
To register additional keys use the following command:
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
Now you need to add a line to the
/etc/pam.d/sudofile to enable the key.
Add the line
auth sufficient pam_u2f.so after the
session entries and before the line
@include common-auth, then save but do not close the file.
If you want to make it 2FA instead of just authorisation the line would be
auth required pam_u2f.so.
Open a new terminal window to test the configuration is working:
sudo echo SUCCESS
If that works as expected, waiting on the touch of the Yubikey you are now OK to close the
/etc/pam.d/sudo file, if not check for typos or revert before debugging.
These are instructions simplified for the one purpose I was after from the Yubico guide, which goes into more details and use cases.. https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F