Cogs and Levers A blog full of technical stuff

Passwordless sudo using a YubiKey

Introduction

YubiKeys are hardware multi-factor authentication (MFA) devices. On Linux they can raise the bar for anyone trying to get root on your machine while also cutting down on the number of times you type your password during the day.

In this article, we’ll walk through the process of configuring a YubiKey for secure authentication, including setting up passwordless sudo or enabling two-factor authentication (2FA) for elevated privileges.

Setup

Prerequisites

First, install the pam_u2f PAM module and the pamu2fcfg registration tool. On Debian-based systems these ship as two separate packages (libpam-u2f and pamu2fcfg), so install both:

sudo apt-get install libpam-u2f pamu2fcfg

U2F (Universal 2nd Factor) is the FIDO Alliance's open standard for hardware second-factor keys. Yubico's pam-u2f module is what lets a PAM-aware program such as sudo verify a key; current versions also speak FIDO2, which is why newer YubiKeys may ask for a PIN.

Adding Your YubiKey

To link your YubiKey with your system, follow these steps:

  1. Connect your YubiKey: Insert the device into a USB port.

  2. Create the configuration directory: If it doesn't already exist, create ~/.config/Yubico, which is where pam_u2f looks for your key file by default:

   mkdir -p ~/.config/Yubico
   
  3. Register your YubiKey: Add the key to the list of accepted devices by running:

   pamu2fcfg > ~/.config/Yubico/u2f_keys
   

The key will start blinking; touch it to complete the registration. If you've set a PIN on the YubiKey, you may be prompted to enter it first.

  4. Add additional keys (optional): Register a backup key the same way, using -n so that the username prefix is not repeated and the new credential is appended to your existing line:

   pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
   

The file holds one line per user, of the form user:credential:credential..., where each credential is the key handle, the public key and (with current pam-u2f) the COSE type and options, separated by commas. Ensure there are no extra newlines between entries in ~/.config/Yubico/u2f_keys: a credential that lands on a line of its own carries no username and will never match you. Register a backup key now, before you make the key mandatory for sudo, so that losing one key does not lock you out of root.
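An added check, not part of the original post: the shell function below parses a pam_u2f key file and reports how many credentials are registered for a user, and it fails on the layouts that break matching (blank lines, a -n entry that landed on its own line, a user listed twice, a credential missing its public key). The layout it assumes is the documented one, user:keyhandle,pubkey[,cosetype,options][:keyhandle,pubkey...], and the key material in the test is constructed, not real.

```shell
#!/bin/sh
# check_u2f_keys: sanity-check a pam_u2f key file before relying on it for sudo.
# Added example, not from the original post. Assumes the documented layout:
#   <user>:<keyhandle>,<pubkey>[,<cosetype>,<options>][:<keyhandle2>,<pubkey2>...]
# with exactly one line per user; extra credentials are joined onto that line.
# usage: check_u2f_keys <file> <user>   (exit 0 and print the credential count)
check_u2f_keys() {
  file=$1
  user=$2
  [ -f "$file" ] || { echo "missing key file: $file" >&2; return 1; }
  awk -F: -v user="$user" '
    # blank lines are never valid entries
    /^[[:space:]]*$/ { print "line " NR ": blank line"; bad = 1; next }
    # a line with no username prefix (what a stray newline before a
    # "pamu2fcfg -n" entry produces) cannot match any user
    $1 == "" || $1 ~ /,/ {
      print "line " NR ": no username prefix (appended with -n onto a new line?)"
      bad = 1; next
    }
    {
      if (++seen[$1] > 1) { print "line " NR ": duplicate entry for " $1; bad = 1 }
      if (NF < 2) { print "line " NR ": no credentials for " $1; bad = 1 }
      for (i = 2; i <= NF; i++) {
        n = split($i, f, ",")
        # each credential needs at least a key handle and a public key
        if (n < 2) { print "line " NR ": credential " (i - 1) " for " $1 " is malformed"; bad = 1 }
      }
      creds[$1] += NF - 1
    }
    END {
      if (!(user in creds)) { print "no entry for " user; exit 1 }
      print user ": " creds[user] " credential(s)"
      exit (bad ? 1 : 0)
    }' "$file"
}

# Stand-alone use: ./check_u2f_keys.sh [file] [user]
if [ -n "${1:-}" ]; then
  check_u2f_keys "$1" "${2:-$(id -un)}"
fi
```

Run it against ~/.config/Yubico/u2f_keys after each pamu2fcfg invocation; the count should go up by one per key, and the line number in any complaint points at the entry to fix.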

Configuring sudo

After setting up your key(s), you can configure sudo to use them for authentication.

Enabling Passwordless sudo

To make sudo passwordless:

  1. Check your /etc/sudoers file: Your group needs an ordinary rule granting sudo rights, for example:
   %wheel      ALL = (ALL) ALL
   

Ensure your user is part of that group (wheel here; on Debian-based systems the group is sudo). Do not add a NOPASSWD tag: NOPASSWD tells sudo to skip authentication altogether, so the PAM auth stack, and with it your YubiKey, is never consulted, and any process running as your user can become root.

  2. Modify /etc/pam.d/sudo: Add the following line before @include common-auth:
   auth        sufficient      pam_u2f.so
   

This makes a touch of a registered YubiKey sufficient for sudo, so no password is asked for. If no key is inserted, pam_u2f fails and PAM falls through to the usual password prompt, so you are not locked out; it also means this mode is about convenience rather than strength, since the password path still exists. Because the default key file lives in your home directory, anything that can write there could register a key of its own. On a shared or sensitive machine, keep the file root-owned under /etc (for example /etc/Yubico/u2f_keys, same format, one line per user) and point the module at it with authfile=/etc/Yubico/u2f_keys on the pam_u2f.so line.

Enabling 2FA for sudo

To enable 2FA, where both your password and YubiKey are required:

  1. Edit /etc/pam.d/sudo: Add the following line after @include common-auth:
   auth        required        pam_u2f.so
   

With required, the usual password check runs first and the YubiKey must then succeed as well: a missing or unregistered key fails the whole stack even when the password was correct. Have a backup key registered, or a root shell open in another terminal, before you switch this on.
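The two sudo stacks above differ only in the control flag and in which side of @include common-auth the pam_u2f line sits, which is easy to get backwards when editing by hand. As an added example, not code from the original post, the script below renders either stack from an existing pam.d file, refuses to insert the line twice, keeps a .bak copy when applying, and flags NOPASSWD rules in a sudoers file, since those make sudo skip the auth stack entirely. The cue option it appends is pam_u2f's own (it prints a prompt to touch the key); the pam.d and sudoers contents in the test are constructed stand-ins for the Debian files.

```shell
#!/bin/sh
# Added example, not from the original post: build the pam_u2f line for either
# sudo mode, place it correctly relative to "@include common-auth", and catch
# the NOPASSWD mistake. Works on any pam.d file; the defaults assume Debian paths.

# The auth line for the chosen mode. "cue" is a pam_u2f option that prints a
# "touch the device" prompt so you know why sudo is waiting.
pam_u2f_line() {
  case $1 in
    passwordless) echo "auth        sufficient      pam_u2f.so cue" ;;
    2fa)          echo "auth        required        pam_u2f.so cue" ;;
    *) echo "unknown mode: $1 (use passwordless or 2fa)" >&2; return 2 ;;
  esac
}

# pam_u2f_render <pam.d file> <mode>: print the file with the line inserted.
#   passwordless -> before @include common-auth (key alone is sufficient,
#                   otherwise PAM falls through to the password)
#   2fa          -> after  @include common-auth (password first, then key)
# Idempotent: a file that already references pam_u2f.so is printed unchanged.
pam_u2f_render() {
  file=$1
  mode=$2
  line=$(pam_u2f_line "$mode") || return 2
  if grep -q 'pam_u2f\.so' "$file"; then
    cat "$file"
    return 0
  fi
  grep -q '^@include common-auth' "$file" \
    || { echo "no '@include common-auth' in $file; place the line by hand" >&2; return 1; }
  awk -v ins="$line" -v mode="$mode" '
    /^@include common-auth/ {
      if (mode == "passwordless") { print ins; print } else { print; print ins }
      next
    }
    { print }' "$file"
}

# pam_u2f_apply <pam.d file> <mode>: write the change in place, keeping
# <file>.bak, via a temp file so a half-written PAM config is never installed.
pam_u2f_apply() {
  file=$1
  mode=$2
  tmp=$(mktemp "$file.XXXXXX") || return 1
  if pam_u2f_render "$file" "$mode" > "$tmp"; then
    cp -p "$file" "$file.bak" && chmod 644 "$tmp" && mv "$tmp" "$file"
  else
    rm -f "$tmp"
    return 1
  fi
}

# sudoers_nopasswd <sudoers file>: print uncommented NOPASSWD rules; returns 1
# if any exist. Such a rule makes sudo skip authentication, so pam_u2f.so is
# never consulted no matter what /etc/pam.d/sudo says.
sudoers_nopasswd() {
  grep -n 'NOPASSWD' "$1" | grep -v '^[0-9]*:[[:space:]]*#' && return 1
  return 0
}

# Stand-alone use (as root): ./pam_u2f.sh <passwordless|2fa> [pam.d file] [sudoers file]
if [ -n "${1:-}" ]; then
  sudoers_nopasswd "${3:-/etc/sudoers}" || echo "remove the NOPASSWD rule(s) above first" >&2
  pam_u2f_apply "${2:-/etc/pam.d/sudo}" "$1"
fi
```

Rendering to stdout first (pam_u2f_render /etc/pam.d/sudo 2fa) lets you eyeball the result before pam_u2f_apply writes it; if you get locked out anyway, copying /etc/pam.d/sudo.bak back from your open root shell restores the previous stack.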

Troubleshooting

Before closing the terminal window where you're editing /etc/pam.d/sudo, always confirm that your changes work as expected. Open a root shell in a second terminal (sudo -i) before you touch the file, then in a third terminal run sudo -k followed by sudo -v to force a fresh authentication. A typo in a PAM stack can lock every user out of sudo, and that open root shell is your way back in.

Enable Debugging

If something isn't working, add debug to the pam_u2f.so line in /etc/pam.d/sudo (whichever of sufficient or required you used) to enable detailed logging during authentication:

auth        sufficient      pam_u2f.so debug

By default the messages are written to the terminal's standard error as sudo runs; add debug_file=syslog (or a file path) to the same line to send them elsewhere. The additional logs show which key file was read and where the matching failed, which is usually enough to spot a wrong username prefix, a stray newline or a missing touch. Remove debug again once the problem is found.

Conclusion

Adding a YubiKey to your Linux authentication setup can both tighten security and simplify your workflow by reducing how often you enter passwords. Whether you choose the convenience of passwordless sudo or the stronger guarantee of 2FA, keep a backup key registered and a root shell handy while you change the PAM stack; with that done, a YubiKey is a cheap and effective addition to your security posture.