In the realm of cybersecurity, the imperative to fortify our digital defenses against evolving threats is undeniable. Traditional password-based authentication methods, susceptible to various forms of exploitation, necessitate augmentation with more robust mechanisms.
YubiKey, a hardware token developed by Yubico, emerges as a potent solution. Its integration into the login process introduces multifactor authentication, mandating both password input and physical possession of the YubiKey for access. Additionally, leveraging YubiKey’s capabilities enables the implementation of automatic system locking upon YubiKey removal, thereby enhancing protection against unauthorized access.
In this technical guide, we’ll delve into the step-by-step process of harnessing YubiKey’s security features within Debian 12 / Ubuntu 22.04, particularly focusing on systems running the GNOME desktop environment.
The first step in this guide is to install the libpam-u2f package, which provides the pam_u2f PAM module and the pamu2fcfg enrollment tool used below:
$ sudo apt-get install libpam-u2f
Once installed, plug in your YubiKey and run the appropriate command below. After you press Enter, touch the flashing button on the YubiKey; a long string (the enrolled key) is printed and written to /etc/u2f_keys.
For the first key, use:
$ pamu2fcfg | sudo tee /etc/u2f_keys
To add a second or further key, append it with:
$ pamu2fcfg -n | sudo tee -a /etc/u2f_keys
We can now enable the login verification, which is simple: add this line to the end of the /etc/pam.d/common-auth file
auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue
You can now test it: lock your system, then try logging in without your YubiKey. You should only be able to log in once the YubiKey has been inserted, the password entered and the YubiKey touched.
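Before relying on that PAM line it is worth checking who the authfile actually covers. The following POSIX sh script is an added example and not part of the original guide; the function names (u2f_key_count, u2f_unenrolled_users) and the sample authfile are my own, and the key material in it is placeholder text. It parses the one-line-per-user format that pamu2fcfg writes and lists the accounts that have no key. That list matters because, with nouserok in the PAM line, an account with no entry in /etc/u2f_keys keeps authenticating with a password alone; conversely, if you drop nouserok before every account is enrolled, those accounts are locked out. Keep a root shell open while testing, since common-auth is also consulted by sudo and the lock screen.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an authfile in the
# format pamu2fcfg writes before making pam_u2f mandatory. One line per user:
#   <user>:<keyhandle>,<pubkey>[,<cosetype>,<options>]:<keyhandle2>,<pubkey2>...
# Keys are separated by ':' and the fields of one key by ','.

# Print how many keys USER has enrolled in FILE (0 if the user is absent).
u2f_key_count() {
    file=$1
    user=$2
    awk -F: -v u="$user" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i != "") n++ }
        END { print n + 0 }
    ' "$file"
}

# Print, one per line, every user named on the command line that has no
# key in FILE. With "nouserok" these accounts still log in with a password
# only, so this is exactly the set the second factor does not yet cover.
u2f_unenrolled_users() {
    file=$1
    shift
    for u in "$@"; do
        [ "$(u2f_key_count "$file" "$u")" -eq 0 ] && printf '%s\n' "$u"
    done
    return 0
}

# Constructed sample authfile: alice has two keys, bob one, carol none.
# The key handles and public keys are placeholders, not real credentials.
SAMPLE_KEYS='alice:KEYHANDLE_A1,PUBKEY_A1,es256,+presence:KEYHANDLE_A2,PUBKEY_A2,es256,+presence
bob:KEYHANDLE_B1,PUBKEY_B1,es256,+presence'

# Demo on the constructed sample: reports carol as the only account
# that would still get in with a password alone.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" > "$tmp"
echo "Keys enrolled for alice: $(u2f_key_count "$tmp" alice)"
echo "Accounts without a key:"
u2f_unenrolled_users "$tmp" alice bob carol
rm -f "$tmp"
```

On a real system, run it against /etc/u2f_keys with the login names of every interactive account (for example the output of `getent passwd | awk -F: '$3 >= 1000 {print $1}'`), and enroll or consciously exempt whatever it reports.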
Implementing the automatic lock is also pretty simple, with only a few steps to follow:
With your YubiKey plugged in, run this command, then remove the key:
$ sudo udevadm monitor --kernel --property --subsystem-match=usb | grep PRODUCT
This command reveals the product ID of your key. The output should look something like this, though the values vary with the model of your YubiKey:
PRODUCT=1050/120/502
Once you have found your product ID, create a new udev rule in a file called /etc/udev/rules.d/99-u2f_lock_screen.rules.
Write this in the file, replacing the product ID with your own:
ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/120/502", RUN+="/usr/local/bin/gnome_lock_all_sessions"
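The following shell script is an added example, not part of the original guide, that turns the udevadm monitor output into the rule above; the function names (usb_product_ids, lock_rule, lock_rule_any_revision) and the sample monitor output are my own. It keeps only remove events of DEVTYPE usb_device, because each USB interface of the key emits its own remove uevent carrying the same PRODUCT value (the rule on this page, which matches any SUBSYSTEM=="usb" event, therefore fires more than once per unplug, which is harmless since locking is idempotent). The third field of PRODUCT is the USB device release number (bcdDevice), which changes between device revisions, so the exact match on this page stops working after that number changes; lock_rule_any_revision goes beyond the page and replaces it with a glob, which udev supports in match values.

```shell
#!/bin/sh
# Added example (not from the original guide): derive the lock-screen udev
# rule from `udevadm monitor --kernel --property --subsystem-match=usb` output.

# Read udevadm monitor output on stdin and print each distinct PRODUCT value
# seen on a "remove" event of a usb_device (interfaces repeat the same id).
usb_product_ids() {
    awk -F= '
        function flush() {
            if (action == "remove" && devtype == "usb_device" &&
                product != "" && !(product in seen)) {
                seen[product] = 1
                print product
            }
            action = ""; devtype = ""; product = ""
        }
        /^(KERNEL|UDEV)\[/ { flush() }     # a new event header starts
        $1 == "ACTION"  { action = $2 }
        $1 == "DEVTYPE" { devtype = $2 }
        $1 == "PRODUCT" { product = $2 }
        /^$/            { flush() }        # events are blank-line separated
        END             { flush() }
    '
}

# Print a udev rule that runs LOCKER (default: the script from this guide)
# when the USB device whose PRODUCT id is $1 is removed.
lock_rule() {
    pid=$1
    locker=${2:-/usr/local/bin/gnome_lock_all_sessions}
    printf 'ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="%s", RUN+="%s"\n' \
        "$pid" "$locker"
}

# Same rule, but with the third PRODUCT field (bcdDevice, the device
# release number) replaced by a glob so a revision change does not
# silently disable the lock.
lock_rule_any_revision() {
    lock_rule "${1%/*}/*" "$2"
}

# Constructed sample of udevadm monitor output: one add event, then the
# interface and device remove events of a single unplug.
SAMPLE_MONITOR='monitor will print the received events for:
KERNEL - the kernel uevent

KERNEL[3158.131120] add      /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=add
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
SUBSYSTEM=usb
DEVTYPE=usb_device
PRODUCT=1050/120/502
SEQNUM=4301

KERNEL[3171.502281] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0
SUBSYSTEM=usb
DEVTYPE=usb_interface
PRODUCT=1050/120/502
SEQNUM=4302

KERNEL[3171.502399] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
SUBSYSTEM=usb
DEVTYPE=usb_device
PRODUCT=1050/120/502
SEQNUM=4303'

# Demo: prints one rule per key id found in the sample.
printf '%s\n' "$SAMPLE_MONITOR" | usb_product_ids | while read -r pid; do
    lock_rule "$pid"
    lock_rule_any_revision "$pid"
done
```

On a live system, pipe the real monitor output in instead of the sample (`sudo udevadm monitor --kernel --property --subsystem-match=usb | usb_product_ids`), unplug the key, and stop the monitor with Ctrl-C; the ids printed are the ones to put in the rule.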
The next step is to create the /usr/local/bin/gnome_lock_all_sessions file, which the udev rule runs when our key is unplugged. Copy the code here into that file:
#!/bin/sh
# Lock every GNOME session of a regular user; run by udev (as root) on key removal.
for bus in /run/user/*/bus; do
    [ -e "$bus" ] || continue            # no session buses: the glob did not expand
    uid=$(basename "$(dirname "$bus")")
    if [ "$uid" -ge 1000 ]; then         # regular users only, not system accounts
        user=$(id -un "$uid")
        export DBUS_SESSION_BUS_ADDRESS="unix:path=$bus"
        # Only lock sessions where a GNOME screensaver is registered on the bus
        if su -c 'dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames' "$user" | grep -q org.gnome.ScreenSaver; then
            su -c 'dbus-send --session --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock' "$user"
        fi
    fi
done
The last step is to mark our file as executable:
$ sudo chmod +x /usr/local/bin/gnome_lock_all_sessions
And then reload our udev rules:
$ sudo udevadm control -R
If all is well, when you unplug your YubiKey, your system should lock.