Universal 2 Factor Authentication

Universal 2 Factor ( U2F ) is a standardized, and open specification for authentication tokens. Initially U2F was developed by google and Yubico, but has now been published by the FIDO Alliance.

U2F is easy to use for end users, and only requires pressing a button. U2F is also easy to deploy. By following this guide, you will be able to set up your own Multi-factor Authentication server to authenticate server logins and web applicaiton logins. Let’s get started.

Here’s what we’ll need:

  • A Linux Host ( this guide uses a Debian based Linux OS )
  • U2F comptabile physical authentication device

Here are some suggestions for a U2F comptabile device:

 

1 = Make sure your server is up to date.

$ sudo apt-get update
$ sudo apt-get upgrade

If you have upgraded your kernel version, please reboot the machine the apply the new kernel.

Install the following packages: pamu2fcfg, libpam-u2f

$ sudo apt-get install pamu2fcfg libpam-u2f

3 = The first step is to register your token. This command will register your token and associate it with your user account.

$ pamu2fcfg -u USERNAME > u2f_mappings

Next, move it into /etc/ and modify permissions to 600

$ mv u2f_mappings /etc/u2f_mappings
$ chmod 600 /etc/u2f_mappings

 

4 = Modifying PAM.d

We are going to use PAM Daemon, the plugin authentication module, to check with U2F before allowing use of the sudo command.

To turn on U2F authentication for the sudo command, add this line into your /etc/pam.d/sudo file.

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings debug cue

echo "auth sufficient pam_u2f.so authfile=/etc/u2f_mappings debug cue" >> /etc/pam.d/sudo

The use of “sufficient” means that you will be prompted for the token, and sign in, even if you fail to authenticate properly. If the token works correctly, you should be prompted to press the button on your device when using the sudo command.

If the command runs successfully with your token, replace the word sufficient with required on the line above, and remove the word debug. This will make your token a requirement to authenticate, and work without the massive verbosity.

 

For a technical overview of the U2F protocol and authentication mechanisms, take a look at the FIDO presentation here https://www.slideshare.net/FIDOAlliance/fido-u2f-specifications-overview-tutorial

 

 


Leave a Reply

Your email address will not be published. Required fields are marked *