Universal 2 Factor Authentication
Universal 2nd Factor (U2F) is a standardized, open specification for authentication tokens. U2F was initially developed by Google and Yubico and has since been published by the FIDO Alliance.
U2F is easy to use for end users, who only need to press a button on the token, and it is easy to deploy. By following this guide you will set up your own multi-factor authentication on a server to protect server logins (this guide covers sudo) and, with the same token, web application logins. Let’s get started.
Here’s what we’ll need:
- A Linux host (this guide uses a Debian-based Linux OS)
- A U2F-compatible physical authentication device
Here are some suggestions for a U2F-compatible device:
- Fidesmo card. If you choose a Fidesmo device you’ll also have to buy the Ledger FIDO U2F app and install it onto your card.
- Yubikey
1 = Make sure your server is up to date.
$ sudo apt-get update
$ sudo apt-get upgrade
If the upgrade installed a new kernel, reboot the machine to apply it.
2 = Install the following packages: pamu2fcfg, libpam-u2f
$ sudo apt-get install pamu2fcfg libpam-u2f
3 = Next, register your token. This command registers your token and associates it with your user account (replace USERNAME with your login name, and touch the device when it prompts you).
$ pamu2fcfg -u USERNAME > u2f_mappings
Next, move the file into /etc/ and restrict its permissions to 600. Moving into /etc/ needs root, so sudo is required here.
$ sudo mv u2f_mappings /etc/u2f_mappings
$ sudo chmod 600 /etc/u2f_mappings
4 = Modifying PAM.d
We are going to use PAM (Pluggable Authentication Modules) to check the U2F token before allowing use of the sudo command.
To turn on U2F authentication for the sudo command, add this line to your /etc/pam.d/sudo file.
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings debug cue
Appending it requires root, so pipe the line through sudo tee rather than redirecting with >> from an unprivileged shell:
echo "auth sufficient pam_u2f.so authfile=/etc/u2f_mappings debug cue" | sudo tee -a /etc/pam.d/sudo
The control flag “sufficient” means you will be prompted for the token but will still be signed in even if the token check fails, which makes it safe for testing. If the token works correctly, you should be prompted to press the button on your device when using the sudo command. Keep a second root shell open while testing so that a misconfiguration cannot lock you out of sudo.
Once the command succeeds with your token, change the word sufficient to required on the line above and remove the word debug. This makes the token mandatory for authentication and drops the verbose debug logging.
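Before switching the control flag to required, it is worth running a short pre-flight check. The script below is an added example (not from the original guide): it validates a pam_u2f mapping file (one valid mapping per line, an existing user, mode 600) and reports whether a pam.d file wires pam_u2f as required, sufficient or not at all. File paths are arguments so it can be run against copies; the mapping it constructs uses fake credential strings.

```shell
#!/bin/bash
# Pre-flight check for the pam_u2f setup above (added example, not from the original guide).
# Run it before changing "sufficient" to "required": an unreadable or malformed authfile,
# or a typo in the pam.d line, would otherwise lock every user out of sudo.

# A pam_u2f authfile line is "user:keyhandle,publickey[:keyhandle,publickey...]".
check_mapping_line() {
    local line="$1" user="${1%%:*}" creds="${1#*:}" cred
    [ -n "$user" ] && [ "$user" != "$line" ] && [ -n "$creds" ] || return 1
    id -u "$user" >/dev/null 2>&1 || return 1            # mapped user must exist
    local IFS=':'
    for cred in $creds; do
        case "$cred" in *,*) ;; *) return 1 ;; esac      # needs key handle AND public key
    done
}

# File must be mode 600 and contain at least one valid mapping. sudo invokes pam_u2f
# as root, so root-only access suffices; confirm the owner with authfile_owner.
check_authfile() {
    local file="$1" line n=0
    [ -f "$file" ] && [ "$(stat -c %a "$file")" = "600" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        check_mapping_line "$line" || return 1
        n=$((n + 1))
    done < "$file"
    [ "$n" -gt 0 ]
}
authfile_owner() { stat -c %U "$1"; }   # expect "root" for /etc/u2f_mappings

# Report how pam_u2f is wired in a pam.d file: "required", "sufficient" or "missing".
pam_u2f_control() {
    local ctl
    ctl=$(grep -E '^auth[[:space:]]+(required|sufficient)[[:space:]]+pam_u2f\.so' "$1" 2>/dev/null |
          awk 'NR == 1 { print $2 }')
    echo "${ctl:-missing}"
}
# Constructed sample (fake credential strings, not real key material) to exercise the checks.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'root:FAKEKEYHANDLE0001,FAKEPUBLICKEY0001\n' > "$dir/u2f_mappings"
    chmod 600 "$dir/u2f_mappings"
    printf 'auth sufficient pam_u2f.so authfile=%s debug cue\n' "$dir/u2f_mappings" > "$dir/sudo"
    check_authfile "$dir/u2f_mappings" && echo "authfile ok, owner $(authfile_owner "$dir/u2f_mappings")"
    echo "pam_u2f control flag: $(pam_u2f_control "$dir/sudo")"   # sufficient: not yet enforced
    rm -rf "$dir"
}
```

Run `demo` to see the checks on the constructed sample, or call `check_authfile /etc/u2f_mappings` and `pam_u2f_control /etc/pam.d/sudo` against the real files.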
For a technical overview of the U2F protocol and its authentication mechanisms, take a look at the FIDO presentation here: https://www.slideshare.net/FIDOAlliance/fido-u2f-specifications-overview-tutorial