@midwire
Last active June 15, 2021 05:12
[Optional Yubikey Auth For Sudo] #yubikey #auth #linux

https://askubuntu.com/questions/1167691/passwordless-login-with-yubikey-5-nfc

Here is my approach:

To enable passwordless sudo with the YubiKey, do the following:

sudo apt-get install libpam-u2f
# Open terminal
# Insert yubikey
pamu2fcfg | sudo tee /etc/u2f_mappings
# Press yubikey button

For All (common) Auth

sudo vi /etc/pam.d/common-auth
# Insert the following line before any other entries in that file:
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

For Sudo Only

Configure only sudo to use the key when available (and the password otherwise) by editing the following file:

sudo vi /etc/pam.d/sudo

Add the auth line before the @include:

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
@include common-auth

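To use the YubiKey as a second factor in addition to your password, edit /etc/pam.d/sudo in the following way:

@include common-auth
auth required pam_u2f.so authfile=/etc/u2f_mappings cue

Here the auth line comes after the @include and uses required instead of sufficient. PAM ignores the failure of a sufficient module, so a sufficient line placed after the password check would let the password alone succeed and the key would never be enforced.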
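To confirm which behaviour a PAM file actually gives after editing, the following added example (not part of the original gist) classifies a file by the control keyword and position of its pam_u2f.so line. The function name, result labels and sample files are assumptions made for illustration; only plain control keywords are interpreted.

```shell
#!/bin/sh
# Added example (not from the original gist): report how a PAM file uses pam_u2f.so.
# Only plain control keywords are interpreted; bracketed [..] controls give "unknown".
classify_pam_u2f() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        $1 == "auth" && $0 ~ /pam_u2f\.so/ {           # first pam_u2f auth line
            if (!u2f) { u2f = NR; ctl = $2 }
            next
        }
        # first password step: another auth module or the common-auth include
        ($1 == "auth" || ($1 == "@include" && $2 == "common-auth")) && !pw { pw = NR }
        END {
            if (!u2f)                                          print "absent"
            else if (ctl == "required" || ctl == "requisite")  print "second-factor"
            else if (ctl == "sufficient" && (!pw || u2f < pw)) print "passwordless"
            else if (ctl == "sufficient" || ctl == "optional") print "not-enforced"
            else                                               print "unknown"
        }
    ' "$1"
}

# Constructed sample files (hypothetical names), written to a temp directory.
demo_dir=$(mktemp -d)
u2f_args='pam_u2f.so authfile=/etc/u2f_mappings cue'
printf 'auth sufficient %s\n@include common-auth\n' "$u2f_args" > "$demo_dir/key_or_password"
printf '@include common-auth\nauth required %s\n'   "$u2f_args" > "$demo_dir/key_and_password"
printf '@include common-auth\nauth sufficient %s\n' "$u2f_args" > "$demo_dir/sufficient_after"

for f in key_or_password key_and_password sufficient_after; do
    printf '%-18s %s\n' "$f" "$(classify_pam_u2f "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Run it against /etc/pam.d/sudo from a second root shell that stays open while you test, so a mistake in the PAM file cannot lock you out of sudo.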
