How to Securely Login on Linux Using ATKey and PAM

Hardware-based authentication is the gold standard for protecting your digital life, and for Linux users, the ATKey.Pro is a game-changer. In this guide, we’re going to walk through how to enroll your ATKey.Pro on a Linux machine by leveraging the power of the libpam-u2f library.

At the end of the article you will find a video tutorial illustrating the whole process.

What is ATKey.Pro?

Think of the ATKey.Pro as a physical fortress for your digital identity. The ATKey.Pro is a FIDO2-certified security key that features a built-in fingerprint sensor. Unlike standard security keys that just require a touch, the ATKey.Pro uses biometrics to ensure that the person holding the key is actually you. It’s compact and replaces the need for "something you know" (a password) with "something you are" (your fingerprint).

What is PAM?

To get your ATKey.Pro working with your Linux operating system, we have to talk to the "gatekeeper": PAM, or Pluggable Authentication Modules. PAM is the underlying framework that handles all authentication tasks on your system, from logging into the console to verifying your identity for administrative tasks. The libpam-u2f library specifically handles authentication through the Universal 2nd Factor (U2F) open standard and lets us teach PAM to recognize and trust your ATKey.Pro as a valid credential.

Step by Step Installation Process

In the steps below, we will install the necessary libraries, link your biometric profile to your Linux user account, and configure the system to demand a fingerprint tap before granting access. By the end of this tutorial, your Linux machine will be significantly more secure and, surprisingly, much more convenient to use.

Let’s get started by prepping your terminal.

Step 1 - Install libpam-u2f

Check whether libu2f-udev is installed by running

$ dpkg -s libu2f-udev
If it is not present, install it with the command

$ sudo apt install libu2f-udev

Once libu2f-udev is installed, get libpam-u2f using

$ sudo apt-get install libpam-u2f

Step 2 - Create a Backup User

Before using the PAM module, create a new user in the sudo group with a password, and keep that password in a secure place as a backup in case your ATKey is broken or lost.

See this tutorial for details: How To Create a New Sudo-enabled User on Ubuntu 20.04 [Quickstart]

Step 3 - Register your ATKey to your account through PAM

Now that we have the PAM module installed, it's time to add your ATKey to your Ubuntu account.

Create the configuration folder for the keys storage with the command

$ mkdir ~/.config/Yubico

The PAM module comes with a configuration tool that creates the key entries in the configuration file for your ATKeys. Simply plug your ATKey into a USB port and then run the following command in a terminal:

$ pamu2fcfg > ~/.config/Yubico/u2f_keys

When your ATKey begins flashing, touch the key to confirm the registration.

WARNING: It is highly recommended to register additional ATKeys or other backup security keys in case this ATKey is broken or lost. To register an additional key, use this command:

$ pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

The inclusion of “>>” will append the new registration, rather than overwrite the previous one.
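A quick way to confirm that the registration (and the appended backup key) actually landed in the mapping file is to count the credentials per user. The script below is an added example, not part of the original tutorial; it assumes the pamu2fcfg line format `<user>:<credential>:<credential>...`, where each credential is a comma-separated list (key handle, public key, and in newer pamu2fcfg versions the COSE type and options).

```shell
#!/bin/sh
# Added example (not from the original tutorial): inspect a libpam-u2f
# mapping file such as ~/.config/Yubico/u2f_keys and report how many
# credentials each user has registered.

# Print the number of credentials registered for user $2 in mapping file $1.
# Prints 0 when the file is unreadable or the user has no line in it.
count_u2f_credentials() {
    file="$1"; user="$2"
    [ -r "$file" ] || { echo 0; return; }
    awk -F: -v u="$user" '
        $1 == u {
            # fields 2..NF are credentials; ignore empty trailing fields
            n = 0
            for (i = 2; i <= NF; i++) if ($i != "") n++
            print n; found = 1; exit
        }
        END { if (!found) print 0 }
    ' "$file"
}

# Count lines whose username field is empty. A credential that ended up on
# its own line without a username cannot be matched to any account, so it
# does not help you log in.
count_orphan_lines() {
    [ -r "$1" ] || { echo 0; return; }
    awk -F: '$1 == "" && NF > 1 { n++ } END { print n + 0 }' "$1"
}

# Exit status 0 when user $2 has at least two credentials in file $1 (the
# primary key plus the backup the tutorial recommends), 1 otherwise.
has_backup_key() {
    n=$(count_u2f_credentials "$1" "$2")
    [ "$n" -ge 2 ]
}

# Usage on the real file:
#   has_backup_key "$HOME/.config/Yubico/u2f_keys" "$USER" && echo "backup key present"
```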

Step 4 - Use ATKey through PAM

Now that your ATKey is registered on your machine you can establish rules for when it will be required to use it for user verification. The two most common cases are when the user attempts a sudo command and at login. We will explain how to set your system for both cases.

Associate the PAM module with sudo command

WARNING: Once you modify the /etc/pam.d/sudo file to associate the PAM module with the sudo command, you can only change this configuration again by verifying with one of your registered ATKeys through PAM.

Change the PAM config file for sudo:

(The example uses vim editor)

$ sudo vim /etc/pam.d/sudo

Find the line “@include common-auth”, and below add:

auth       required   pam_u2f.so

Save and now your machine will require the user to verify themselves through the ATKey anytime they perform a sudo command.

WARNING: If the ATKey is not inserted into the USB port before you run the sudo command, authentication will fail after the password is entered. If it is inserted, it will start flashing and you will have about 10 seconds to touch your ATKey.

Associate the PAM module for login

Let's now see how to have your system prompt for user verification through your ATKey at login. As before, we will need to modify the PAM config file.

First, we need to open the file:
(The example uses vim editor)

$ sudo vim /etc/pam.d/gdm-password

Find the line “@include common-auth” and below add:

auth required pam_u2f.so

Save and at your next login the system will require you to verify through your ATKey to access.

WARNING: The ATKey must be inserted before typing the password or the login will fail. Once you have typed your password, the ATKey LED will flash and you will have 10 seconds to press the fingerprint scanner to complete the login.
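Because both edits above lock you out if the line is missing or misplaced, it is worth checking the service file before you close your current session. The script below is an added example, not part of the original tutorial; it takes the PAM service file path as an argument (so you can try it on a constructed copy first) and checks that the pam_u2f.so auth line sits below "@include common-auth", as the tutorial instructs for both /etc/pam.d/sudo and /etc/pam.d/gdm-password.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the pam_u2f.so
# line in a PAM service file is present and placed where the tutorial
# says, i.e. after the "@include common-auth" line.

# Exit 0 when $1 contains an "auth ... pam_u2f.so" line that appears after
# "@include common-auth"; exit 1 when the file is unreadable, the line is
# missing, or it is placed above common-auth.
pam_u2f_line_ok() {
    [ -r "$1" ] || return 1
    awk '
        /^@include[ \t]+common-auth/ { common = NR }
        /^auth[ \t]+/ && /pam_u2f\.so/ && common && NR > common { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Print the control flag (for example "required") of the first pam_u2f.so
# auth line in $1, or nothing when there is none.
pam_u2f_control() {
    [ -r "$1" ] || return 1
    awk '/^auth[ \t]+/ && /pam_u2f\.so/ { print $2; exit }' "$1"
}

# Usage on the real files:
#   for f in /etc/pam.d/sudo /etc/pam.d/gdm-password; do
#       pam_u2f_line_ok "$f" && echo "$f: ok ($(pam_u2f_control "$f"))" || echo "$f: NOT configured"
#   done
```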

If you have any doubt or issues during the configuration process don’t hesitate to reach out to us.

Davide Demarchi

Davide is an expert B2B Content Marketer. He spent his career creating compelling content for websites, blogs, and social media.
