Secure your Ubuntu Linux login using ATKeys

Here’s the simple guide to logging in to your personal Linux computer. Commands are mostly compatible with Ubuntu 20.04 LTS, but they should be also workable with some small modifications for other Linux distributions. Let’s see how to secure local Linux logins using the U2F feature on your ATKeys. Please see the video tutorial, you can set up your key with the steps in the video : )

 

 

 

1. Install libpam-u2f

   • Check whether libu2f-udev is installed by running dpkg -s libu2f-udev.If not, please install it by using  sudo apt install libu2f-udev .
   • Install libpam-u2f by using sudo apt-get install libpam-u2f.

2. Create a Backup User

   • Before using the PAM module, you can create a new user in sudo group, with a password and keep it in a secure place as a backup, in case your ATKey is broken or lost.
   • Check details from this tutorial: How To Create a New Sudo-enabled User on Ubuntu 20.04 [Quickstart]

3. Register your ATKey to your account through PAM

   Now that we have the PAM module installed, and it’s time to add your ATKey to your Ubuntu.

   • Create the configuration folder for the keys storage: mkdir ~/.config/Yubico
   • The PAM module comes with a configuration tool that can be used to create the keys-strings in the configuration for your ATKeys. Simply plugin your ATKey into the USB port and then in a terminal run the following command: pamu2fcfg > ~/.config/Yubico/u2f_keys
   • When your ATKey begins flashing, touch your key to confirm the registration.
   • Warning: It’s highly recommended to add more ATKeys or other back-up security keys to it in case of this ATKey is broken or lost, you should register additional keys with below different use this command: pamu2fcfg -n >> ~/.config/Yubico/u2f_keys ( >> means it will append, rather than overwrite to your previous registration.)

    

4. Modify system’s configurations: Use ATKey through PAM 

   1. 1. 1. Associate the PAM module to sudo command

            • Warning: Once you modify this /etc/pam.d/sudo file to associate PAM module with your sudo command, you can only modify this configuration setting again to remove it by verifying with your registered ATKeys through PAM. 
            • Change the PAM config file for sudo (The example uses vim editor):
              sudo vim /etc/pam.d/sudo
            • Find this line:

              @include common-auth

              and add the following line right below it then save the file:

              auth       required   pam_u2f.so

              After above steps, you have associated your sudo command with ATKey. Let’s have some test with: 

              sudo apt-get update

            •  Please note that if the ATKey is not inserted into the USB port first, then it will fail after the password is written. If it is inserted, it will start flashing and then you will have about 10 seconds to press your ATKey.

         2. Associate the PAM module for login

            • Let’s do the same association for desktop login, change PAM config file for this (The example uses vim editor)
              sudo vim /etc/pam.d/gdm-password

• • • • • Find this line:

          @include common-auth

          and add the following line right below it then save the file:

          auth       required   pam_u2f.so

        • After these steps, you can log out of the desktop and then try to log in again. As mentioned, if you do not have the ATKey inserted in the USB port, your login will fail. After you insert your password, the ATKey will flash and then you will need to press the key to log in to your desktop fully.

 

 

Hope you enjoy your ATKeys and feel free to reach us if you have any questions. We will introduce how to use and set up SSH in the next article, please stay tuned!

If you are interested in any of our ATKeys’ technical details, please feel free to contact us.