
common: Add pam-u2f authentication method #89

Open
@JGoutin


Local authentication

sudo dnf install -y pamu2fcfg pam-u2f
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
sudo authselect enable-feature with-pam-u2f

The pamu2fcfg package is required only for configuration.

To use the YubiKey as MFA instead of passwordless auth: use with-pam-u2f-2fa instead of with-pam-u2f with authselect.

SSH authentication

Client side

Generate and enroll the key in the YubiKey:

ssh-keygen -t ed25519-sk

Server side:

Edit /etc/ssh/sshd_config and restart the sshd service:

PubkeyAcceptedKeyTypes [email protected],[email protected]

(Check if [email protected] required with ed25519-sk key ?)

Add the public key generated by ssh-keygen to the SSH authorized_keys file as normal.

Login

Load the key in the SSH agent before login (will ask to tap the YubiKey):

ssh-add id_ed25519_sk
ssh user@ip

Role changes

Local authentication:

  • Install pam-u2f
  • Configure ~/.config/Yubico/u2f_keys with content passed by argument (or generated in the role?)
  • Configure authselect

SSH authentication:

  • Configure sshd_config accepted key types? Maybe already OK.
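
A check that could run after ~/.config/Yubico/u2f_keys is written, as an added example that is not part of the original issue: with the passwordless with-pam-u2f feature this file alone decides which keys may log in, so the script verifies that it is not group- or world-writable and that the user has at least one well-formed credential. It assumes the pam-u2f authfile line format `user:keyHandle,publicKey[,type,options]` with further credentials separated by `:`; the function names and return codes are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a pam-u2f authfile such as ~/.config/Yubico/u2f_keys.
# Assumed line format: user:keyHandle,publicKey[,type,options][:keyHandle,...]

# Succeeds only if FILE is a regular file with no group/other write bit.
u2f_mode_ok() {
    [ -n "$(find "$1" -type f ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Prints the number of well-formed credentials for USER in FILE.
# Exits non-zero if one of USER's credentials lacks a key handle or public key.
u2f_count_keys() {
    awk -F: -v user="$2" '
        $1 == user {
            for (i = 2; i <= NF; i++) {
                n = split($i, field, ",")
                if (n < 2 || field[1] == "" || field[2] == "") { bad = 1 }
                else { count++ }
            }
        }
        END { print count + 0; exit bad + 0 }
    ' "$1"
}

# Return codes: 0 ok, 2 missing file, 3 unsafe file, 4 malformed, 5 no key.
u2f_audit() {
    file=$1
    user=$2
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    u2f_mode_ok "$file" || { echo "unsafe mode or not a regular file: $file"; return 3; }
    n=$(u2f_count_keys "$file" "$user") || { echo "malformed entry for $user"; return 4; }
    [ "$n" -gt 0 ] || { echo "no credential enrolled for $user"; return 5; }
    echo "ok: $n credential(s) for $user"
}

# Usage: sh u2f_audit.sh ~/.config/Yubico/u2f_keys "$USER"
if [ "$#" -eq 2 ]; then
    u2f_audit "$1" "$2"
fi
```

Running it before `authselect enable-feature` is applied catches an empty or malformed mapping while password login still works.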

Labels: enhancement, feature, security
