#177 How to use U2F hardware tokens with Fedora Linux
Closed: published 2 years ago by rlengland. Opened 2 years ago by w4tsn.

As a follow-up article on the YubiKey one I propose an article on general U2F based smartcards. I've already included this topic slightly in an update to the Fedora Quick-Docs and I'll also propose a distinct Quick-Docs page for this topic all together.

The neat thing about the pam_u2f approach is that it works with all FIDO2 keys such as YubiKey 5+, NitroKey 2/3 and SoloKey v2. It is also much more straightforward to set up than the special YubiKey pam module (which however supports some older YubiKeys that the u2f module does not).

This will also make use of authselect in a basic way, as with authselect PAM configuration is very easy.


If this will be using authselect, should it be scheduled after #176, and should #176 be part of the series including this article and #128?

Metadata Update from @rlengland:
- Issue assigned to w4tsn
- Issue tagged with: article, needs-image, needs-series

2 years ago

authselect is certainly a dependency and hence related with this topic, but it is not solely something interesting for u2f. Also the use of authselect for this use case is basically a one-liner and uses the default packaged configuration. I don't think an in-depth knowledge of authselect is necessary to understand how to use it for this use case.

I think this one, #128 and the fido2/u2f part of #178 would all fit into a security key series with room for more :)

@w4tsn Have you had an opportunity to work on this article? Good follow-on to the one on Yubikey.

I already have a pretty alpha draft on my blog git, but I was quite occupied the last couple of weeks. (https://git.221b.uk/w4tsn/blog/-/blob/main/_drafts/en/u2f-security-tokens-as-factor-in-linux-authentication.md)

I secured myself a couple of long weekends in the coming months so I'm sure I'll get something together soonish :)

Metadata Update from @w4tsn:
- Custom field preview-link adjusted to https://fedoramagazine.org/?p=38200&preview=1&_ppp=7df9da50ea

2 years ago

FYI, someone just reported hitting a problem with pam_u2f when they upgraded their system from Fedora Linux 37 to 38.

https://discussion.fedoraproject.org/t/login-with-u2f-yubikey-not-working-for-login-on-fedora-38/81676

They might have found a "gotcha" that would be worth mentioning in your article. 🙂

Thanks for mentioning!

This does not happen when using authselect's sssd profile to configure pam-u2f btw.

My guess is that something was changed in the pam login flow for gdm, which now is loading the password module before reaching /etc/pam.d/login. But I'd have to take a closer look at the chain in F38 to be sure.

I started working on this and the current draft with the major contents is already on WordPress. I still want to integrate some requested content from people on Mastodon and a theory section about FIDO2 / U2F.

BTW, I just noticed something that might be a small problem in your previous YubiKey article. In the "For YubiKey as alternative / sufficient factor" section, you show adding "auth include yubikey-sufficient" to the services before the call "auth include system-auth". But since yubikey-sufficient will stop further processing of the auth stack on success, the "auth required pam_env.so" line in system-auth will not be executed. I think this may prevent /etc/environment from being processed. Most people probably don't put anything in /etc/environment anyway. But those who do might be left wondering why their environment variables are not being set.

The article is ready for review: https://fedoramagazine.org/?p=38200&preview=1&_ppp=b6e74de566

Currently the article is solely about PAM (console and GDM login, sudo). U2F does also work for OpenSSH and LUKS (which I already implemented and wrote about), but I'm thinking of featuring this in upcoming articles instead of cramming that into this one. From what I hear on Mastodon the interest in those topics is high though.

BTW, I just noticed something that might be a small problem in your previous YubiKey article. In the "For YubiKey as alternative / sufficient factor" section, you show adding "auth include yubikey-sufficient" to the services before the call "auth include system-auth". But since yubikey-sufficient will stop further processing of the auth stack on success, the "auth required pam_env.so" line in system-auth will not be executed.

Thanks for pointing that out! I'd have to review the whole PAM stack to find a better location for this include.

I think most people should use the pam_u2f and authselect method from this article, except for when your key (e.g. older yubikeys) does not support U2F. This method does not have this problem as it uses the neatly engineered and streamlined sssd profile.

For all users using the YubiKey pam_yubico approach we should probably revise that in the existing article though.

... I'd have to review the whole PAM stack to find a better location for this include. ...

Yeah. Unfortunately, I don't see an "easy" fix for it.

FWIW, I think you'd have to alter password-auth and system-auth so that they start with something similar to the following (substituting login with whatever service name is wanted).

auth     required   pam_env.so
auth     [success=ignore default=1] pam_succeed_if.so service in login quiet
auth     sufficient pam_yubico.so mode=challenge-response
...

But then, you wouldn't want to alter those files directly because the next use of authselect would overwrite them. I guess you'd have to provide a custom authselect profile.
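To make the ordering problem glb describes concrete, here is a toy evaluator for a flattened Linux-PAM auth stack, added to this thread as an illustration (it is not code from the article, PAM or authselect). The stacks it models are simplified constructions: the "before" ordering includes yubikey-sufficient ahead of system-auth, the "after" ordering puts pam_env.so first and gates pam_yubico.so behind pam_succeed_if as suggested above; module verdicts are supplied as a dictionary instead of real hardware.

```python
"""Toy evaluator for a flattened Linux-PAM auth stack (constructed illustration,
not code from the article, PAM or authselect). It shows why a sufficient line
included before system-auth skips pam_env.so on key success."""

# Stack lines are (control, module, args); "include" pulls in another stack.
STACKS = {
    "system-auth": [("required", "pam_env.so", ""),
                    ("sufficient", "pam_unix.so", ""),
                    ("required", "pam_deny.so", "")],
    "yubikey-sufficient": [("sufficient", "pam_yubico.so", "mode=challenge-response")],
    # Ordering from the earlier YubiKey article, as described in this thread.
    "login-before": [("include", "yubikey-sufficient", ""),
                     ("include", "system-auth", "")],
    # Ordering suggested above: pam_env first, then a service-gated key check.
    "login-after": [("required", "pam_env.so", ""),
                    ("[success=ignore default=1]", "pam_succeed_if.so", "service in login quiet"),
                    ("sufficient", "pam_yubico.so", "mode=challenge-response"),
                    ("sufficient", "pam_unix.so", ""),
                    ("required", "pam_deny.so", "")],
}

def flatten(name):
    """Expand 'include' lines as PAM does: included lines join the caller's stack."""
    out = []
    for control, module, args in STACKS[name]:
        out += flatten(module) if control == "include" else [(control, module, args)]
    return out

def run_module(module, args, service, results):
    """Module verdict: pam_succeed_if compares the service name; others come from `results`."""
    if module == "pam_succeed_if.so":
        return args.split("service in", 1)[1].split()[0] == service
    return results.get(module, False)

def authenticate(stack_name, service, results):
    """Return (authenticated, modules that actually ran) for one login attempt."""
    lines, ran, failed_required, i = flatten(stack_name), [], False, 0
    while i < len(lines):
        control, module, args = lines[i]
        ok = run_module(module, args, service, results)
        ran.append(module)
        if control == "sufficient" and ok and not failed_required:
            return True, ran  # a sufficient success ends the stack right here
        if control == "required" and not ok:
            failed_required = True
        if control.startswith("[") and not ok:  # [success=ignore default=N]
            i += int(control.split("default=")[1].rstrip("]"))  # skip N lines
        i += 1
    return not failed_required, ran
```

With the key present, `authenticate("login-before", "login", ...)` succeeds without ever running pam_env.so, while the "after" ordering runs pam_env.so first and still falls through to pam_unix.so for services other than login.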

This shouldn't be much of a problem after I worked on #176 :)

This shouldn't be much of a problem after I worked on #176 :)

Oh. I hadn't noticed that one. That might make a convenient way to "fix" your existing YubiKey article. Once you have #176 done, we could just add a footnote to the current YubiKey article saying something like "For a better way to do this, see the article on how to create a custom authselect profile". You could then detail this exact problem and solution in your authselect article.

Metadata Update from @glb:
- Custom field editor adjusted to glb
- Custom field publish adjusted to 2023-05-05

2 years ago

Metadata Update from @glb:
- Custom field publish adjusted to 2023-05-08 (was: 2023-05-05)

2 years ago

Metadata Update from @glb:
- Custom field publish adjusted to 2023-05-10 (was: 2023-05-08)

2 years ago

@glb Suggestion: use the background from 3 March for this article and change the text? yubikey.svg in the repo

Suggestion: use the background from 3 March for this article and change the text? yubikey.svg in the repo

+1

Metadata Update from @glb:
- Custom field image-editor adjusted to rlengland

2 years ago

Metadata Update from @rlengland:
- Issue untagged with: needs-image

2 years ago

Hey @w4tsn : I found the following statement a little vague. Can you state more clearly whether U2F can be used as a lone authentication factor?

It might confuse that in this case U2F can be used as a sole authentication factor.

Made some minor "last-minute" adjustments :)

The biggest change is the addition of a case study and research paper by Google, in the "Security implications" section, showing the benefits of using security keys.

Hey @w4tsn : I found the following statement a little vague. Can you state more clearly whether U2F can be used as a lone authentication factor?

Just saw your comment. I'll fix that real quick

I changed the sentence to "While FIDO U2F is not strictly designed for password-less authentication, PAM itself supports this without the need for the full FIDO2 standard."

Thanks. I'll make an editing pass shortly. I'll leave a note here when I'm done and then you can make any final adjustments you like before it is published on Wednesday.

@w4tsn : I have done the editing pass on this article. You can now make any final changes you want and then I will schedule this to go out on the 10th.

Thanks!

Metadata Update from @glb:
- Issue untagged with: needs-series

2 years ago

Issue status updated to: Closed (was: Open)
Issue close_status updated to: published

2 years ago
