U2F and KDE/SDDM on Funtoo

U2F keys, such as the Yubico YubiKey, are a relatively easy and inexpensive way to add two-factor authentication to a workstation. Adding U2F authentication to local accounts on a Linux machine is quite easy. In Gentoo/Funtoo, the pam_u2f ebuild provides everything you need to get started.

Install pam_u2f

emerge -av pam_u2f

Once installed, the pamu2fcfg utility is used to register U2F keys for a user. By default, U2F key associations are stored under ~/.config/Yubico for each user (including root). They can also be stored centrally in /etc/u2f_mappings (see Yubico's pam-u2f documentation for the authfile option). Note the trade-off: a file under ~/.config is writable by the user, so anything running as that user can replace the registered key with one of its own, whereas /etc/u2f_mappings can be owned by root and read-only for everyone else. Make sure ~/.config/Yubico exists:

mkdir ~/.config/Yubico

Then, plug in your U2F key, and run the following:

pamu2fcfg -u USERNAME > ~/.config/Yubico/u2f_keys

To add a second key, note that the format of u2f_keys is one line per user:

USERNAME:KeyHandle1,UserKey1:KeyHandle2,UserKey2:…

while the output format of pamu2fcfg is:

USERNAME:KeyHandle,UserKey

So simply appending a second run's output to the file will not work: the file then contains two lines for the same user, and the last key entered will be the only one PAM accepts. You need to strip the USERNAME: prefix from the second line and join it to the first line with a colon. (pamu2fcfg's -n, or --nouser, option prints the registration without the username prefix for exactly this purpose.) Not that this is a difficult task, it is just annoying.
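As an added example (not from the original post, and not part of pam_u2f), here is a small POSIX shell helper that does the merge described above: it takes the existing u2f_keys line and a fresh pamu2fcfg line, checks that both belong to the same user and that the new line actually looks like a registration, and emits the combined single line. The key handles and public keys used in the demonstration are constructed placeholders (real ones are long base64url strings), and the file path is only an example.

```shell
#!/bin/sh
# merge_u2f_keys EXISTING NEW
#   EXISTING: the current single line from u2f_keys, "user:kh1,pk1[:kh2,pk2...]"
#   NEW:      the output of a fresh "pamu2fcfg -u user" run, "user:kh,pk"
# Prints the combined line in the one-line-per-user format pam_u2f expects,
# or fails (exit 1) if NEW does not look like a registration or the
# usernames differ. Anything after the first colon of NEW is kept as-is, so
# this also works if a newer pamu2fcfg prints extra comma-separated fields.
merge_u2f_keys() {
    existing="$1"
    new="$2"
    case "$new" in
        *:*,*) ;;   # looks like user:keyhandle,publickey
        *) echo "merge_u2f_keys: '$new' is not pamu2fcfg output" >&2; return 1 ;;
    esac
    if [ "${existing%%:*}" != "${new%%:*}" ]; then
        echo "merge_u2f_keys: username mismatch" >&2
        return 1
    fi
    # Join the new keyhandle,publickey pair to the existing line with the ':'
    # separator pam_u2f uses between keys.
    printf '%s:%s\n' "$existing" "${new#*:}"
}

# add_key_to_file FILE NEW
# Rewrites FILE (a u2f_keys file holding a single user line) with NEW merged
# in. Writes to a temporary file and renames it, so a failure never leaves an
# empty or half-written keys file behind, which would lock that user out.
add_key_to_file() {
    file="$1"
    new="$2"
    merged=$(merge_u2f_keys "$(cat "$file")" "$new") || return 1
    printf '%s\n' "$merged" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration with constructed placeholder values in a temporary file.
demo_file=$(mktemp)
printf 'alice:KH1,PK1\n' > "$demo_file"
add_key_to_file "$demo_file" 'alice:KH2,PK2'
cat "$demo_file"    # alice:KH1,PK1:KH2,PK2
rm -f "$demo_file"
```

On a real system the second argument would be the captured output of a second pamu2fcfg run with the second key plugged in, and the file would be ~/.config/Yubico/u2f_keys.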

Setup eudev Rules (yubikey)

For U2F to work with a YubiKey, you may need to grab some udev rules so that the key's HID device is accessible to your user. If you are using eudev, the default on Gentoo and Funtoo, run the following:

cd /etc/udev/rules.d/
wget https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-old-u2f.rules

Read the downloaded file before relying on it (it is configuration that udev applies as root, fetched over the network), then reload the rules with udevadm control --reload-rules && udevadm trigger, or simply unplug and re-plug the key.

Configuring PAM

Edit /etc/pam.d/system-local-login, adding the following after the existing auth include line:

auth required pam_u2f.so

PAM runs the auth modules in the order listed, so placing pam_u2f.so after the include means the key is checked after the password; placing it first would ask for the touch before the password prompt. Keep your current session (or a root shell) open while testing: with required, a wrong key or a broken u2f_keys file makes every local login fail until you fix or remove the line.

Now, test that your account and key are working: switch to a new virtual terminal (Ctrl + Alt + F4 from within X should work). Plug in your U2F key and log in with username and password. After entering your password, the light on your U2F key should start blinking; press the button. You should now be logged in.

Dealing with SDDM

SDDM (the login manager KDE uses) by default includes system-login rather than system-local-login. Edit /etc/pam.d/sddm, changing auth include system-login to auth include system-local-login. Failing to do this results in the KDE lock screen and terminal logins requiring U2F while the initial login via SDDM bypasses it, which defeats the purpose of having two-factor authentication. Verify the change by actually logging out and back in through SDDM, not only by reading the file: a service only requires the key if pam_u2f.so ends up in its own auth stack, directly or through the files it includes.

Dealing with su

Like SDDM, su has its own pam.d config file with its own set of rules, and does not automatically use U2F. Adding the following to /etc/pam.d/su enables U2F checking in su:

auth required pam_u2f.so

Note that the su file normally starts with auth sufficient pam_rootok.so, so root running su is not asked for a key; and, as with system-local-login, whether the new line goes before or after the auth include line determines whether the touch is requested before or after the password prompt.
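Both the SDDM and su gaps above have the same cause: each service in /etc/pam.d has its own auth stack, and pam_u2f.so only applies where it appears in that stack, directly or via include/substack lines. As an added example (not from the original post, and not a pam_u2f tool), here is a POSIX shell script that resolves a service's auth stack by following include and substack lines and reports whether pam_u2f.so is in it. It builds a constructed pam.d lookalike under a temporary directory that mirrors the "before" state described in the post (system-local-login has the module, sddm and su do not); the file contents are my assumption of a Gentoo-style pambase layout, not copied from the page. Set PAMDIR=/etc/pam.d to audit a real machine.

```shell
#!/bin/sh
# pam_u2f_audit: which PAM services actually require pam_u2f.so?
# PAMDIR defaults to a constructed example directory; point it at /etc/pam.d
# to audit a real machine (PAMDIR=/etc/pam.d ./pam_u2f_audit.sh is assumed usage).

# auth_stack SERVICE [DEPTH]
# Print "control module" for every auth line SERVICE resolves to, expanding
# "auth include X" and "auth substack X" recursively. DEPTH guards against
# include loops. Comments are stripped; bracketed controls such as
# "[success=1 default=ignore]" are skipped over so the module name is found.
auth_stack() {
    [ "${2:-0}" -gt 10 ] && return 0
    [ -r "$PAMDIR/$1" ] || return 0
    sed 's/#.*//' "$PAMDIR/$1" | awk '
        $1 == "auth" {
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /]$/) i++; i++ } else i = 3
            print $2, $i
        }' | while read -r ctrl module; do
        case "$ctrl" in
            include|substack) auth_stack "$module" $(( ${2:-0} + 1 )) ;;
            *) printf '%s %s\n' "$ctrl" "$module" ;;
        esac
    done
}

# has_u2f SERVICE: succeed (0) iff pam_u2f.so is somewhere in SERVICE's auth stack
has_u2f() {
    auth_stack "$1" | grep -q 'pam_u2f\.so'
}

# audit SERVICE...: one report line per service
audit() {
    for svc in "$@"; do
        if has_u2f "$svc"; then
            echo "$svc: pam_u2f present"
        else
            echo "$svc: NO pam_u2f (the second factor is bypassed via this service)"
        fi
    done
}

# setup_example: build a constructed pam.d directory (assumed Gentoo-style
# layout, not copied from any real system) reflecting the post's starting point:
# only system-local-login carries pam_u2f.so; sddm includes system-login and
# su includes system-auth, so neither ever reaches it.
setup_example() {
    PAMDIR=$(mktemp -d)
    printf 'auth required pam_unix.so try_first_pass\n' > "$PAMDIR/system-auth"
    printf 'auth include system-auth\n' > "$PAMDIR/system-login"
    printf 'auth include system-login\nauth required pam_u2f.so\n' > "$PAMDIR/system-local-login"
    printf 'auth include system-login\n' > "$PAMDIR/sddm"
    printf 'auth sufficient pam_rootok.so\nauth include system-auth\n' > "$PAMDIR/su"
}

# Stand-alone run: audit the constructed directory unless PAMDIR was given.
if [ -z "${PAMDIR:-}" ]; then
    setup_example
    audit system-local-login sddm su
    rm -rf "$PAMDIR"
fi
```

After applying the two edits from the text (sddm including system-local-login, and a pam_u2f.so line in su), re-running the audit should report all three services as present; any other service that still resolves only to system-login or system-auth remains a way around the second factor.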

Some Thoughts

While, strictly speaking, U2F does work with PAM, it is a little rough around the edges in some cases. The U2F keypress should be requested after the user enters the normal credentials (username and password). However, for su, the U2F keypress is requested before the password is entered. This is consistent with PAM stack order: if the pam_u2f.so line in /etc/pam.d/su sits above the line that pulls in the password module, it runs first, and moving it below that line gives the password-then-touch order. Everything else follows the standard flow of username and password first, then the U2F keypress.

Also of note, the user experience isn't the most polished yet for U2F in SDDM and the KDE lock screen. In neither case is there a prompt to insert the U2F key and press its button. If the key is inserted, the button will blink; otherwise the attempt just fails after a timeout. (For console logins, pam_u2f's cue option makes the module print a message asking for a touch; whether a graphical greeter displays such PAM messages depends on the greeter.)

Lastly, leaving the U2F key plugged in for an extended period may make the KDE lock screen unresponsive: typing a password shows nothing in the password field, yet the mouse still works. This unresponsiveness makes accidentally long-pressing the key's button easy. The workaround appears to be to plug the key in only when needed. One trick to keep in mind: even when the lock screen seems locked up, removing the U2F key usually resolves the issue within a few seconds. As of late this issue has not been occurring, which suggests it was fixed in a software update (which package was actually causing it has not been investigated).

-John Havlik

[end of transmission, stay tuned]
