common: Add pam-u2f authentication method #89

Open
JGoutin opened this issue May 9, 2024 · 0 comments
Labels: enhancement (New feature or request), feature (New feature), security (Related to security hardening)
JGoutin commented May 9, 2024

Local authentication

sudo dnf install -y pamu2fcfg pam-u2f
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
sudo authselect enable-feature with-pam-u2f

pamu2fcfg package is required only for configuration.

To use the YubiKey as MFA instead of passwordless auth: use with-pam-u2f-2fa instead of with-pam-u2f with authselect.

SSH authentication

Client side

Generate and enroll key in Yubikey:

ssh-keygen -t ed25519-sk

Server side:

Edit /etc/ssh/sshd_config and restart sshd service:

PubkeyAcceptedKeyTypes [email protected],[email protected]

(Check whether [email protected] is required with an ed25519-sk key?)

Add the public key generated by ssh-keygen to the SSH authorized_keys file as normal.

Login

Load the key in the SSH agent before login (it will ask you to tap the YubiKey):

ssh-add id_ed25519_sk
ssh user@ip

Role changes

Local authentication:

  • Install pam-u2f
  • Configure ~/.config/Yubico/u2f_keys with content passed by argument (or generated in the role?)
  • Configure authselect

SSH authentication:

  • Configure sshd_config accepted key types? Maybe already OK.
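
The local-authentication role step writes ~/.config/Yubico/u2f_keys from a supplied value, so the file is worth checking before with-pam-u2f is enabled. The following is an added example, not part of the issue or of the project's role: the function name check_u2f_keys and its exit codes are hypothetical, the line format is assumed from the pam-u2f documentation, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check of a pam-u2f mapping file.
# Assumed line format (pam-u2f documentation):
#   user:KeyHandle,UserKey[,CoseType,Options][:KeyHandle,UserKey,...]
# Exit codes (hypothetical): 0 ok, 1 bad content, 2 unreadable, 3 loose mode.

check_u2f_keys() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # This file decides which authenticators can log the user in, so only
    # its owner may be able to write to it (GNU stat, as shipped on Fedora).
    mode=$(stat -c '%a' "$file") || return 2
    case $mode in
        *[2367]?|*[2367])
            echo "group- or world-writable: mode $mode" >&2
            return 3 ;;
    esac

    awk -F: '
        /^[ \t]*$/ { next }                            # ignore blank lines
        NF < 2 || $1 == "" {
            printf "line %d: expected user:credential\n", NR; bad = 1; next
        }
        {
            # pam-u2f expects a single line per user.
            if (seen[$1]++) { printf "line %d: duplicate user\n", NR; bad = 1 }
            for (i = 2; i <= NF; i++) {
                # Old format has 2 fields per credential, current format 4.
                n = split($i, f, ",")
                if ((n != 2 && n != 4) || f[1] == "" || f[2] == "") {
                    printf "line %d: malformed credential %d\n", NR, i - 1
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    ' "$file" >&2
}

# Constructed sample with placeholder values, not real credentials.
demo=$(mktemp)
printf '%s\n' 'alice:KH1,PK1,es256,+presence:KH2,PK2,eddsa,+presence' > "$demo"
if check_u2f_keys "$demo"; then echo "u2f_keys OK"; fi
rm -f "$demo"
```

Running the check before `authselect enable-feature` matters most in the passwordless (with-pam-u2f) setup, where a truncated or empty mapping is the only thing standing between the user and a working login.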