#!/usr/bin/env bash
# NOTE: This will not unlock your Gnome Keyring / KDE Wallet after login.
# See:
# https://unix.stackexchange.com/questions/551021/how-to-unlock-gnome-keyring-after-passwordless-login-with-solokey-yubiko
# https://github.com/recolic/gnome-keyring-yubikey-unlock
#
# NOTE: For 1Password one still needs this (system authentication), and it
# only works if the main password has been provided after each reboot or cache timeout.
# https://support.1password.com/system-authentication-linux/
# Or Fido2 can be used as a 2nd factor
# https://www.token2.com/site/page/securing-1password-account-with-token2-fido-security-keys
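# Wait until an authenticator is plugged in.  `fido2-token -L` prints one
# line per attached device (each containing "product=...") and nothing when
# no device is attached.  The original `while ... | grep product` looped while
# a device WAS present, the opposite of what the message below says.
if ! command -v fido2-token >/dev/null 2>&1; then
  printf '%s\n' "fido2-token not found; install the libfido2 tools first." >&2
  exit 1
fi
until fido2-token -L | grep -q product; do
  # Diagnostics go to stderr so they never end up in captured output.
  printf '%s\n' "No authenticator device found. Make sure you connect it first!" >&2
  sleep 5
done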
# NOTE: In some tutorials the pam_u2f is explicitly configured with `authfile=/etc/u2f_mappings`
# here we go with the second default instead; see [man 8 pam_u2f](
# https://manpages.ubuntu.com/manpages/resolute/man8/pam_u2f.8.html)
# ```
# defaults to $XDG_CONFIG_HOME/Yubico/u2f_keys. If $XDG_CONFIG_HOME is not set,
# $HOME/.config/Yubico/u2f_keys is used
# ```
#
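# pam_u2f's default authfile honours $XDG_CONFIG_HOME (see the man page
# excerpt above), so build the path the same way instead of hard-coding
# ~/.config; both agree whenever XDG_CONFIG_HOME is unset.
u2f_dir="${XDG_CONFIG_HOME:-${HOME}/.config}/Yubico"
u2f_keys="${u2f_dir}/u2f_keys"
mkdir -p -- "${u2f_dir}"
chmod 700 -- "${u2f_dir}"
# Enrol into a temporary file first: redirecting pamu2fcfg straight into
# u2f_keys truncates the file before the tool even runs, so a failed or
# aborted enrolment (wrong PIN, no touch) would leave an empty authfile
# behind.  mktemp creates the file with mode 0600.
tmp_keys="$(mktemp "${u2f_dir}/u2f_keys.XXXXXX")" || exit 1
if ! pamu2fcfg --pin-verification --username="${USER:-$(id -un)}" >"${tmp_keys}"; then
  rm -f -- "${tmp_keys}"
  printf '%s\n' "pamu2fcfg failed; ${u2f_keys} was not changed." >&2
  exit 1
fi
# pamu2fcfg prints a single `username:...` line and, as the format notes
# below explain, a username may appear only once per file, so this replaces
# the mapping rather than appending to it.  Keep the previous file so keys
# it held can be merged back by hand.
if [[ -s "${u2f_keys}" ]]; then
  cp -p -- "${u2f_keys}" "${u2f_keys}.bak"
  printf '%s\n' "Previous mapping saved as ${u2f_keys}.bak" >&2
fi
chmod 600 -- "${tmp_keys}"
mv -f -- "${tmp_keys}" "${u2f_keys}"
# NOTE(review): because this authfile lives under $HOME it is writable by
# the user, so anything running as that user can enrol additional keys; the
# root-owned /etc/u2f_mappings variant mentioned above trades that
# convenience for a mapping only root can change.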
# NOTE: The format is incompletely documented in most howtos and even in the manpage
# https://manpages.ubuntu.com/manpages/resolute/man8/pam_u2f.8.html
# `authfile=file` section
# 1. You can only use the same `username` once per file!
# 2. The suffix `,es256,+presence+pin` comes after each key!
# `username:keyHandle1,public_key1,es256,+presence+pin:keyHandle2,public_key2,es256,+presence+pin`
# So if you add more keys, then you have to manually edit `~/.config/Yubico/u2f_keys`
#
# Authselect
# As of Fedora 40+ `local` should be the new default profile
# based on the former `minimal` replacing `sssd`.
# https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/
#
# [Authselect](https://github.com/authselect/authselect)
# will manage the `/etc/pam.d/system-auth` symlink to `/etc/authselect/system-auth`,
# and as long as the unmanaged files /etc/pam.d/{login,sudo,gdm-password}
# have the `auth include system-auth` as the first line,
# the managed configuration will have the highest precedence.
#
# Keep in mind that authselect has some current open-issue limitations,
# which require manual workarounds
# for example fingerprint might have higher priority than FIDO:
# https://github.com/authselect/authselect/issues/335
# ending up also requiring the fingerprint despite FIDO being plugged in.
#
# For debugging you can also manually edit the `/etc/authselect/system-auth`
# look for the line
# `auth sufficient pam_u2f.so cue`
# and change it to:
# `auth sufficient pam_u2f.so debug cue`
#
# Check if we have the needed features in the `local` profile
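# The grep alone only printed its result; treat a missing feature as fatal
# so that `authselect select` below is never run against a profile that
# cannot provide pam_u2f.
if ! authselect list-features local | grep -q -- with-pam-u2f; then
  printf '%s\n' "authselect profile 'local' does not offer with-pam-u2f" >&2
  exit 1
fi
# Show what is active before changing it.  Keep a second, already
# authenticated root shell open until a fresh login has been verified:
# a PAM mistake here can lock you out.
authselect current
# `select` sets the profile's feature list to exactly what is given here,
# so any feature that is currently enabled (e.g. with-fingerprint) must be
# repeated on this line or it is dropped.  authselect also refuses to
# overwrite a manually edited PAM configuration unless --force is given;
# inspect what it reports before resorting to that.
sudo authselect select local with-pam-u2f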
# Alternative (avoid if you can): disable authselect and edit the PAM config files manually
#
#sudo touch /etc/u2f_mappings
#sudo chmod 600 /etc/u2f_mappings
#
#for i in /etc/pam.d/login /etc/pam.d/sudo; do
#echo '
##%PAM-1.0 [0/165]
#auth sufficient pam_u2f.so cue pinverification=always
#auth required pam_unix.so
#account include system-auth
#password include system-auth
#session optional pam_keyinit.so revoke
#session required pam_limits.so
#session include system-auth
#' | sudo tee "${i}"
#done
#
#
#echo '
#auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always
#auth include postlogin
#
#account required pam_nologin.so
#account include password-auth
#
#password substack password-auth
#-password optional pam_gnome_keyring.so use_authtok
#
#session required pam_selinux.so close
#session required pam_loginuid.so
#session required pam_selinux.so open
#session optional pam_keyinit.so force revoke
#session required pam_namespace.so
#session include password-auth
#session optional pam_gnome_keyring.so auto_start
#session include postlogin
#' | sudo tee /etc/pam.d/gdm-password