Introduction
Today, Fedora offers multiple ways to improve the secure authentication of our user accounts. Of course it has the familiar user name and password to login. It also offers additional authentication options such as biometric, fingerprint, smart card, one-time password, and even challenge-response authentication.
Each authentication method has clear pros and cons. That, in itself, could be a topic for a rather lengthy article. Fedora Magazine has covered a few of these options previously:
One of the most secure methods in modern Fedora releases is offline hardware challenge-response. It’s also one of the easiest to deploy. Here’s how.
Challenge-response authentication
Technically, when you provide a password, you’re responding to a user name challenge. The offline challenge response covered here requires your user name first. Next, Fedora challenges you to provide an encrypted physical hardware token. The token responds to the challenge with another encrypted key it stores via the Pluggable Authentication Modules (PAM) framework. Finally, Fedora prompts you for the password. This prevents someone from just using a found hardware token, or just using a user name and password without the correct encrypted key.
This means that in addition to your user name and password, you must have previously registered one or more encrypted hardware tokens with the OS. And you have to provide that physical hardware token to be able to authenticate with your user name.
Some challenge-response methods, like one time passwords (OTP), take an encrypted code key on the hardware token, and pass that key across the network to a remote authentication server. The server then tells Fedora’s PAM framework if it’s is a valid token for that user name. This is great if the authentication server(s) are on the local network. The downside is if the network connection is down or you’re working remote without a network connection, you can’t use this remote authentication method. You could be locked out of the system until you can connect through the network to the server.
Sometimes a workplace requires use of Yubikey One Time Passwords (OTP) configuration. However, on home or personal systems you may prefer a local challenge-response configuration. Everything is local, and the method requires no remote network calls. The following process works on Fedora 27, 28, and 29.
Preparation
Hardware token keys
First you need a secure hardware token key. Specifically, this process requires a Yubikey 4, Yubikey NEO, or a recently released Yubikey 5 series device which also supports FIDO2. You should purchase two of them to provide a backup in case one becomes lost or damaged. You can use these keys on numerous workstations. The simpler FIDO or FIDO U2F only versions don’t work for this process, but are great for online services that use FIDO.
Backup, backup, and backup
Next, make a backup of all your important data. You may want to test the configuration in a Fedora 27/28/29 cloned VM to make sure you understand the process before setting up your personal workstation.
Updating and installing
Now make sure Fedora is up to date. Then install the required Fedora Yubikey packages via these dnf commands:
$ sudo dnf upgrade $ sudo dnf install ykclient* ykpers* pam_yubico* $ cd
If you’re in a VM environment, such as Virtual Box, make sure the Yubikey device is inserted in a USB port, and enable USB access to the Yubikey in the VM control.
Configuring Yubikey
Verify that your user account has access to the USB Yubikey:
$ ykinfo -v version: 3.5.0
If the YubiKey is not detected, the following error message appears:
Yubikey core error: no yubikey present
Next, initialize each of your new Yubikeys with the following ykpersonalize command. This sets up the Yubikey configuration slot 2 with a Challenge Response using the HMAC-SHA1 algorithm, even with less than 64 characters. If you have already setup your Yubikeys for challenge-response, you don’t need to run ykpersonalize again.
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Some users leave the YubiKey in their workstation while using it, and even use challenge-response for virtual machines. However, for more security you may prefer to manually trigger the Yubikey to respond to challenge.
To add that manual challenge button trigger, add the -ochal-btn-trig flag. This flag causes the Yubikey to flash the yubikey LED on a request. It waits for you to press the button on the hardware key area within 15 seconds to produce the response key.
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
Do this for each of your new hardware keys, only once per key. Once you have programmed your keys, store the Yubikey configuration to ~/.yubico with the following command:
$ ykpamcfg -2 -v debug: util.c:222 (check_firmware_version): YubiKey Firmware version: 4.3.4 Sending 63 bytes HMAC challenge to slot 2 Sending 63 bytes HMAC challenge to slot 2 Stored initial challenge and expected response in '/home/chuckfinley/.yubico/challenge-9992567'.
If you are setting up multiple keys for backup purposes, configure all the keys the same, and store each key’s challenge-response using the ykpamcfg utility. If you run the command ykpersonalize on an existing registered key, you must store the configuration again.
Configuring /etc/pam.d/sudo
Now to verify this configuration worked, in the same terminal window you’ll setup sudo to require the use of the Yubikey challenge-response. Insert the following line into the /etc/pam.d/sudo file:
auth required pam_yubico.so mode=challenge-response
Insert the above auth line into the file above the auth include system-auth line. Then save the file and exit the editor. In a default Fedora 29 setup, /etc/pam.d/sudo should now look like this:
#%PAM-1.0 auth required pam_yubico.so mode=challenge-response auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so session include system-auth
Keep this original terminal window open, and test by opening another new terminal window. In the new terminal window type:
$ sudo echo testing
You should notice the LED blinking on the key. Tap the Yubikey button and you should see a prompt for your sudo password. After you enter your password, you should see “testing” echoed in the terminal screen.
Now test to ensure a correct failure. Start another terminal window and remove the Yubikey from the USB port. Verify that sudo no longer works without the Yubikey with this command:
$ sudo echo testing fail
You should immediately be prompted for the sudo password. Even if you enter the password, it should fail.
Configuring Gnome Desktop Manager
Once your testing is complete, now you can add challenge-response support for the graphical login. Re-insert your Yubikey into the USB port. Next you’ll add the following line to the /etc/pam.d/gdm-password file:
auth required pam_yubico.so mode=challenge-response
Open a terminal window, and issue the following command. You can use another editor if desired:
$ sudo vi /etc/pam.d/gdm-password
You should see the yubikey LED blinking. Press the yubikey button, then enter the password at the prompt.
Modify the /etc/pam.d/gdm-password file to add the new auth line above the existing line auth substack password-auth. The top of the file should now look like this:
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so auth required pam_yubico.so mode=challenge-response auth substack password-auth auth optional pam_gnome_keyring.so auth include postlogin account required pam_nologin.so
Save the changes and exit the editor. If you use vi, the key sequence is to hit the Esc key, then type wq! at the prompt to save and exit.
Conclusion
Now log out of GNOME. With the Yubikey inserted into the USB port, click on your user name in the graphical login. The Yubikey LED begins to flash. Touch the button, and you will be prompted for your password.
If you lose the Yubikey, you can still use the secondary backup Yubikey in addition to your set password. You can also add additional Yubikey configurations to your user account.
If someone gains access to your password, they still can’t login without your physical hardware Yubikey. Congratulations! You’ve now dramatically increased the security of your workstation login.
wk
While I appreciate the nuts and bolts of establishing such authentication, it would help me dramatically to grasp the details if there were a higher level description of what is going on.
AquaL1te
When you do this I assume you also have to lock down the TTY’s, otherwise you can still circumvent the 2FA if you have obtained a user’s password.
nabooengineer
If you wish to add the challenge-response to the virtual console logins, add the following line to /etc/pam.d/login immediately after #%PAM-1.0 :
auth required pam_yubico.so mode=challenge-response
The top of the /etc/pam.d/login file should now look like:
#%PAM-1.0
auth required pam_yubico.so mode=challenge-response
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
…
AquaL1te
I prefer to use U2F for this, then you don’t have to spend one of your 2 slots for this. I disabled the TTY’s as a whole.
Blake
Hey,
Great write up! I think you may have meant FIDO2 in reference to the Yubikey 5 in the hardware token keys paragraph.
Thanks again for the article ????
nabooengineer
Good catch Blake! You are correct that should read FIDO2.
Edgar Hoch
“If someone gains access to your password, they still can’t login without your physical hardware Yubikey. Congratulations! You’ve now dramatically increased the security of your workstation login.”
I think this is not true. There are still other access options that are not protected by Yubikey. ssh, text console for example.
nabooengineer
Hi Edgar, you are correct. I should have explained that additional items can be further secured or even disabled; like the virtual consoles and ssh. If readers are interested, I can discuss with the editors and pitch a part 2 of the article.
Stuart D Gathman
My favorite “hardware device” is a sheet of paper with one time passwords as a second factor. Is there a Fedora how to on setting that up? … both printing the sheet and configuring pam to consult the list and check them off when used.
cmurf
Or even Grid Multifactor, and then in effect it’s an unlimited list.
Vlad Klevtsov
In the Updating and installing section:
$ sudo dnf upgrade
$ sudo dnf install ykclient* ykpers* pam_yubico*
$ cd
What is with the last “cd” command? Where was it supposed to change directory, or it was unnecessary?
Michael
without a parameter set your current working directory to
Bruno Vernay
It would be kool to support the OpenSource Solo Key too https://www.kickstarter.com/projects/conorpatrick/solo-the-first-open-source-fido2-security-key-usb
james miller
The opensource solo key was funded to the tune of $123 thousand in 20 minutes… I suspect we will see it soon… lol.
However, one still has to purchase a key. I have been thinking about writing a python program to interact with dbus to run when a usb key is plugged in that retrieves and displays your generated password when plugged in, which you can then type directly or copy and paste (if secure). That would allow any usb key to be used, although not quite as securely. The app could then generate and store passwords that are complex hex or hash type keys that are more secure than standard passwords and that can be renewed automatically at time intervals if necessary. This way the user wouldn’t have to rely on memory.
It might require that the user plugin their key each time, and there would have to be a udev rule installed on the computer, or however windows manages things (a batch file?), but it might complement a two factor authentication process that uses solo or yubikey.
eddycaban3
Great to see that the project is still active!