@jmlemetayer
Created January 10, 2018 08:10
Using Yubikey U2F on Debian 9 for authentication
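# /etc/udev/rules.d/45-yubikey.rules: run gnome-lock when USB device 1050:0407 (the Yubikey) is removed.
ACTION=="remove", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", RUN+="/usr/local/bin/gnome-lock"

#!/bin/sh
# /usr/local/bin/gnome-lock: lock the GNOME session on every local X display.
# Started by the udev rule above when the Yubikey is unplugged.
for file in /tmp/.X11-unix/*
do
	# Sockets are named X<n>; strip everything up to the last "X" to get <n>.
	display=${file##*X}
	# The owner of the X socket is the user running that display.
	user=$(/usr/bin/stat --format=%U "${file}")
	uid=$(/usr/bin/id --user "${user}")
	# Only act on displays that belong to a GDM session.
	if test -f "/run/user/${uid}/gdm/Xauthority"
	then
		DISPLAY=:${display} su "${user}" -c "/usr/bin/dbus-send \
			--type=method_call \
			--dest=org.gnome.ScreenSaver \
			/org/gnome/ScreenSaver \
			org.gnome.ScreenSaver.Lock"
	fi
done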
Using Yubikey U2F on Debian 9 for authentication

Prerequisites

Installation

U2F authentication

# Install the needed package.
sudo apt install libpam-u2f pamu2fcfg

# Configure U2F for the current user.
mkdir -p ${HOME}/.config/Yubico
# Your Yubikey must be inserted before running pamu2fcfg.
pamu2fcfg -u ${USER} > ${HOME}/.config/Yubico/u2f_keys # Then press the Yubikey button to continue.

# Configure PAM
echo "auth required pam_u2f.so" | sudo tee -a /etc/pam.d/common-auth

Reboot or logout to finish the setup.

Now, for every local authentication (console login, GUI login, sudo, desktop screen lock) you will need to use your Yubikey. Note that remote authentication (SSH logins) will not be impacted.
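
A read-only check of the setup above, as an added example that is not part of the original gist: it confirms that the mapping file written by pamu2fcfg has an entry for the user, that the file is not writable by group or other, and that an active pam_u2f.so auth line exists. The function names and the alice/bob sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for the pam_u2f setup described above.

# has_u2f_mapping FILE USER: FILE has a "USER:keyHandle,publicKey" entry.
has_u2f_mapping() {
	[ -r "$1" ] || return 1
	awk -F: -v u="$2" '$1 == u && $2 ~ /^[^,]+,[^,]+/ { ok = 1 }
		END { exit !ok }' "$1"
}

# not_writable_by_others FILE: neither group nor other may write FILE.
# Whoever can write the mapping can enrol a key for that user.
not_writable_by_others() {
	[ -e "$1" ] || return 1
	[ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# u2f_control FILE: print the control field ("required", "sufficient", ...)
# of the first active auth line that loads pam_u2f.so; fail if there is none.
# Bracketed controls such as [success=1 default=ignore] are not parsed.
u2f_control() {
	awk '$1 == "auth" && $0 ~ /pam_u2f\.so/ { print $2; found = 1; exit }
		END { exit !found }' "$1"
}

# check_u2f_setup USER KEYS_FILE PAM_FILE: report each finding and return
# the number of failed checks (0 means all passed).
check_u2f_setup() {
	fails=0
	has_u2f_mapping "$2" "$1" || { echo "no key registered for $1 in $2"; fails=$((fails + 1)); }
	not_writable_by_others "$2" || { echo "$2 missing or writable by group/other"; fails=$((fails + 1)); }
	control=$(u2f_control "$3") || { echo "no active pam_u2f.so auth line in $3"; fails=$((fails + 1)); }
	[ -z "$control" ] || echo "pam_u2f.so control in $3: $control"
	return "$fails"
}

# Constructed sample files (not real key material) so the script runs anywhere.
demo=$(mktemp -d)
printf 'alice:CONSTRUCTED_HANDLE,CONSTRUCTED_PUBKEY\n' > "$demo/u2f_keys"
chmod 600 "$demo/u2f_keys"
printf '# auth required pam_u2f.so\nauth required pam_u2f.so\n' > "$demo/common-auth"
check_u2f_setup alice "$demo/u2f_keys" "$demo/common-auth" || true
check_u2f_setup bob "$demo/u2f_keys" "$demo/common-auth" || true
rm -rf "$demo"
```

On a real system, call check_u2f_setup with "$USER", "$HOME/.config/Yubico/u2f_keys" and /etc/pam.d/common-auth, ideally from a root shell that stays open until a fresh login has been verified.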

Lock screen when the Yubikey is unplugged

# Install the provided files
wget -qO- https://gist.github.com/jmlemetayer/20e936a2ef4c7e10804a69fdacab9ca4/raw/45-yubikey.rules | sudo tee /etc/udev/rules.d/45-yubikey.rules
wget -qO- https://gist.github.com/jmlemetayer/20e936a2ef4c7e10804a69fdacab9ca4/raw/gnome-lock | sudo tee /usr/local/bin/gnome-lock
sudo chmod +x /usr/local/bin/gnome-lock

# Reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger

When logged in, just unplug your Yubikey to lock your screen.

Resources
