@wyhasany
Last active November 23, 2022 18:27
Yubikey/Yubicom/Yubico login/lock/unlock screensaver, greeter, pantheon-greeter Elementary OS

Summary:

Requirements:

OS: Elementary OS 0.4.1 Loki (should work on other Debian-based distros too; remember to change the screensaver command, which may differ between distros)
Yubikey: Yubikey II

Description:

This is a short guide on how to get your Yubikey to work on Linux (Debian based), with the option to lock/unlock your screen using your Yubikey.

Features:

  • Login with Yubikey + password required
  • Screen unlocking by just inserting your Yubikey (only works after already being logged into the system)
  • Single udev rule to fire up a single script
  • No screen flickering when using sudo commands: the script checks whether the key is physically removed rather than reacting to a challenge-response trigger.
  • Using your Yubikey serial, which prevents other users from unlocking the system with their own Yubikey.

Prerequisites

First we have to configure the token for challenge-response. For this purpose install the package

sudo apt-get install yubikey-personalization-gui

Then follow the steps below, which are taken from the Yubico forum.

Tutorial:

Install the following packages:

sudo apt-get install libpam-yubico
sudo apt-get install yubikey-personalization

Execute the following commands for each user that should be able to log in (using the Yubikey + password combination):

mkdir ~/.yubico
ykpamcfg -2 -v

This should create a file in ~/.yubico/challenge-XXXXXX

Make sure you also do this for your root user!

sudo ykpamcfg -2 -v

DOUBLE CHECK THIS!

Edit your pam.d auth file: Backup your current common-auth file:

sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.BAK
sudo vi /etc/pam.d/common-auth

(Note: the file might be different when using another distro!)

My common-auth file:

# Use this to require both your password + Yubikey. You can comment this line out if you want to JUST use your Yubikey (NOT RECOMMENDED)
auth required pam_unix.so nullok_secure try_first_pass

# The line below is required to be able to use your Yubikey
auth   [success=1 new_authtok_reqd=ok default=die ignore=ignore]   pam_yubico.so mode=challenge-response

# Default rules
auth   requisite         pam_deny.so
auth   required         pam_permit.so
auth   optional         pam_ecryptfs.so unwrap
auth   optional         pam_cap.so

IMPORTANT:

Check if your Yubikey is working: open a new terminal shell and run:

sudo su -

Try executing this with and without the Yubikey inserted; when the Yubikey is removed you should NOT be able to log in! Only continue if this works. If it doesn't work, double-check your common-auth file before continuing.
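The two things the guide says to double-check (the challenge file in ~/.yubico and the ordering in common-auth) can be verified with a small script. This is an added helper, not part of the gist; it assumes the guide's layout (Debian-style /etc/pam.d/common-auth and ykpamcfg's ~/.yubico/challenge-* files) and a hypothetical script name of your choosing.

```shell
#!/bin/bash
# Added verification helper, not part of the gist: checks the two things the
# guide says to double-check before trusting the Yubikey for login/unlock.
# Assumes the guide's layout: Debian-style /etc/pam.d/common-auth and
# ykpamcfg's ~/.yubico/challenge-* files.

# Return 0 when FILE has an uncommented pam_yubico.so challenge-response line
# that comes BEFORE the first uncommented pam_deny.so line. pam_deny.so is
# "requisite", so a pam_yubico line placed after it is never consulted.
check_pam_order() {
  awk '/^[[:space:]]*#/ { next }                          # skip comments
       /pam_yubico\.so/ && /mode=challenge-response/ && !yk { yk = NR }
       /pam_deny\.so/ && !deny { deny = NR }
       END { exit !(yk && deny && yk < deny) }' "$1"
}

# Return 0 when DIR holds at least one challenge-* file and none of them is
# readable by group/other. The file holds the stored challenge and expected
# response for this user, so it must stay private to that user.
check_challenge_files() {
  local dir="$1" f found=0
  for f in "$dir"/challenge-*; do
    [ -f "$f" ] || continue          # unmatched glob: no files at all
    found=1
    # Columns 5-10 of the ls mode string are the group/other bits.
    case "$(ls -ld "$f" | cut -c5-10)" in
      ------) ;;
      *) echo "insecure permissions on $f" >&2; return 1 ;;
    esac
  done
  [ "$found" -eq 1 ]
}

# Run against the live system: ./check-yubikey-setup.sh --live
# (repeat as root to check /root/.yubico, which the guide also requires).
if [ "${1:-}" = "--live" ]; then
  check_pam_order /etc/pam.d/common-auth \
    && echo "common-auth: pam_yubico runs before pam_deny" \
    || echo "common-auth: pam_yubico line missing or after pam_deny"
  check_challenge_files "$HOME/.yubico" \
    && echo "$HOME/.yubico: challenge file present and private" \
    || echo "$HOME/.yubico: challenge file missing or readable by others"
fi
```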

Yubikey screen lock/unlock:

Create a udev rule to run a script if the Yubikey is inserted, changed or removed:

Get your Yubikey serial (to prevent other users from unlocking your screen):

udevadm monitor --environment --udev

Now insert or remove your Yubikey!

Look for a line like this:

ID_SERIAL_SHORT=0001711399

Copy or write your serial down! (Double-check your ID_MODEL_ID in the same output; this should be 0010 if you're using the same model as me.)

sudo vi /etc/udev/rules.d/85-yubikey.rules

(Double-check that 85 is the correct rule number for your distro.)

insert the following:

# Yubikey Udev Rule: running a bash script in case your Yubikey is inserted, removed or triggered by challenge-response
ACTION=="remove|add|change", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", ENV{ID_SERIAL_SHORT}=="0001711399", RUN+="/usr/local/bin/yubikey"

Change the following:

  • ENV{ID_SERIAL_SHORT}=="0001711399" with your own serial number found in the step above
  • ENV{ID_MODEL_ID}=="0010" with your model id

Now create the actual bash script:

sudo vi /usr/local/bin/yubikey

Insert the following code:

#!/bin/bash
# Double-check whether the Yubikey is actually gone: a challenge-response
# exchange (e.g. sudo) also fires the udev "change" event while the key is
# still plugged in, so lsusb decides instead of the event type.
USERNAME="wyhasany"
# Session id of this user's graphical session (session ids containing "c" here).
SESSION="$(loginctl list-sessions | grep -w "${USERNAME}" | grep c | awk '{ print $1 }' | head -n1)"

if [ -z "${SESSION}" ]; then
        logger "YubiKey script: no session found for ${USERNAME}"
        exit 0
fi

if ! lsusb | grep -qi "Yubikey"; then
        logger "YubiKey Removed or Changed"
        # Running the Pantheon screensaver lock command
        loginctl lock-session "${SESSION}"
else
        # Running the Pantheon screensaver unlock command
        logger "YubiKey Found, Unlocking screensaver"
        loginctl activate "${SESSION}"
        loginctl unlock-session "${SESSION}"
fi

Make sure you change your user name (mine is joost): USERNAME="YOURUSERNAME"

IMPORTANT: If you're using another distro or graphical Linux shell change the screensaver commands: "loginctl..."

Reload your Udev rules:

sudo udevadm control --reload-rules
sudo service udev reload

Now check if it's working (it should, if you followed the steps correctly!)

Based on Yubico forum
