Enable 2-Factor Authentication (2FA) or Passwordless on Kali Linux with the Yubikey

In this post, I will show you how to enable 2FA or passwordless authentication on Kali Linux with the YubiKey. Kali is Debian-based, so the same steps work on Debian.

➡️ If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or by using the Amazon/eBay/ClouDNS affiliate links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:

🚀 Things I used for my server: https://amzn.to/3hudohP

🚀 Tools I used: https://amzn.to/3uXaSUr

🚀 Devices I used: https://amzn.to/3FYlfxk

🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0

🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ

🧧 PayPal Donation: https://www.paypal.com/paypalme/sysadmin102

If you don’t like reading posts like I do, you can follow along on my YouTube Channel. Below is the video:

 ➡️ Step 1: Install the required software

Open Terminal and run the commands below. The libpam-u2f package provides both the pam_u2f.so PAM module and the pamu2fcfg tool used to register keys:

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo apt update && sudo apt upgrade -y

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo apt install libpam-u2f -y

 ➡️ Step 2: Associating the YubiKey(s) With Your Account

2.1. Your Terminal should be opened, if not open your Terminal.

2.2. Insert your YubiKey and run the below command:

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ mkdir -p ~/.config/Yubico

2.3. Associate the YubiKey with your account by running the command below. pamu2fcfg prints a mapping line for the current user, and ~/.config/Yubico/u2f_keys is the location pam_u2f reads by default, so no extra module option is needed later:

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ pamu2fcfg > ~/.config/Yubico/u2f_keys

When your YubiKey begins flashing, tap the key to confirm the association.

2.4. Associate an additional (backup) YubiKey by running the command below. The -n flag omits the username prefix and >> appends, so the second credential is added to the existing line instead of starting a new one:

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

When your YubiKey begins flashing, tap the key to confirm the association.

⚠️ Warning: Having a backup YubiKey is strongly recommended so that if your device is lost or broken, you will not be locked out of your computer.
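As an added example (not part of the original post), the POSIX shell function below checks that a u2f_keys file has the shape pamu2fcfg writes, so a copy-and-paste slip in step 2.3 or 2.4 is caught before PAM depends on the file. The line layout it checks is the one documented for pam_u2f; the function name and the sample file contents are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: validate a pam_u2f
# mapping file such as ~/.config/Yubico/u2f_keys.
#
# pamu2fcfg writes one line per user:
#     username:credential[:credential...]
# Each credential is a comma-separated list. Older pam_u2f releases wrote
# two fields (key handle, public key); current releases write four (key
# handle, public key, COSE algorithm such as es256, options such as
# +presence). The key handle is base64 and the public key is hex. The
# check accepts both layouts and rejects anything else.
#
# Returns 0 when every non-empty line is well formed, 1 otherwise.

check_u2f_keys() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk -F: '
        function bad(msg) {
            printf "%s:%d: %s\n", FILENAME, FNR, msg > "/dev/stderr"
            errors++
        }
        NF == 0 { next }                        # blank line
        $1 == "" || NF < 2 { bad("expected username:credential"); next }
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, f, ",")
                if (n != 2 && n != 4) { bad("credential " (i-1) ": " n " fields"); next }
                for (j = 1; j <= n; j++)
                    if (f[j] == "") { bad("credential " (i-1) ": empty field"); next }
                if (f[1] !~ /^[A-Za-z0-9+\/=_-]+$/) { bad("credential " (i-1) ": key handle is not base64"); next }
                if (f[2] !~ /^[0-9a-fA-F]+$/) { bad("credential " (i-1) ": public key is not hex"); next }
            }
            ok++
        }
        END {
            if (errors) exit 1
            if (!ok) { print FILENAME ": no credentials found" > "/dev/stderr"; exit 1 }
        }
    ' "$1"
}
```

Source the file and run check_u2f_keys ~/.config/Yubico/u2f_keys after step 2.4: a backup key registered with -n must appear as a second ':'-separated credential on the same username line, and a stray newline, quote or missing field shows up as a diagnostic with the line number.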

➡️ Step 3: Enable sudo 2FA or passwordless login

⚠️ This step enables YubiKey 2FA or passwordless authentication for sudo only, before you touch the system login, so that a mistake cannot lock you out of the computer. Keep a second terminal with a root shell open (sudo -i) until the test in Step 4 passes; from there you can still revert /etc/pam.d/sudo if something went wrong.

3.1. Your Terminal should be opened, if not open your Terminal.

3.2. Edit /etc/pam.d/sudo using the nano text editor:

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo nano /etc/pam.d/sudo

Choose only step 3.2.a or 3.2.b, but not both.

3.2.a. 2FA authentication (⚠️ requires both Password + YubiKey)

Add the line below the “@include common-auth” line. With required, a failed or missing YubiKey touch fails the whole stack even when the password was correct; because the line comes after common-auth, the password is asked for first and the touch second.

auth	required   pam_u2f.so cue [cue_prompt=Tap the YubiKey to authenticate]

There is deliberately no quote mark inside the brackets: PAM uses the square brackets, not quotes, to pass an argument that contains spaces, so a stray " would simply become part of the prompt text. The cue option makes pam_u2f print that prompt while it waits for the touch.
Sample Terminal output:
#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

@include common-auth
auth    required   pam_u2f.so cue [cue_prompt=Tap the YubiKey to authentica>
@include common-account
@include common-session-noninteractive



^G Help        ^O Write Out   ^W Where Is    ^K Cut         ^T Execute
^X Exit        ^R Read File   ^\ Replace     ^U Paste       ^J Justify

Press Ctrl+X and then Enter to save the file.

3.2.b. Passwordless login (only requires the YubiKey)

Add the line before the “@include common-auth” line. With sufficient, a successful touch ends the auth stack immediately, so the password is never asked for; if the key is absent or the touch fails, PAM ignores that failure and carries on to the password prompt in common-auth. The line must sit before common-auth: placed after it, pam_unix has already demanded the password, and the key becomes an optional extra instead of a replacement.

auth	sufficient	pam_u2f.so cue [cue_prompt=Tap the YubiKey to authenticate]
Sample Terminal output:
#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

auth    sufficient      pam_u2f.so cue [cue_prompt=Tap the YubiKey to authe>
@include common-auth
@include common-account
@include common-session-noninteractive



^G Help        ^O Write Out   ^W Where Is    ^K Cut         ^T Execute
^X Exit        ^R Read File   ^\ Replace     ^U Paste       ^J Justify

Press Ctrl+X and then Enter to save the file. You can still authenticate with the password if the YubiKey is not inserted. ⚠️ Be aware that ~/.config/Yubico/u2f_keys is writable by the user it belongs to: anyone who already has a shell as that user can register their own key there and then use sudo without ever knowing the password. If that matters to you, keep the mapping in a root-owned file instead (pam_u2f's authfile= option, with entries created by pamu2fcfg -u <username>).

➡️ Step 4: Test sudo authentication with the YubiKey ⚠️

4.1. Remove the YubiKey.

4.2. Open a new Terminal and run the command below. sudo -k first discards sudo's cached credentials; without it, a sudo you ran a few minutes ago could let the command through with no prompt at all and the test would prove nothing.

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo -k; sudo echo test

If you chose 3.2.a (2FA): even with the correct password, authentication should fail because the YubiKey is not plugged in. If it succeeds without the YubiKey, pam_u2f.so (from libpam-u2f) was not installed, the line you added has a typo, or its control flag is something other than required.

If you chose 3.2.b (passwordless): the password alone is still accepted here, which is expected; what you are checking is that the normal password prompt still works.

Insert your YubiKey and repeat step 4.2.

For 3.2.a you should be asked for the password and then prompted to tap the YubiKey; for 3.2.b the tap prompt should come first and, once you touch the key, sudo should run without asking for a password. If that is what you see, the YubiKey and the system are configured correctly and you can continue to the next section to require the YubiKey for login.

To disable sudo authentication with the YubiKey, remove the line you added in step 3.2.a or 3.2.b.

⚠️ DO NOT CONTINUE TO STEP 5 IF YOU DIDN’T RUN THE 2FA TEST!!!
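As an added example (not part of the original post), the shell function below checks a PAM service file for the mistakes the test above is meant to expose: a pam_u2f line that is missing, has the wrong control flag for the chosen mode, or, in passwordless mode, sits after "@include common-auth" where a failing sufficient entry is simply ignored. It reads /etc/pam.d/sudo or /etc/pam.d/lightdm as written in this post; the function name, the mode names and the sample files in the usage are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that the
# pam_u2f.so line in a PAM service file (e.g. /etc/pam.d/sudo or
# /etc/pam.d/lightdm) matches the mode you intended.
#
#   2fa           "auth required pam_u2f.so ..." must be present. Whether it
#                 sits before or after "@include common-auth" only changes
#                 which prompt comes first; a failed touch still fails the
#                 whole stack.
#   passwordless  "auth sufficient pam_u2f.so ..." must come BEFORE
#                 "@include common-auth". Placed after it, pam_unix has
#                 already demanded the password, and because a failing
#                 "sufficient" entry is ignored the key becomes optional
#                 rather than a replacement for the password.
#
# Prints the verdict and returns 0 on a match, 1 otherwise.

check_pam_u2f() {
    file=$1 mode=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # "<line number> <control flag>" of the first uncommented pam_u2f auth entry
    u2f=$(awk '!/^[[:space:]]*#/ && $1 == "auth" && $3 == "pam_u2f.so" { print NR, $2; exit }' "$file")
    # line number of the first uncommented "@include common-auth"
    inc=$(awk '!/^[[:space:]]*#/ && $1 == "@include" && $2 == "common-auth" { print NR; exit }' "$file")

    [ -n "$u2f" ] || { echo "$file: no 'auth <flag> pam_u2f.so' line found" >&2; return 1; }
    [ -n "$inc" ] || { echo "$file: no '@include common-auth' line found" >&2; return 1; }
    u2f_line=${u2f%% *} flag=${u2f#* }

    case $mode in
    2fa)
        [ "$flag" = required ] || {
            echo "$file:$u2f_line: 2FA needs 'required', found '$flag'" >&2; return 1; }
        ;;
    passwordless)
        [ "$flag" = sufficient ] || {
            echo "$file:$u2f_line: passwordless needs 'sufficient', found '$flag'" >&2; return 1; }
        [ "$u2f_line" -lt "$inc" ] || {
            echo "$file:$u2f_line: 'sufficient' pam_u2f.so must come before '@include common-auth' (line $inc)" >&2; return 1; }
        ;;
    *)
        echo "usage: check_pam_u2f FILE 2fa|passwordless" >&2; return 1 ;;
    esac

    # quotes are not special to PAM's parser: a '"' inside [...] ends up in the prompt
    if sed -n "${u2f_line}p" "$file" | grep -q '"'; then
        echo "$file:$u2f_line: warning: a '\"' inside cue_prompt will be shown literally" >&2
    fi
    echo "$file: OK for $mode (pam_u2f.so on line $u2f_line, common-auth on line $inc)"
}
```

Run it as check_pam_u2f /etc/pam.d/sudo 2fa or check_pam_u2f /etc/pam.d/sudo passwordless, matching the option you picked in step 3.2; the same call works for /etc/pam.d/lightdm in Step 5. It only inspects the first pam_u2f line it finds, which is all this post adds.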

➡️ Step 5: Enable system login 2FA or Passwordless with YubiKey

5.1. Open Terminal

5.2. Edit the PAM configuration of LightDM, the display manager behind the Kali login screen, by running the command below:

┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo nano /etc/pam.d/lightdm

5.2.a. 2FA authentication (required both Password + YubiKey)

Add the line below the “@include common-auth” line.

auth	required   pam_u2f.so cue [cue_prompt=Tap the YubiKey to authenticate]
Sample Terminal output:
GNU nano 7.2                   /etc/pam.d/lightdm                             
#%PAM-1.0

# Block login if they are globally disabled
auth      requisite pam_nologin.so

# Load environment from /etc/environment and ~/.pam_environment
session      required pam_env.so readenv=1
session      required pam_env.so readenv=1 envfile=/etc/default/locale

@include common-auth
auth    required      pam_u2f.so cue [cue_prompt=Tap the YubiKey to authenti>

-auth  optional pam_gnome_keyring.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any

^G Help      ^O Write Out ^W Where Is  ^K Cut       ^T Execute   ^C Location
^X Exit      ^R Read File ^\ Replace   ^U Paste     ^J Justify   ^/ Go To Line

Press Ctrl+X and then Enter to save the file. From now on you can't log in at the LightDM login screen with the password alone when the YubiKey is not inserted. Only LightDM is affected: console logins (/etc/pam.d/login) and SSH password logins (/etc/pam.d/sshd) use their own PAM files and still accept the password by itself unless you add the same line there.

5.2.b. Passwordless login (only required YubiKey)

Add the line before the “@include common-auth” line, exactly as in step 3.2.b: a sufficient entry placed after common-auth would leave the password mandatory and make the key optional.

auth	sufficient	pam_u2f.so cue [cue_prompt=Tap the YubiKey to authenticate]
Sample Terminal output:
  GNU nano 7.2                   /etc/pam.d/lightdm                             
#%PAM-1.0

# Block login if they are globally disabled
auth      requisite pam_nologin.so

# Load environment from /etc/environment and ~/.pam_environment
session      required pam_env.so readenv=1
session      required pam_env.so readenv=1 envfile=/etc/default/locale

auth    sufficient      pam_u2f.so cue [cue_prompt=Tap the YubiKey to authenti>
@include common-auth

-auth  optional pam_gnome_keyring.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any

^G Help      ^O Write Out ^W Where Is  ^K Cut       ^T Execute   ^C Location
^X Exit      ^R Read File ^\ Replace   ^U Paste     ^J Justify   ^/ Go To Line

Press Ctrl+X and then Enter to save the file. You can still log in with the password if the YubiKey is not inserted. ⚠️ In passwordless mode, possession of the YubiKey is the only thing standing between whoever holds it and your desktop session, so keep the key with you and treat its loss like a leaked password: remove its credential from u2f_keys straight away.

➡️ If you think this tutorial is helpful, please subscribe to my YouTube channel for more tutorials: https://www.youtube.com/@sysadmin102
