In this step-by-step guide, you will learn how to configure two-factor authentication (2FA) or password-less authentication on a Debian Linux system using a Yubikey. We will walk you through the steps to set up and install the required components, configure the Yubikey, and enable 2FA or password-less authentication for your user account. By the end of this tutorial, you will have a secure and convenient authentication mechanism for your Debian Linux system.
If you prefer watching videos over reading posts, you can follow me on my YouTube channel. Here’s the link to the video:
➡️ Step 1: Install the required software
Open a Terminal and run the commands below:
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo apt update && sudo apt upgrade -y
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo apt install libpam-u2f -y
➡️ Step 2: Associating the YubiKey(s) With Your Account
2.1. Your Terminal should still be open; if not, open it.
2.2. Insert your YubiKey and run the command below:
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ mkdir -p ~/.config/Yubico
2.3. Associate your YubiKey's U2F credential with your account by running the command below:
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ pamu2fcfg > ~/.config/Yubico/u2f_keys
When your YubiKey begins flashing, tap the key to confirm the association.
2.4. Associate an additional (backup) YubiKey by running the command below (note the -n flag and the >> append):
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
When your YubiKey begins flashing, tap the key to confirm the association.
⚠️ Warning: Having a backup YubiKey is strongly recommended so that if your device is lost or broken, you will not be locked out of your computer.
➡️ Step 3: Enable sudo 2FA or passwordless login
⚠️ This step shows you how to enable sudo 2FA or passwordless login with the YubiKey before enabling it for system authentication, so that a mistake does not lock you out of your computer.
3.1. Your Terminal should still be open; if not, open it.
3.2. Edit /etc/pam.d/sudo using the nano text editor:
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo nano /etc/pam.d/sudo
Choose only step 3.2.a or 3.2.b, but not both.
3.2.a. 2FA authentication (⚠️ requires both Password + YubiKey)
Add the line below after the “@include common-auth” line.
auth required pam_u2f.so cue [cue_prompt="Tap the YubiKey to authenticate"]
Sample Terminal output:
#%PAM-1.0
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
@include common-auth
auth required pam_u2f.so cue [cue_prompt="Tap the YubiKey to authentica>
@include common-account
@include common-session-noninteractive
^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute
^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify
Press Ctrl+X and then Enter to save the file.
3.2.b. Passwordless login (requires only the YubiKey)
Add the line below before the “@include common-auth” line.
auth sufficient pam_u2f.so cue [cue_prompt="Tap the YubiKey to authenticate"]
Sample Terminal output:
#%PAM-1.0
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
auth sufficient pam_u2f.so cue [cue_prompt="Tap the YubiKey to authe>
@include common-auth
@include common-account
@include common-session-noninteractive
^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute
^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify
Press Ctrl+X and then Enter to save the file. You can still log in with your password even if the YubiKey is not inserted.
➡️ Step 4: Test sudo login 2FA with YubiKey ⚠️
4.1. Remove the YubiKey
4.2. Open a new Terminal
Run the command below:
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo echo test
Even with the correct password, the authentication should fail as the YubiKey is not plugged in. If the authentication succeeds without the YubiKey, that indicates the Yubico PAM module was not installed or there is a typo in the changes you made to /etc/pam.d/sudo.
Insert your YubiKey and repeat step 4.2.
If the password was accepted and you were prompted to tap the YubiKey this time, you have configured the YubiKey and the system correctly and can continue to the next section to require the YubiKey for login.
To disable sudo login with the YubiKey, remove the line you added in step 3.2.a or 3.2.b.
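As an added check that is not part of the original post: a small shell script that inspects a PAM file edited in step 3.2 (or 5.2) and reports whether the pam_u2f.so line sits on the correct side of "@include common-auth" for its control flag (required after it for 2FA, sufficient before it for passwordless) and whether its cue_prompt quotes are balanced, plus a count of the keys in ~/.config/Yubico/u2f_keys so you can confirm the backup key from step 2.4 was registered. The sample files and key values it writes are constructed, not real credentials.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks to run right after
# editing /etc/pam.d/sudo or /etc/pam.d/lightdm and before you log out.
# check_pam_u2f FILE       -> 0 when the pam_u2f.so auth line sits on the right
#   side of "@include common-auth" for its control flag (required: after, for
#   2FA; sufficient: before, for passwordless) and its cue_prompt quotes balance.
# count_u2f_keys FILE USER -> number of keys registered for USER (2+ = backup).

check_pam_u2f() {
    f="$1"
    # first uncommented auth line that loads pam_u2f.so, as "LINENO:text"
    hit=$(grep -n '^[[:space:]]*auth[[:space:]].*pam_u2f\.so' "$f" | head -n 1)
    [ -n "$hit" ] || { echo "$f: no pam_u2f.so auth line found"; return 1; }
    u2f_no=${hit%%:*}
    flag=$(printf '%s\n' "${hit#*:}" | awk '{ print $2 }')
    inc_no=$(grep -n '^@include[[:space:]]*common-auth' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$inc_no" ] || { echo "$f: no @include common-auth line"; return 1; }
    case "$flag" in
        required)   [ "$u2f_no" -gt "$inc_no" ] ||
            { echo "$f: 'required' must come after @include common-auth"; return 1; } ;;
        sufficient) [ "$u2f_no" -lt "$inc_no" ] ||
            { echo "$f: 'sufficient' must come before @include common-auth"; return 1; } ;;
        *) echo "$f: unexpected control flag '$flag'"; return 1 ;;
    esac
    quotes=$(printf '%s\n' "$hit" | awk -F'"' '{ print NF - 1 }')
    [ $((quotes % 2)) -eq 0 ] || { echo "$f: unbalanced quote in cue_prompt"; return 1; }
    echo "$f: ok ($flag)"
}

count_u2f_keys() {
    # pamu2fcfg writes "user:handle,pubkey,es256,+presence" with no newline,
    # so each "pamu2fcfg -n >>" appends ":handle,pubkey,..." to the same line.
    awk -F: -v u="$2" '$1 == u { print NF - 1; found = 1 } END { if (!found) print 0 }' "$1"
}

# Constructed sample files (not real credentials) so the script runs stand-alone.
write_samples() {
    d=$(mktemp -d)
    printf '@include common-auth\nauth required pam_u2f.so cue [cue_prompt=Tap the YubiKey]\n' > "$d/sudo.2fa"
    printf 'auth sufficient pam_u2f.so cue [cue_prompt=Tap the YubiKey]\n@include common-auth\n' > "$d/sudo.pwless"
    printf '@include common-auth\nauth required pam_u2f.so cue [cue_prompt="Tap the YubiKey]\n' > "$d/sudo.typo"
    printf 'alice:AAAA,BBBB,es256,+presence:CCCC,DDDD,es256,+presence' > "$d/u2f_keys"
    echo "$d"
}

S=$(write_samples)
for f in sudo.2fa sudo.pwless sudo.typo; do check_pam_u2f "$S/$f" || echo "  -> rejected"; done
echo "alice has $(count_u2f_keys "$S/u2f_keys" alice) registered key(s)"
```

On a real system run it as `check_pam_u2f /etc/pam.d/sudo` and `count_u2f_keys ~/.config/Yubico/u2f_keys "$USER"` before closing your current session.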
⚠️ DO NOT CONTINUE TO STEP 5 IF YOU DIDN’T RUN THE 2FA TEST!!!
➡️ Step 5: Enable system login 2FA or Passwordless with YubiKey
5.1. Open Terminal
5.2. Edit the LightDM PAM configuration by running the command below:
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ sudo nano /etc/pam.d/lightdm
5.2.a. 2FA authentication (requires both Password + YubiKey)
Add the line below after the “@include common-auth” line.
auth required pam_u2f.so cue [cue_prompt="Tap the YubiKey to authenticate"]
Sample Terminal output:
GNU nano 7.2 /etc/pam.d/lightdm
#%PAM-1.0
# Block login if they are globally disabled
auth requisite pam_nologin.so
# Load environment from /etc/environment and ~/.pam_environment
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth required pam_u2f.so cue [cue_prompt="Tap the YubiKey to authenti>
-auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute ^C Location
^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify ^/ Go To Line
Press Ctrl+X and then Enter to save the file. You can't log in with your password alone if the YubiKey is not inserted.
5.2.b. Passwordless login (requires only the YubiKey)
Add the line below before the “@include common-auth” line (as in step 3.2.b and in the sample output that follows).
auth sufficient pam_u2f.so cue [cue_prompt="Tap the YubiKey to authenticate"]
Sample Terminal output:
GNU nano 7.2 /etc/pam.d/lightdm
#%PAM-1.0
# Block login if they are globally disabled
auth requisite pam_nologin.so
# Load environment from /etc/environment and ~/.pam_environment
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_u2f.so cue [cue_prompt="Tap the YubiKey to authenti>
@include common-auth
-auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute ^C Location
^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify ^/ Go To Line
Press Ctrl+X and then Enter to save the file. You can still log in with your password even if the YubiKey is not inserted.
➡️ Should you find this tutorial helpful, we kindly request that you consider supporting our channel by subscribing to our YouTube channel or using the affiliated links and URL shortener links provided below. Through your purchase using any of the given links, we will receive a small commission, which we will use to expand our channel and enhance our services. We appreciate your support, and we remain committed to providing you with quality content.
⚠️ FTC Disclaimer: https://sysadmin102.com/disclaimer-ftc-affiliate-disclaimer/
♡ Ways to support: https://sysadmin102.com/ways-to-support-my-channel/
🌐 Website: https://sysadmin102.com/
✉️ Business Inquiry: service@sysadmin102.com
© SYSADMIN102™ LLC