Using U2F for passwordless sudo

Now that I’ve got my SoloKeys working for website authentication, I’ve been looking at other things I can use them for.

Having to type my password every time I want to use sudo is tedious. I’m already logged in; all I really want to be sure of is that it’s me who initiated the privilege escalation. Being able to effectively press an OK button would give me all the security I desire.

If you feel the same way, you can use a U2F device for this.

In a terminal, install the prerequisites (you’ll have to type your password this time, I’m afraid):

> sudo apt install libpam-u2f pamu2fcfg

Plug in your U2F device and set it up:

> mkdir -p $HOME/.config/Yubico/
> pamu2fcfg > $HOME/.config/Yubico/u2f_keys

And press the button. If you have any more keys, you can add those too (note the -n and the >>):

> pamu2fcfg -n >> $HOME/.config/Yubico/u2f_keys

Now, edit the PAM configuration to permit U2F as a sudo option. Edit /etc/pam.d/sudo and add this line before @include common-auth:

auth sufficient pam_u2f.so

Why before? Because this line says that authenticating with U2F is sufficient to permit sudo. common-auth requires a password, so if that comes first you’ll be asked for a password.

Why sufficient? This way, it doesn’t break the existing password authentication for sudo, so you can still fall back to that if you don’t have the token with you.

Save the file (without exiting, in case you made a mistake!) and open a new terminal. Type sudo echo OK with your U2F key plugged in, and you can just press the button. Try it again in another new window without the key plugged in, and you’ll get the normal password prompt.
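As an added example (not from the post), here is a small POSIX shell script that checks the two things most likely to go wrong with this setup: that the pam_u2f line really does sit before @include common-auth in the sudo PAM file, and that the u2f_keys file holds exactly one line for the user with a key handle and public key in every credential. The file layout it assumes, user:keyhandle,pubkey[,options][:keyhandle,pubkey...], is taken from the pam_u2f documentation rather than this post, and the key handles and public keys in the constructed fixtures are placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for the two files this setup relies on.

# check_pam_order FILE -> 0 when the pam_u2f "sufficient" line comes before "@include common-auth".
check_pam_order() {
    # Ignore comment lines, then record the position of the first match of each pattern.
    u2f=$(grep -v '^[[:space:]]*#' "$1" | grep -nE 'auth[[:space:]]+sufficient[[:space:]]+pam_u2f\.so' | head -n1 | cut -d: -f1)
    common=$(grep -v '^[[:space:]]*#' "$1" | grep -nE '^@include[[:space:]]+common-auth' | head -n1 | cut -d: -f1)
    [ -n "$u2f" ] && [ -n "$common" ] && [ "$u2f" -lt "$common" ]
}

# check_u2f_keys FILE USER -> 0 when USER has exactly one line and every credential on it
# has both a key handle and a public key (assumed layout: user:kh,pk[,opts][:kh,pk...]).
check_u2f_keys() {
    [ "$(grep -c "^$2:" "$1")" -eq 1 ] || return 1
    line=$(grep "^$2:" "$1")
    creds=${line#"$2:"}
    # Credentials are ':'-separated; any one without a comma-separated second field is unusable.
    if printf '%s\n' "$creds" | tr ':' '\n' | grep -vqE '^[^,]+,[^,]+'; then
        return 1
    fi
    return 0
}

# write_samples DIR: constructed fixtures (KH*/PK* are placeholder key handles and public keys).
write_samples() {
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_u2f.so' '@include common-auth' > "$1/sudo.good"
    printf '%s\n' '#%PAM-1.0' '@include common-auth' 'auth sufficient pam_u2f.so' > "$1/sudo.bad"
    printf '%s\n' 'alice:KH1,PK1,es256,+presence:KH2,PK2,es256,+presence' > "$1/u2f_keys.good"
    printf '%s\n' 'alice:KH1' > "$1/u2f_keys.bad"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in sudo.good sudo.bad; do
    if check_pam_order "$dir/$f"; then echo "$f: pam_u2f precedes common-auth"; else echo "$f: WRONG ORDER"; fi
done
for f in u2f_keys.good u2f_keys.bad; do
    if check_u2f_keys "$dir/$f" alice; then echo "$f: ok"; else echo "$f: malformed"; fi
done
rm -rf "$dir"
```

Point check_pam_order at /etc/pam.d/sudo and check_u2f_keys at $HOME/.config/Yubico/u2f_keys with your own username to check a real install.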
