Now that I’ve got my SoloKeys working for website authentication, I’ve been looking at other things I can use them for.

Having to type my password every time I want to use sudo is tedious. I’m already logged in; all I really want to be sure of is that it’s me who initiated the privilege escalation. Being able to effectively press an OK button would give me all the security I desire.

If you feel the same way, you can use a U2F device for this.

In a terminal, install the prerequisites (you’ll have to type your password this time, I’m afraid):

sudo apt install libpam-u2f pamu2fcfg

Plug in your U2F device and set it up:

mkdir -p $HOME/.config/Yubico/
pamu2fcfg > $HOME/.config/Yubico/u2f_keys

And press the button. If you have any more keys, you can add those too (note the -n and the >>):

pamu2fcfg -n >> $HOME/.config/Yubico/u2f_keys

Now, edit the PAM configuration to permit U2F as a sudo option. Edit /etc/pam.d/sudo and add this line before @include common-auth:

auth sufficient pam_u2f.so cue

Why before? Because this line says that authenticating with U2F is sufficient to permit sudo. common-auth requires a password, so if that comes first you’ll be asked for a password.

Why sufficient? This way, it doesn’t break the existing password authentication for sudo, so you can still fall back to that if you don’t have the token with you.

Save the file (without exiting, in case you made a mistake!) and open a new terminal. Type sudo echo OK with your U2F key plugged in, and you can just press the button. Try it again in another new window without the key plugged in, and you’ll get the normal password prompt.
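Before running that test, the "why before" and "why sufficient" points above can be checked mechanically. The script below is an added example, not part of the original post; the function name check_sudo_u2f and its return codes are made up for this illustration.

```shell
#!/bin/sh
# Added example: check that a PAM file has the layout the post describes.
# Return codes (constructed for this example):
#   0 = active "auth sufficient pam_u2f.so" line, placed before common-auth
#   1 = no active (uncommented) pam_u2f auth line
#   2 = pam_u2f line comes after "@include common-auth"
#   3 = pam_u2f line uses a control other than "sufficient"
#   4 = file missing or unreadable
check_sudo_u2f() {
    pam_file=$1
    [ -r "$pam_file" ] || return 4
    awk '
        $1 ~ /^#/ { next }                       # ignore commented-out lines
        $1 == "auth" && /pam_u2f\.so/ {          # first pam_u2f auth line wins
            if (!u2f_line) { u2f_line = NR; control = $2 }
        }
        $1 == "@include" && $2 == "common-auth" {
            if (!inc_line) inc_line = NR
        }
        END {
            if (!u2f_line) exit 1
            # After common-auth, the password prompt appears first.
            if (inc_line && u2f_line > inc_line) exit 2
            # "required" or a bracketed control would change the fallback
            # behaviour the post relies on, so flag anything else.
            if (control != "sufficient") exit 3
            exit 0
        }
    ' "$pam_file"
}

# Stand-alone use: sh check.sh /etc/pam.d/sudo
if [ "$#" -gt 0 ]; then
    rc=0
    check_sudo_u2f "$1" || rc=$?
    echo "check_sudo_u2f $1 -> $rc"
fi
```

Run it against /etc/pam.d/sudo from the terminal you still have open; anything other than 0 means the file does not match what the steps above describe.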