Using U2F for passwordless sudo
Now that I’ve got my SoloKeys working for website authentication, I’ve been looking at other things I can use them for.
Having to type my password every time I want to use sudo is tedious. I’m already logged in; all I really want to be sure of is that it’s me who initiated the privilege escalation. Being able to effectively press an OK button would give me all the security I desire.
If you feel the same way, you can use a U2F device for this.
In a terminal, install the prerequisites (you’ll have to type your password this time, I’m afraid):
> sudo apt install libpam-u2f pamu2fcfg
Plug in your U2F device and set it up:
> mkdir -p $HOME/.config/Yubico/
> pamu2fcfg > $HOME/.config/Yubico/u2f_keys
And press the button. If you have any more keys, you can add those too (note the -n flag and the >> append, so the new key is added rather than overwriting the file):
> pamu2fcfg -n >> $HOME/.config/Yubico/u2f_keys
Now, edit the PAM configuration to permit U2F as an authentication option for sudo. Edit /etc/pam.d/sudo and add this line before the @include common-auth line:
auth sufficient pam_u2f.so
Why before? Because this line says that authenticating with U2F is sufficient on its own, whereas common-auth requires a password, so if that comes first you’ll be asked for a password. Why sufficient? This way, it doesn’t break the existing password authentication for sudo, so you can still fall back to that if you don’t have the token with you.
Save the file (without exiting the editor, in case you made a mistake!) and open a new terminal window. Run sudo echo OK with your U2F key plugged in, and you can just press the button. Try it again in another new window without the key plugged in, and you’ll get the normal password prompt.
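As an added sanity check (example code, not from the original post), this script verifies the two things the steps above depend on: that the pam_u2f line sits before the common-auth include in a PAM file, and that the u2f_keys file is non-empty and registered for the expected user. The sample files it builds are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post. Two sanity checks for the
# setup above: (1) the pam_u2f line really sits before "@include common-auth"
# in a PAM file, and (2) the u2f_keys file is non-empty and every line is
# registered for the expected user. Sample files below are constructed.

# 0 if an "auth ... pam_u2f.so" line precedes "@include common-auth", else 1.
check_pam_order() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
        $1 == "auth" && $3 == "pam_u2f.so" && !u2f { u2f = NR }
        $1 == "@include" && $2 == "common-auth" && !inc { inc = NR }
        END { exit !(u2f && inc && u2f < inc) }
    ' "$1"
}

# 0 if the keys file is non-empty and each line starts with "<user>:", else 1.
# (pamu2fcfg writes "username:keyhandle,publickey,..." per registered key.)
check_keys_file() {
    [ -s "$1" ] || return 1
    awk -F: -v u="$2" '$1 != u { bad = 1 } END { exit bad + 0 }' "$1"
}

# Constructed sample: the layout the post describes for /etc/pam.d/sudo.
good=$(mktemp)
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_u2f.so' \
    '@include common-auth' '@include common-account' > "$good"

# Constructed sample: pam_u2f placed after common-auth, so the password
# prompt would still come first.
bad=$(mktemp)
printf '%s\n' '@include common-auth' 'auth sufficient pam_u2f.so' > "$bad"

# Constructed keys file with placeholder handle/key values for user "alice".
keys=$(mktemp)
printf '%s\n' 'alice:PLACEHOLDER_HANDLE,PLACEHOLDER_PUBKEY,es256,+presence' > "$keys"
trap 'rm -f "$good" "$bad" "$keys"' EXIT

check_pam_order "$good" && echo "good: U2F line before common-auth"
check_pam_order "$bad"  || echo "bad: U2F line after common-auth"
check_keys_file "$keys" alice && echo "keys: registered for alice"
```

Point check_pam_order at /etc/pam.d/sudo and check_keys_file at $HOME/.config/Yubico/u2f_keys with your own username to verify a live setup.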