Authenticating with GDM and sudo with a U2F security key on Ubuntu 22

This should be applicable to any supported security key, but I'm using a VinCSS.

Use fido2-token command to manage your device.

First, you'll need some packages:

sudo apt install pamu2fcfg pam-u2f

Then you'll need to generate the key mapping(s) (I believe you can do this multiple times for multiple security keys):

pamu2fcfg > ~/'u2f_keys'

And then move it so it can be used for centralized authentication:

sudo mv ~/'u2f_keys' '/etc/u2f_mappings'

To use it with GDM/GNOME, you need to edit this file:

sudo -e '/etc/pam.d/gdm-password'

And add the following line underneath the pam_selinux_permit.so entry (or @include common-auth):

auth        sufficient    pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=0 userverification=1

And for sudo, it's a similar process; edit the following file:

sudo -e '/etc/pam.d/sudo'

And add a similar at line 2 then comment out the line @include common-auth:

auth       sufficient   pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=0 userverification=1

• If the security key is inserted, you'll be prompted to "touch" the device for both GDM log-in and sudo use over Terminal. The sufficient line makes it optional though, and if it isn't inserted, or the device isn't touched within the time limit, it will then go to the traditional password prompt.

• Changing sufficient to required makes both the security key and traditional password required. It'll be more secure, but I personally don't really want to authenticate with both. This can also prevent log-in if you don't have or lose the security key(s).

• If you want to be prompted to insert your security key before authentication (the video above shows how the prompt is presented for GDM/GNOME), you can add interactive before or after cue in one or both of the pam.d config files mentioned above, and separate them by a space (so it'd look like authfile=/etc/u2f_mappings cue interactive). You can also add any other pam_u2f-specific flags (like debug) that way too.

• When using the security key with GDM at first log-in after boot, the GNOME keyring isn't unlocked. Assuming a standard set-up is used, the keyring will have the same password as your user password, and you'll have to manually enter that. Currently, I don't believe there's a method to authenticate with PAM and the GNOME keyring. One way to avoid this is to use the keyring without a password, but this is insecure (passwords in the keyring are stored plain-text).

• And on a slightly related note, the Solo key (and likely other keys) can also be used for U2F on other websites through Firefox. On Fedora 29, no udev rule is necessary, and with Firefox, you need to set security.webauth.u2f to true (in about:config or user.js). Here's how it looks with GitHub.

• The above instructions imply a single-user logging in with a security key. For multiple users, I believe you can create the u2f_keys file for that user, and then append entries from it to the centralized login /etc/u2f_mappings file (I haven't tested this)