Joined: 30 Aug 2002
Posted: Thu Nov 15, 2018 10:44 pm Post subject: Setting up U2F
I originally wanted to activate FIDO standard U2F tokens for the gmail account I use for my phone, as it has a number of financial services tied to it. I purchased the Google Titan bundle. I tried following the Use a security key for 2-step Verification instructions. When I reach the 'ADD SECURITY KEY' step, it always fails.
I then found Google's Add a Titan Security Key on a Linux system. This is apparently old and incorrect information. The ATTRS in the suggested /etc/udev/rules.d file don't match the actual values in the shipped security tokens I received.
Instead, the libu2f-host/70-u2f.rules file listed in the yubico github project does contain udev rules whose ATTRS values match the pair of tokens I received.
I also read the Gentoo Wiki pam_u2f article and verified everything, using dmesg to check the proper installation of the pam_u2f module:
[ 1946.920987] usb 4-1: new full-speed USB device number 5 using ohci-pci
[ 1947.105039] usb 4-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[ 1947.105042] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1947.105043] usb 4-1: Product: U2F
[ 1947.105045] usb 4-1: Manufacturer: FT
[ 1947.113377] hid-generic 0003:096E:0858.0007: hiddev98,hidraw3: USB HID v1.00 Device [FT U2F] on usb-0000:00:13.0-1/input0
As I read the wiki article, those computer logins for which I define a security key will require having my security token plugged in before I can log into the account (global mapping - /etc/u2f_mappings/u2f_keys):
or alternatively (per user mapping - ~/.config/Yubico/u2f_keys)
The use case above implies username1 and username2 are two accounts using the same set of security keys while username3 uses a different set of security keys.
For the global u2f mapping case, the intended modification to /etc/pam.d/system-local-login would be to add:
auth required pam_u2f.so authfile=/etc/u2f_mappings nouserok
This implies only those users whose username appears in /etc/u2f_mappings/u2f_keys would require having their security key plugged in.
There are several things I'm still not understanding with this.
- I have several pc login accounts I want secured with the same security key. I haven't seen a good example of a /etc/u2f_mappings/u2f_keys file demonstrating this use case. Based on the Gentoo wiki article, I think I need to plug in the first set of security tokens (1,2), and issue pamu2fcfg commands like so:
pamu2fcfg -u<username1> >> /etc/u2f_mappings/u2f_keys
pamu2fcfg -u<username2> >> /etc/u2f_mappings/u2f_keys
then replace the first set of security tokens with the second set of security tokens (A,B) and issue the command:
pamu2fcfg -u<username3> >> /etc/u2f_mappings/u2f_keys
Once I've registered the keys (via pamu2fcfg), I still can't make the connection between my PC account login and my website logins such as for google. I still cannot complete Google's Add a Security Key step. Do I need to login on one of my PC accounts that will require a security token first before trying to add a security token to any of my web accounts?
As I read both the Wiki article and Google's instructions, it seems that using a security token for PC logins and for website logins is supposed to be independent of one another, i.e. I can use a security token just to secure web accounts without having to use pam_u2f.
Some guidance would be appreciated.
I'm a little hesitant to go further because I don't want to lock myself out of any of my pc or web accounts.
My use case includes multiple pc accounts on the same initial pair of security keys, other pc accounts on an independent pair of security keys, remote pc logins on multiple accounts via x2go and multiple web accounts. I have some need to be able to access certain specific web accounts from pc accounts which will be secured with differing pairs of security keys.
People whom think M$ is mediocre, don't know the half of it.
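The two checks a practitioner would want for the situation described in the post above, as an added example that is not code from the post, from pam_u2f, or from Yubico's rules file: first, whether a udev rule's ATTRS values actually match the idVendor/idProduct the kernel reported in the quoted dmesg line (the mismatch the poster ran into); second, assembling and validating a /etc/u2f_mappings/u2f_keys file in which username1 and username2 share token set (1,2) while username3 uses token set (A,B). It assumes the pam_u2f 1.0.x mapping format (one line per user: username, then one ":KeyHandle,PublicKey" per registered token, which is what `pamu2fcfg -u <user>` prints for the first token and what `pamu2fcfg -n` prints, as a bare ":KeyHandle,PublicKey", for each further token), that udev match values accept "|" alternatives and shell-style globs, and that a registration is bound to the appid (pam://hostname) rather than the username, so the same credentials can be repeated on another user's line. The UDEV_RULE product list and every credential string are constructed placeholders, not real registrations.

```python
"""Check a udev rule against the dmesg line from the post, then build and
validate a pam_u2f mapping file for several accounts.

Added example: not from the original post, pam_u2f, or Yubico's rules file.
Assumptions: pam_u2f 1.0.x mapping format, udev '|' alternatives and globs,
and constructed (fake) key handles / public keys.
"""
import re
from fnmatch import fnmatchcase

# The dmesg line quoted in the post (vendor 096e, product 0858).
DMESG_LINE = ("usb 4-1: New USB device found, idVendor=096e, idProduct=0858, "
              "bcdDevice=44.00")

# Hypothetical rule in the style of 70-u2f.rules; the product list is ours.
UDEV_RULE = ('KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", '
             'ATTRS{idProduct}=="0850|0852|0858", TAG+="uaccess"')


def dmesg_usb_ids(line):
    """Extract (idVendor, idProduct) from a 'New USB device found' dmesg line."""
    m = re.search(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})", line)
    return (m.group(1), m.group(2)) if m else None


def udev_value_matches(pattern, value):
    """udev compares match values as '|'-separated alternatives with globs."""
    return any(fnmatchcase(value, alt) for alt in pattern.split("|"))


def rule_matches_device(rule, vid, pid):
    """True if the rule's ATTRS{idVendor}/ATTRS{idProduct} accept this device.
    If they do not, the hidraw node never gets the uaccess tag and the
    browser / pam_u2f cannot open the token as an unprivileged user."""
    attrs = dict(re.findall(r'ATTRS\{(idVendor|idProduct)\}=="([^"]*)"', rule))
    return (udev_value_matches(attrs.get("idVendor", "*"), vid)
            and udev_value_matches(attrs.get("idProduct", "*"), pid))


# Constructed stand-ins for the ':<KeyHandle>,<PublicKey>' that pamu2fcfg
# prints per physical token.  Set 1 = tokens (1,2), set A = tokens (A,B).
TOKEN_SET_1 = [("kh-token1-constructed", "pk-token1-constructed"),
               ("kh-token2-constructed", "pk-token2-constructed")]
TOKEN_SET_A = [("kh-tokenA-constructed", "pk-tokenA-constructed"),
               ("kh-tokenB-constructed", "pk-tokenB-constructed")]


def mapping_line(username, creds):
    """Render one u2f_keys line: username followed by ':kh,pk' per token."""
    if not username or ":" in username or not creds:
        raise ValueError("need a username without ':' and at least one token")
    return username + "".join(f":{kh},{pk}" for kh, pk in creds)


def build_mapping(assignments):
    """assignments: {username: [(kh, pk), ...]} -> text of the mapping file.
    Accounts sharing a token pair simply repeat the same credentials (assumed:
    the registration is bound to the appid pam://<hostname>, not the user)."""
    return "".join(mapping_line(u, c) + "\n" for u, c in assignments.items())


def parse_mapping(text):
    """Parse u2f_keys text into {username: [(kh, pk), ...]}, rejecting blank
    usernames (a stray 'pamu2fcfg -n' line not appended to a user), duplicate
    user lines, and 'kh,pk' pairs missing either half."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, *pairs = line.split(":")
        if not user or user in users or not pairs:
            raise ValueError(f"line {lineno}: bad or duplicate user entry")
        creds = []
        for pair in pairs:
            kh, sep, pk = pair.partition(",")
            if not (sep and kh and pk):
                raise ValueError(f"line {lineno}: malformed credential {pair!r}")
            creds.append((kh, pk))
        users[user] = creds
    return users


def key_requirement(mapping, local_users):
    """With 'nouserok' on the pam line, only users listed in the file are asked
    for a token; return (required, exempt) to confirm the split you intended."""
    required = [u for u in local_users if u in mapping]
    exempt = [u for u in local_users if u not in mapping]
    return required, exempt


if __name__ == "__main__":
    vid, pid = dmesg_usb_ids(DMESG_LINE)
    print("udev rule matches token:", rule_matches_device(UDEV_RULE, vid, pid))
    text = build_mapping({"username1": TOKEN_SET_1, "username2": TOKEN_SET_1,
                          "username3": TOKEN_SET_A})
    print(text, end="")
    print("token required for:", key_requirement(parse_mapping(text),
                                                 ["username1", "username3", "root"]))
```

Run it as is to see the three-line mapping file it would produce; to use it for real, replace the constructed TOKEN_SET entries with the ":KeyHandle,PublicKey" text that `pamu2fcfg` prints for each physical token, and run `parse_mapping` over the finished /etc/u2f_mappings/u2f_keys before adding the pam_u2f line, so a malformed file cannot lock an account out.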