Secure Two-Factor Authentication with TREZOR — U2F on Linux Mint by shaneantyr

https://images.duckduckgo.com/iu/?u=http%3A%2F%2Fi.ytimg.com%2Fvi%2Fv-GvJJEG9sw%2Fmaxresdefault.jpg&f=1

Trezor recently upgraded the firmware for their handy devices to include U2F functionality. This is great for securing online resources, but what about using your Trezor and U2F to help secure Ubuntu/Mint workstations? Is it possible to add two-factor authentication to things like MDM logins and sudo?

<h2>Warning</h2>
Be aware that if you mess things up, or don't have your Trezor handy after you finish configuring U2F on your workstation, you'll be locked out. Caveat emptor!

<strong>Update</strong> Reddit User /u/stickac adds:

<blockquote>Cool thing about TREZOR is that you can recover the seed used to generate U2F secret, so even if you lose TREZOR you can still log in to your machine after recovery (as opposed when using other U2F tokens).</blockquote>

See: https://doc.satoshilabs.com/trezor-user/recovery.html

<h2> Installation</h2>
You'll need your Trezor to be running firmware 1.4 or greater. See: https://blog.trezor.io/secure-two-factor-authentication-with-trezor-u2f-e940fd5a60af#.9ys8d47f3 for details. Once your Trezor is ready, add U2F authentication as an option on your machine by installing the needed U2F packages:

<blockquote>$ sudo apt-get install libpam-u2f pamu2fcfg</blockquote>

<h2>U2F_Mappings File</h2>
Next you'll need to generate your U2F mappings file. Plug in your Trezor and run:

<blockquote>$ pamu2fcfg -u yourusername > /tmp/u2f_mappings</blockquote>

You'll need to confirm on your Trezor at this point.

Now move the u2f_mappings file into /etc:

<blockquote>$ sudo mv /tmp/u2f_mappings  /etc/u2f_mappings</blockquote>
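Before the file is wired into PAM it is worth checking that it really contains an entry for your user and that nobody but root can change it, since the mapping file decides which tokens are accepted. The following is an added example (shell code written for this page, not part of the original post or of pam_u2f); the function names `u2f_mapping_check` and `u2f_mapping_perms_ok` are chosen here, and the key material in the demo is a constructed placeholder, not output from a real `pamu2fcfg` run.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pam_u2f mapping
# file before PAM is configured to use it, so a bad file cannot lock you out.
#
# pamu2fcfg writes one line per user:
#   username:keyhandle,publickey[,keyhandle,publickey...]
# Newer pamu2fcfg releases append extra comma-separated fields after the key
# (COSE type, option flags); the check below only requires the first two.

# u2f_mapping_check FILE USER
#   0 when FILE holds exactly one entry for USER with at least a
#   keyhandle,publickey pair; otherwise prints the reason and returns 1.
u2f_mapping_check() {
    file=$1
    user=$2
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    # exact match on the username field, so "bob" does not match "bobby"
    entries=$(awk -F: -v u="$user" '$1 == u { n++ } END { print n + 0 }' "$file")
    if [ "$entries" -eq 0 ]; then
        echo "no entry for $user in $file"; return 1
    elif [ "$entries" -gt 1 ]; then
        echo "$entries entries for $user in $file; keep one line per user"; return 1
    fi
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$file")
    keys=${line#*:}
    nfields=$(printf '%s' "$keys" | awk -F, '{ print NF }')
    nfields=${nfields:-0}
    if [ "$nfields" -lt 2 ]; then
        echo "entry for $user has $nfields field(s); expected keyhandle,publickey"; return 1
    fi
    echo "$file: entry for $user looks well-formed ($nfields fields)"
}

# u2f_mapping_perms_ok FILE
#   0 unless FILE is group- or world-writable. The file decides which tokens
#   PAM accepts, so only root should be able to change it.
u2f_mapping_perms_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. -rw-r--r--
    case $perms in
        ?????w????|????????w?)
            echo "$1 is writable by group or others ($perms)"; return 1 ;;
    esac
    return 0
}

# Demo on a constructed file; the key material is a placeholder, not a real key.
demo=$(mktemp)
printf 'yourusername:PLACEHOLDER_KEYHANDLE,PLACEHOLDER_PUBLICKEY\n' > "$demo"
chmod 644 "$demo"
u2f_mapping_check "$demo" yourusername
u2f_mapping_perms_ok "$demo"
rm -f "$demo"
```

Run `u2f_mapping_check /etc/u2f_mappings yourusername` after the `mv` above; the second function only looks at write bits, so follow it with `sudo chown root:root /etc/u2f_mappings` and `sudo chmod 644 /etc/u2f_mappings` if the file still belongs to your user.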

<h2>Configuring Pam to Use U2F</h2>
The u2f_mappings file you've put into /etc will be used by PAM to add two-factor authentication to your system; all it takes is a couple of config lines in the appropriate PAM files.

Here's some of the things you'll want to add U2F authentication to:

<ul>
<li>sudo</li>
<li>login</li>
<li>su</li>
<li>mdm, lightdm or gdm</li>
<li>cinnamon-screensaver</li>
</ul>

You can see the various things on your system which require authentication by looking in /etc/pam.d/. If you're a hacker like me, you can try configuring U2F for other things using the information in this article. If you do, I suggest trying it out on a virtual machine first.

<blockquote>$ ls /etc/pam.d</blockquote>

<h1>Examples</h1>

Time to fire up your favorite text editor!

<h2>sudo</h2>

First, add two-factor authentication to the sudo command.

<blockquote>$ sudo emacs -nw /etc/pam.d/sudo</blockquote>

Add this at the end of the file: 
<blockquote># u2f authentication</blockquote>
<blockquote>auth       required pam_u2f.so authfile=/etc/u2f_mappings cue</blockquote>

You can test at this point by firing up another terminal and running a sudo command. If you've done things correctly you'll be asked for your password and then prompted to "Please touch the device." Your Trezor will also be prompting you to authorize. Congratulations, your system now requires your Trezor to run sudo. Pretty neat eh?

<h2>login</h2>

Next let's secure login. I don't want anyone besides me getting onto my system using a virtual console. If you're not aware of what this means, check out: https://en.wikipedia.org/wiki/Virtual_console

<blockquote>$ sudo emacs -nw /etc/pam.d/login</blockquote>

Add this at the end of the file: 
<blockquote># u2f authentication</blockquote>
<blockquote>auth       required pam_u2f.so authfile=/etc/u2f_mappings cue</blockquote>

Test by bringing up a virtual console. Again, you'll be prompted to touch your Trezor after you've authenticated.

<h2>su</h2>

By now you should see what is being done here. Let's lock down the su command now: https://en.wikipedia.org/wiki/Su_(Unix)

<blockquote>$ sudo emacs -nw /etc/pam.d/su</blockquote>

Add this at the end of the file: 
<blockquote># u2f authentication</blockquote>
<blockquote>auth       required pam_u2f.so authfile=/etc/u2f_mappings cue</blockquote>

You can test by running:
<blockquote>$ su yourusername</blockquote>
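The same two lines are appended to sudo, login and su (and later to the display manager and screensaver files), so it is easy to paste them twice or point them at a mapping file that is not there yet. Here is an added helper, shell code written for this page and not part of the original post or of pam_u2f, that appends the post's pam_u2f line to a given /etc/pam.d service file exactly once and then checks the result. The names `pam_has_u2f`, `pam_u2f_line_count`, `pam_add_u2f` and `pam_u2f_check` are chosen here, and the demo works on a constructed copy of a Debian/Ubuntu-style sudo service file in a temp directory rather than touching /etc.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's
#   auth       required pam_u2f.so authfile=/etc/u2f_mappings cue
# line to a PAM service file only once, and verify the result. Run it against
# a copy first; it edits whatever path you give it.

U2F_AUTH_RE='^[[:space:]]*auth[[:space:]].*pam_u2f\.so'

# pam_has_u2f FILE -> 0 if FILE already has an active (uncommented) pam_u2f auth line
pam_has_u2f() {
    grep -Eq "$U2F_AUTH_RE" "$1"
}

# pam_u2f_line_count FILE -> number of active pam_u2f auth lines (1 is what you want)
pam_u2f_line_count() {
    grep -Ec "$U2F_AUTH_RE" "$1" || true    # grep -c prints 0 but exits 1 on no match
}

# pam_add_u2f FILE [AUTHFILE] -> append the comment and auth line at the end of
# FILE, as in the post; a second run is a no-op so the line is never duplicated.
pam_add_u2f() {
    file=$1
    authfile=${2:-/etc/u2f_mappings}
    if pam_has_u2f "$file"; then
        echo "$file: pam_u2f already configured, nothing to do"
        return 0
    fi
    printf '\n# u2f authentication\nauth       required pam_u2f.so authfile=%s cue\n' \
        "$authfile" >> "$file"
    echo "$file: added pam_u2f line (authfile=$authfile)"
}

# pam_u2f_check FILE -> 0 when FILE has exactly one pam_u2f auth line and the
# authfile it names exists; a missing or mistyped authfile is what locks you out.
pam_u2f_check() {
    file=$1
    n=$(pam_u2f_line_count "$file")
    if [ "$n" -ne 1 ]; then
        echo "$file: expected 1 pam_u2f auth line, found $n"; return 1
    fi
    authfile=$(grep -E "$U2F_AUTH_RE" "$file" | sed -n 's/.*authfile=\([^[:space:]]*\).*/\1/p')
    if [ -z "$authfile" ]; then
        echo "$file: pam_u2f line has no authfile= option"; return 1
    fi
    if [ ! -f "$authfile" ]; then
        echo "$file: authfile $authfile does not exist"; return 1
    fi
    echo "$file: ok, one pam_u2f line, authfile=$authfile"
}

# Demo on a constructed copy of a Debian/Ubuntu-style sudo service file and an
# empty stand-in mapping file, so nothing under /etc is changed.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudo" <<'EOF'
#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
: > "$demo_dir/u2f_mappings"
pam_add_u2f "$demo_dir/sudo" "$demo_dir/u2f_mappings"
pam_add_u2f "$demo_dir/sudo" "$demo_dir/u2f_mappings"   # no-op on the second run
pam_u2f_check "$demo_dir/sudo"
rm -rf "$demo_dir"
```

For the real files, do the edit from a shell you already hold root in (for example `sudo -s` before touching /etc/pam.d/sudo) and keep that shell open until a fresh terminal confirms the password-then-touch flow the post describes; `pam_u2f_check` catches a duplicated line or a missing authfile, but not a mapping entry generated for the wrong username, which is what the mapping check above is for.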

<h2>Conclusion</h2>
Be sure to add U2F authentication to your login and screen saver screens as well. I run GDM and Cinnamon, so I set up U2F for those. Again, see /etc/pam.d for the config files you'll need to tweak. As mentioned in Mike Jonesey's article, to really secure your install you should be running your disks fully encrypted, etc.

Happy Hacking!

<h2>See Also:</h2>
<ul>
<li>http://www.mr-technical.com/node/6</li>
<li>https://blog.trezor.io/secure-two-factor-authentication-with-trezor-u2f-e940fd5a60af#.9ys8d47f3</li>
<li>http://www.mikejonesey.co.uk/security/2fa/linux-desktop-2fa-with-pam-u2f</li>
</ul>
created 2016-10-20 15:17:54
last_update 2016-10-20 18:59:48
@steemitboard ·
Congratulations @shaneantyr! You have received a personal award!

[![](https://steemitimages.com/70x70/http://steemitboard.com/@shaneantyr/birthday1.png)](http://steemitboard.com/@shaneantyr) Happy Birthday - 1 Year
Click on the badge to view your own Board of Honor on SteemitBoard.

For more information about this award, click [here](https://steemit.com/steemitboard/@steemitboard/steemitboard-update-8-happy-birthday)
> By upvoting this notification, you can help all Steemit users. Learn how [here](https://steemit.com/steemitboard/@steemitboard/http-i-cubeupload-com-7ciqeo-png)!
created 2017-07-13 19:27:03
last_update 2017-07-13 19:27:03
@meddamarnoe ·
Interesting thoughts
created 2017-08-08 16:58:30
last_update 2017-08-08 16:58:30
@steemitboard ·
Congratulations @shaneantyr! You received a personal award!

<table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@shaneantyr/birthday3.png</td><td>Happy Birthday! - You are on the Steem blockchain for 3 years!</td></tr></table>

<sub>_You can view [your badges on your Steem Board](https://steemitboard.com/@shaneantyr) and compare to others on the [Steem Ranking](https://steemitboard.com/ranking/index.php?name=shaneantyr)_</sub>


###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes!
created 2019-07-13 20:38:33
last_update 2019-07-13 20:38:33