Add MFA to Fedora with Yubikey
This post is really meant to complement Willi Mutschler’s already excellent guidance for enabling MFA in Fedora using Yubikey hardware tokens. I enabled MFA authentication for my Fedora 34 installation just moments ago following these steps using a Yubikey 5 NFC and a backup Yubikey 5C Nano.
The end result is that I need to present my yubikey when logging into my laptop and when elevating privileges using
I’ll reprint the relevant steps here in case Willi’s site is lost:
READ ALL OF THE FOLLOWING STEPS CAREFULLY AND TRY THEM OUT IN A VIRTUAL MACHINE BEFORE MODIFYING YOUR LIVE WORKSTATION!
DO NOT CLOSE THE TERMINAL WINDOW DURING THIS PROCESS OR RISK LOSING ACCESS TO YOUR COMPUTER! WAIT UNTIL YOU’VE VERIFIED EVERYTHING WORKS BEFORE CLOSING IT!
$ sudo dnf install yubikey-manager ykclient ykpers pam_yubico pam-u2f pamu2fcfg
Ensure PIV support is present on the Yubikey device:
$ ykman info
Use authselect to preview and apply changes:
$ sudo authselect test sssd with-pam-u2f-2fa without-nullok
$ sudo authselect select sssd with-pam-u2f-2fa without-nullok
Create Yubikey config directory and enroll devices using
$ mkdir ~/.config/Yubico
$ pamu2fcfg > ~/.config/Yubico/u2f_keys      # When device flashes, press it to confirm association
$ pamu2fcfg -n >> ~/.config/Yubico/u2f_keys  # Repeat enrollment with backup devices
Open a second terminal to test that everything works by confirming you’re prompted to touch the Yubikey when elevating privileges:
$ sudo echo test
Please touch the device.
[sudo] password for chris:
If this succeeds, then all is well and the first terminal can be closed. MFA is now enabled at gdm auth and terminal sudo!
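The step most likely to lock you out is a key file that is not where pam_u2f looks for it, or that holds only one credential. The following script is an added example, not code from the original post or from the pam-u2f project: it validates a u2f_keys file before the authselect profile that requires it is selected. It assumes pam_u2f's documented per-user file layout (one line per user, `user:keyHandle,publicKey[,coseType,options]`, with further credentials appended after a `:`), the default path `~/.config/Yubico/u2f_keys`, and `pamu2fcfg`'s `-u` flag for naming the user; the sample handles and keys it writes are constructed placeholders, not real credentials.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the pam-u2f project).
# Validates a pam_u2f key file before relying on it, so a path typo or a failed
# enrollment is caught while the old authselect profile is still active.
# Assumed layout (pam_u2f's documented u2f_keys format):
#   <user>:<keyHandle>,<publicKey>[,<coseType>,<options>][:<keyHandle>,<publicKey>...]
set -u

# check_u2f_keys FILE USER
# Succeeds only when FILE exists, is non-empty, has an entry for USER, and that
# entry carries at least two credentials (primary key plus a backup).
check_u2f_keys() {
    local file="$1" user="$2" line rest ncreds
    if [ ! -f "$file" ]; then
        echo "missing $file (expected ~/.config/Yubico/u2f_keys, not ~./config)" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "$file is empty: pamu2fcfg wrote nothing" >&2
        return 1
    fi
    # pamu2fcfg prints the login name as the first field; match it exactly.
    line=$(grep "^${user}:" "$file" | head -n1 || true)
    if [ -z "$line" ]; then
        echo "no entry for user '$user' in $file" >&2
        return 1
    fi
    rest=${line#"${user}:"}
    # Each credential is "keyHandle,publicKey[,...]"; count the comma-bearing segments.
    ncreds=$(printf '%s\n' "$rest" | tr ':' '\n' | grep -c ',' || true)
    if [ "$ncreds" -lt 2 ]; then
        echo "only $ncreds credential(s) for '$user': enroll a backup with 'pamu2fcfg -n >>'" >&2
        return 1
    fi
    echo "$file: $ncreds credentials enrolled for '$user'"
    return 0
}

# write_sample_keys FILE USER
# Writes a CONSTRUCTED two-credential entry in the layout above. The handles and
# public keys are placeholders, not real credentials; this only exercises the check.
write_sample_keys() {
    local file="$1" user="$2"
    mkdir -p "$(dirname "$file")"
    printf '%s:%s,%s,es256,+presence:%s,%s,es256,+presence' \
        "$user" "SAMPLEHANDLE1" "SAMPLEPUBKEY1" "SAMPLEHANDLE2" "SAMPLEPUBKEY2" > "$file"
    chmod 0600 "$file"
}

# enroll_with_check USER
# Real enrollment (needs pamu2fcfg and the keys plugged in): enroll into a temp
# file, validate it, then install it with owner-only permissions. The authselect
# profile is only suggested afterwards, never applied by this script.
enroll_with_check() {
    local user="$1" tmp dest="$HOME/.config/Yubico/u2f_keys"
    command -v pamu2fcfg >/dev/null || { echo "pamu2fcfg not installed" >&2; return 1; }
    tmp=$(mktemp) || return 1
    echo "Touch the primary key when it flashes..."
    pamu2fcfg -u "$user" > "$tmp" || { rm -f "$tmp"; return 1; }
    echo "Now plug in the backup key and touch it when it flashes..."
    pamu2fcfg -n >> "$tmp" || { rm -f "$tmp"; return 1; }
    check_u2f_keys "$tmp" "$user" || { rm -f "$tmp"; return 1; }
    mkdir -p "$(dirname "$dest")"
    install -m 0600 "$tmp" "$dest" && rm -f "$tmp"
    echo "Key file installed. Next: sudo authselect select sssd with-pam-u2f-2fa without-nullok"
}
```

Run `check_u2f_keys ~/.config/Yubico/u2f_keys "$USER"` from the first terminal before selecting the `with-pam-u2f-2fa` profile; if it reports a missing file or a single credential, fix the enrollment while the previous profile is still in place.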
GDM doesn’t do the best job walking one through login with U2F MFA enabled.
After selecting your username, you should see the yubikey blink (waiting for a touch) and the text “Please touch the device” displayed. Once you’ve touched the device, this message will disappear and you should now enter your password and press enter.
If you don’t see this message, unplug your yubikey and plug it back in.
If you need to disable MFA, use authselect to search for and select the minimal auth configuration:
$ sudo authselect list
- minimal   Local users only for minimal installations
- nis       Enable NIS for system authentication
- sssd      Enable SSSD for system authentication (also for local users only)
- winbind   Enable winbind for system authentication
(Optional) Preview authselect changes:
$ sudo authselect test minimal
$ sudo authselect select minimal
This command removes the MFA configuration and allows you to use your workstation as you did previously.