Ubuntu – Use of Yubikey Neo for login 2FA and lock screen

Tags: 14.04, lightdm, lock-screen, udev

I want to use my Yubikey Neo to log in to Ubuntu 14.04. In addition, it would be convenient if the screen were locked automatically every time I unplug the Yubikey.

Best Answer

First, we need to configure the Yubikey for challenge-response. Yubico provides a good manual for Linux at https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html

Now you should be able to use your Yubikey for authentication at login. One convenient piece is missing: the automatic locking of the screen when the Yubikey is removed.

I slightly adapted the HowTo from the Yubico forums (http://forum.yubico.com/viewtopic.php?f=23&t=1143) to work with LightDM in 14.04 and the Yubikey Neo.

First of all, create a new file with the commands to lock the screen when the Yubikey is not present:

sudo nano /usr/local/bin/yubikey

Write the following into the file:

#!/bin/bash
# Double-check that the Yubikey is really gone before locking: a
# challenge-response exchange also produces udev events, and must not
# trigger the screensaver.

if ! lsusb | grep -q Yubico; then
        logger "YubiKey Removed or Changed"
        # Run the LightDM lock command; dm-tool needs the seat path
        # because udev does not run this script inside the user session.
        export XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0"
        /usr/bin/dm-tool lock
fi

The biggest differences from the original file are the use of dm-tool (for locking the screen with LightDM) and the search term "Yubico", since the Yubikey Neo is listed as "Yubico.com" in lsusb.

Close and save the file. In addition, we have to make the file executable:

sudo chmod +x /usr/local/bin/yubikey

Next, we have to find the properties of the Yubikey so the udev rule can match it.

For this, the USB descriptor must be activated. Details can be found on the Yubico forum.

In a new terminal type in the command

udevadm monitor --environment --udev

Now (un)plug your Yubikey and you get a list of IDs. Look for

ID_VENDOR_ID
ID_MODEL_ID
ID_SERIAL_SHORT

They will be used in the udev file for recognition of the Yubikey.

Hint: The vendor ID changes if you reconfigure the stick (e.g. with CCID)

Furthermore, create a file with

sudo nano /etc/udev/rules.d/85-yubikey.rules

and type the following

# Yubikey Udev Rule: running a bash script in case your Yubikey is removed 
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", ENV{ID_SERIAL_SHORT}=="0001711399", RUN+="/usr/local/bin/yubikey"

Change the IDs according to your key. Note: you can add more Yubikeys by simply copying the line with the other IDs.

Close and save the file. Finally, the udev service has to reload the rules:

sudo udevadm control --reload-rules
sudo service udev reload
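As an added example (not part of the answer above), the two pieces of logic in this procedure pulled out as testable shell functions: `yubikey_present` performs the same "is a Yubico device still listed in lsusb output" check as the lock script, and `make_udev_rule` parses the `KEY=VALUE` environment block that `udevadm monitor --environment --udev` prints for one device and emits a rule line in the same shape as the 85-yubikey.rules entry above. The function names are mine, and the lsusb and udevadm samples are constructed, so the script runs offline.

```shell
#!/bin/bash
# Added example, not from the original answer. Function names and the
# sample lsusb/udevadm output below are constructed for illustration.

# Return 0 if a Yubico device appears in the given lsusb output, 1 otherwise.
# This is the check the lock script makes before calling dm-tool, so that
# the udev events of a challenge-response exchange do not lock the screen.
yubikey_present() {
    printf '%s\n' "$1" | grep -q 'Yubico'
}

# Read udevadm environment lines (KEY=VALUE) on stdin and print a udev rule
# that runs the lock script when exactly that key (by serial) is removed.
# Optional first argument: path of the script to run (default as in the answer).
make_udev_rule() {
    local script="${1:-/usr/local/bin/yubikey}"
    local vendor="" model="" serial="" line key value
    while IFS= read -r line; do
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in
            ID_VENDOR_ID)    vendor="$value" ;;
            ID_MODEL_ID)     model="$value" ;;
            ID_SERIAL_SHORT) serial="$value" ;;
        esac
    done
    if [ -z "$vendor" ] || [ -z "$model" ] || [ -z "$serial" ]; then
        echo "make_udev_rule: missing ID_VENDOR_ID, ID_MODEL_ID or ID_SERIAL_SHORT" >&2
        return 1
    fi
    printf 'ACTION=="remove", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", ENV{ID_SERIAL_SHORT}=="%s", RUN+="%s"\n' \
        "$vendor" "$model" "$serial" "$script"
}

# Constructed lsusb output: one hub and one Yubikey.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 005: ID 1050:0010 Yubico.com Yubikey'

# Constructed excerpt of `udevadm monitor --environment --udev` for a remove event,
# using the IDs from the rule in the answer.
SAMPLE_UDEV='ACTION=remove
SUBSYSTEM=usb
ID_VENDOR_ID=1050
ID_MODEL_ID=0010
ID_SERIAL_SHORT=0001711399'

# Demo: generate the rule line from the constructed udevadm block.
printf '%s\n' "$SAMPLE_UDEV" | make_udev_rule
```

Because the rule matches on `ID_SERIAL_SHORT`, removing a different Yubikey does not lock the screen; if you want any key to trigger the lock, drop that match and the lsusb check in the script still prevents a false lock while one key remains plugged in.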