「Universal 2nd Factor」の版間の差分
Kusanaginoturugi (トーク | 投稿記録) (英語版より転載) |
Kusanaginoturugi (トーク | 投稿記録) (リンクを追加) |
||
1行目: | 1行目: | ||
[[Category:Universal 2nd Factor]] |
[[Category:Universal 2nd Factor]] |
||
+ | [[en:Universal 2nd Factor]] |
||
[[Wikipedia:Universal 2nd Factor|Universal 2nd Factor (U2F)]] is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards. |
[[Wikipedia:Universal 2nd Factor|Universal 2nd Factor (U2F)]] is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards. |
||
2021年5月16日 (日) 12:18時点における版
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards.
While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.
For all articles on U2F and U2F-devices see: Category:Universal 2nd Factor.
目次
Authentication for websites
U2F is supported by major sites like Google, Facebook, Twitter, or GitHub. Check out twofactorauth.org or dongleauth.info to find other websites and links to setup documentation. For all browsers which support it, likely the only action required is to install libfido2. Yubico offers a demo page for testing.
Firefox
Firefox/Tweaks#Fido U2F authentication
Chromium/Chrome
Chromium/Tips and tricks#U2F authentication
Authentication for Arch Linux
Yubico, the company creating the YubiKey, develops an U2F PAM module. It can be used to act as a second factor during login or replace the need for a password entirely.
Installing the PAM module
The module is part of the package pam-u2f.
Adding a key
Keys need to be added with the tool pamu2fcfg
:
$ mkdir ~/.config/Yubico $ pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
Click the button of your U2F key to confirm the key.
If you own multiple keys, append them with
$ pamu2fcfg -o pam://hostname -i pam://hostname -n >> ~/.config/Yubico/u2f_keys
Passwordless sudo
Open /etc/pam.d/sudo
and add
auth sufficient pam_u2f.so origin=pam://hostname appid=pam://hostname
as the first line. Be sure to replace the hostname
as mentioned above. Then create a new terminal and type sudo ls
. Your key's LED should flash and after clicking it the command is executed.
GDM login
Open /etc/pam.d/gdm-password
and add
auth required pam_u2f.so nouserok origin=pam://hostname appid=pam://hostname
after the existing auth
lines. Please note the use of the nouserok
option which allows the rule to fail if the user did not configure a key. This way setups with multiple users where only some of them use a U2F key are supported.
Other authentication methods
Enable the PAM module for other services like explained above. For example, to secure the screensaver of Cinnamon, edit /etc/pam.d/cinnamon-screensaver
.
Troubleshooting
If you managed to lock yourself out of the system, boot into recovery mode or from a USB pen drive. Then revert the changes in the PAM config and reboot.
OpenSSH
OpenSSH supports FIDO/U2F hardware tokens natively since 8.2. Both the client and server must support the ed25519-sk key types. Generate a security key backed key pair with:
$ ssh-keygen -t ecdsa-sk