Yubikey for "muh" sudo security
2021-10-10 19:45:33
Sometimes you want to use webauthn from inside your VirtualBox VM, OR use a yubikey for 2FA/security inside VirtualBox. Well, after a while I managed it, so buckle up kiddos, time for a post on how to set these things up inside a VirtualBox VM and/or on your main system, whatever floats your boat. Also, how to set things up so that the Yubikey is required for your sudo.
First off, if you’re on Linux, add the user who runs VirtualBox to its group (vboxsf)
sudo gpasswd -a ___YOUR_USER_HERE___ vboxsf
and restart your PC for that to take effect.
After that, go inside your VM settings > USB, press the “Add new USB filter”, and select your yubikey there.
Congratz, you have done most of the work if you just want to use webauthn in VirtualBox. If you want to check whether it actually works, try it at https://demo.yubico.com/webauthn-technical/registration
If you see the yubikey blinking, congratz, it’s working.
Okay, woohoo. What now? Idk, just use it. Or perhaps get the black yubikey and set it up so that you can’t even run sudo without the yubikey, and the PC auto-locks when the yubikey is removed.
Well, first off, you’ll need to install pam-u2f (some Linux distros call it libpam-u2f, check to be sure).
After installing that, create .config/Yubico in your home directory; it will be used to save info about your keys.
mkdir -p ~/.config/Yubico
now, use pamu2fcfg to add a yubikey
pamu2fcfg > ~/.config/Yubico/u2f_keys
your yubikey will be blinking at this point; press it and you’ll be good to go. If you inspect the u2f_keys file, you’ll see that there is now something written in it.
AND NOW, LET US DO SOME COOL SHIT, LIKE USE THE YUBIKEY FOR SUDO.
first off, open /etc/pam.d/sudo with your text editor of choice. Also, fun fact: if you’re wondering where your pam_u2f module is, it might be located in /usr/lib/security/
sudo vim /etc/pam.d/sudo
basically, add a line for pam_u2f.so (i.e. auth required pam_u2f.so) under the previous auth block.
Also, if you’re asking “wtf is system-auth”, it’s a file in /etc/pam.d/ that the previous auth block includes; you can check it out for more details. Save n’ quit.
guess what- you’re set now. You can check it out: open a new terminal (don’t close your current terminal; if you dun goofed, at least you can still fix your mistake), take out your yubikey and try to update something, or use sudo. Spoiler alert- you’ll fail. If you put it back in and press it, it will work.
well, you’re kind of set. But you can also require the key to be in when you log in; you’ll need to edit your lightdm config (or whichever login manager you use) in /etc/pam.d/ to do that. Just add the same line under the auth include or auth required line, and it should work just fine.
Additional info: if you want to see what else you can do with pam_u2f, read the man page here https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html
BUT HERE’S A DOOZIE- WHAT 2 DO, IF YOU DON’T WANT TO PRESS IT AGAIN AND AGAIN WHEN YOU USE SUDO?
Easy. First off, remember the u2f_keys file? In there, for each key, there’s a line like this
user:base64_string,base64_other_string,es256,+presence
If you remove +presence (just leave the trailing comma), and in the pam.d/sudo file add the option userpresence=0 at the end of the pam_u2f.so line, you’ll get exactly that.
if you are afraid to fuck up the u2f_keys file by hand, just regenerate it with the no-user-presence flag: pamu2fcfg -P > ~/.config/Yubico/u2f_keys
(to be fair, there is a lot of other useful stuff; read the man page for pamu2fcfg, it will help you out a lot)
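Since editing u2f_keys by hand is where people break things, here is an added example (not part of the original post, and not pam_u2f’s own code) that parses the user:keyhandle,pubkey,cose,options format described above, reports which keys still carry +presence, and shows the +presence removal with the trailing comma kept. The key material in the sample is constructed, not a real credential.

```python
"""Inspect a pam_u2f u2f_keys file for the +presence option.

One line per user; credentials are separated by ':', fields by ','.
    user:keyhandle,pubkey,es256,+presence:keyhandle2,pubkey2,es256,
An empty options field (trailing comma) means no options at all.
"""

# Constructed sample, not real key handles or public keys.
SAMPLE_U2F_KEYS = (
    "alice:AAAAkh1,AAAApk1,es256,+presence\n"
    "bob:BBBBkh1,BBBBpk1,es256,\n"
    "\n"
)


def parse_u2f_keys(text):
    """Return {user: [{"handle", "pubkey", "cose", "options"}, ...]}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, *creds = line.split(":")
        if not creds:
            raise ValueError(f"no credentials for user {user!r}")
        entries = []
        for cred in creds:
            fields = cred.split(",")
            if len(fields) < 3:
                raise ValueError(f"malformed credential for {user!r}: {cred!r}")
            handle, pubkey, cose, *opts = fields
            # A trailing comma yields one empty option; drop empties.
            entries.append({"handle": handle, "pubkey": pubkey,
                            "cose": cose, "options": {o for o in opts if o}})
        users[user] = entries
    return users


def requires_presence(entry):
    return "+presence" in entry["options"]


def keys_needing_presence(users):
    """List (user, keyhandle) pairs that still require a touch."""
    return [(u, e["handle"]) for u, es in users.items()
            for e in es if requires_presence(e)]


def drop_presence(line):
    """Rewrite one u2f_keys line without +presence, keeping the trailing comma."""
    user, *creds = line.strip().split(":")
    rebuilt = []
    for cred in creds:
        fields = cred.split(",")
        head, opts = fields[:3], [o for o in fields[3:] if o and o != "+presence"]
        rebuilt.append(",".join(head + [",".join(opts)]))
    return ":".join([user] + rebuilt)
```

Run drop_presence over each line and write the result back only after you have confirmed the pam.d/sudo line also carries userpresence=0, otherwise sudo will keep asking for a touch.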
Anyway- it is what it is. Use this information as you want and go nuts. Hope that this information helps.