In this article, I will show you how to protect sudo commands and the login process on Debian-based Linux distros. First, you should have at least two Yubikeys with the OTP function. The first is for daily use and the second is for emergency access (e.g. if you lose your primary Yubikey). It is important to know that if you lose both of them, you will not be able to log in or execute any sudo command. The OTP is a kind of one-time password which is generated by the Yubikey when it is touched or plugged into a USB slot. You can find more information about OTP on Yubico OTP.
Protect a sudo command
Open a terminal and install the libpam-u2f package.
sudo apt-get install libpam-u2f
Insert your first Yubikey into a USB slot and run commands as below.
# This directory has probably already been created by the libpam-u2f install.
mkdir -p ~/.config/Yubico
# Add the first Yubikey.
pamu2fcfg > ~/.config/Yubico/u2f_keys
Insert the next Yubikey and add it (the -n flag appends the key without repeating the username).
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
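Because a typo or a missing second key in u2f_keys means being locked out of sudo once pam_u2f is required, here is an added check (not part of the original article) that parses the file and confirms how many keys are registered for a user. It assumes the line format written by pamu2fcfg (username, then one colon-separated entry per key, each entry holding at least a key handle and a public key); the sample file and its handles are constructed placeholders.

```shell
#!/bin/sh
# Added example: sanity-check ~/.config/Yubico/u2f_keys before enabling
# pam_u2f, so a malformed file or a single registered key does not lock
# you out of sudo or login.
# Expected line format written by pamu2fcfg (assumed):
#   username:KeyHandle,PublicKey[,CoseType,Options]:KeyHandle,PublicKey[...]
# Every ':'-separated field after the username is one registered key.

# count_keys FILE USER -> prints the number of keys registered for USER;
# returns 1 if the file is unreadable or the user's line is missing/malformed.
count_keys() {
    file=$1
    user=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    line=$(grep "^$user:" "$file" | head -n 1)
    [ -n "$line" ] || { echo "no entry for $user" >&2; return 1; }
    rest=${line#*:}          # drop the username
    n=0
    old_ifs=$IFS; IFS=:
    for entry in $rest; do
        # A key entry needs at least a handle and a public key, separated by ','.
        case $entry in
            *,*) n=$((n + 1)) ;;
            *) echo "malformed key entry: $entry" >&2; IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$n"
}

# check_u2f_keys FILE USER MIN -> succeeds only if USER has at least MIN keys.
check_u2f_keys() {
    n=$(count_keys "$1" "$2") || return 1
    [ "$n" -ge "$3" ]
}

# Constructed sample file (placeholder handles/keys, not real credentials):
# alice has two keys, as produced by "pamu2fcfg" followed by "pamu2fcfg -n";
# bob has only one.
sample=$(mktemp)
printf '%s\n' 'alice:HANDLE1,PUBKEY1,es256,+presence:HANDLE2,PUBKEY2,es256,+presence' > "$sample"
printf '%s\n' 'bob:HANDLE3,PUBKEY3' >> "$sample"

# Against the real file, before editing /etc/pam.d/sudo:
#   check_u2f_keys ~/.config/Yubico/u2f_keys "$USER" 2 && echo "ok to enable pam_u2f"
```

Keep a second terminal with an already-authenticated sudo session open while you test the new PAM line, so you can revert it if the touch prompt never succeeds.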
Edit the sudo configuration file as below.
# Edit the sudo PAM file (root privileges are required).
sudo nano /etc/pam.d/sudo
# Add this line after the "@include common-auth".
auth required pam_u2f.so
That's all! From now on, every sudo command must be confirmed by pressing the Yubikey button.
Require a Yubikey for login
If you would like to protect your login with a Yubikey, add the keys as described above and edit the gdm-password configuration file as below.
# Edit the gdm-password file.
sudo nano /etc/pam.d/gdm-password
# Add this line after the "@include common-auth".
auth required pam_u2f.so
From now on, every login attempt must be confirmed by pressing the Yubikey button.