
Secure TTY with U2F (Yubikey)

asked 2017-02-03 08:55:26 -0500 by AquaL1te

updated 2017-02-05 21:42:48 -0500 by florian

Hi,

I've secured my GNOME session with U2F as mentioned here. But to me it seems useless as long as the TTYs are unprotected. Someone with my password would otherwise be able to log in (as root), see my files and may also decide to remove the PAM entries for full access to my active sessions in the GUI.

I've tried to add pam_u2f.so to system-auth, password-auth and login, without success. I also tried many other files which I don't recall specifically. I'm basically guessing where to put it and on which line. Can someone perhaps point me in the right direction? What I want to know is which PAM file I should edit in order to activate U2F for TTY logins and, of course, on which line. I've tried a lot and I can't find any relevant information about it.

This is what my pam.d contains:
/etc/pam.d/
├── atd
├── chfn
├── chsh
├── config-util
├── crond
├── cups
├── fingerprint-auth -> fingerprint-auth-ac
├── fingerprint-auth-ac
├── gdm-autologin
├── gdm-fingerprint
├── gdm-launch-environment
├── gdm-password
├── gdm-pin
├── gdm-smartcard
├── ksu
├── liveinst
├── login
├── mock
├── other
├── passwd
├── password-auth -> password-auth-ac
├── password-auth-ac
├── polkit-1
├── postlogin -> postlogin-ac
├── postlogin-ac
├── ppp
├── remote
├── runuser
├── runuser-l
├── setup
├── smartcard-auth -> smartcard-auth-ac
├── smartcard-auth-ac
├── smtp -> /etc/alternatives/mta-pam
├── smtp.postfix
├── sshd
├── sssd-shadowutils
├── su
├── sudo
├── sudo-i
├── su-l
├── system-auth -> system-auth-ac
├── system-auth-ac
├── systemd-user
├── vlock
├── vmtoolsd
└── xserver

My laptop has full-disk encryption, so please spare me the physical access argument in terms of security ;-) Using Fedora 25.
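One common reason a pam_u2f.so line "does nothing" is stack ordering rather than the wrong file, so here is an added example (not from the original post or from the pam_u2f project) that checks a PAM service file for a pam_u2f.so line shadowed by a "sufficient" pam_unix.so line above it, run over two constructed system-auth-style fragments. The authfile and cue options are real pam_u2f options; /etc/u2f_mappings is an assumed path for the mapping file.

```shell
#!/bin/sh
# Added example. In a PAM auth stack, a module marked "sufficient" (or a bracket
# control containing success=done) ends the stack as soon as it succeeds, so a
# pam_u2f.so line placed below "auth sufficient pam_unix.so" is never reached
# once the password is correct. The pam.d fragments below are constructed samples.

# u2f_auth_order FILE: returns 0 when pam_u2f.so is in the auth stack and comes
# before the first stack-ending pam_unix.so line; returns 1 with a reason otherwise.
u2f_auth_order() {
    awk '
        $1 != "auth" { next }                       # only the auth stack matters
        /pam_u2f\.so/ && !u2f { u2f = NR }
        /pam_unix\.so/ && ($2 == "sufficient" || $2 ~ /success=done/) && !unix { unix = NR }
        END {
            if (!u2f) { print "pam_u2f.so is not in the auth stack"; exit 1 }
            if (unix && unix < u2f) {
                print "pam_u2f.so (line " u2f ") is shadowed by pam_unix.so (line " unix ")"
                exit 1
            }
            print "ok"
        }' "$1"
}

# Constructed stack with pam_u2f.so appended at the bottom: pam_unix.so succeeds,
# the stack ends, and the key is never asked for.
write_shadowed() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        required      pam_u2f.so authfile=/etc/u2f_mappings cue
EOF
}

# Same stack with pam_u2f.so above pam_unix.so: key and password are both
# required (authfile/cue are real pam_u2f options; the mapping path is assumed).
write_fixed() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_u2f.so authfile=/etc/u2f_mappings cue
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF
}

# Demo on the two constructed files.
tmp=$(mktemp -d)
write_shadowed "$tmp/system-auth.bad"; write_fixed "$tmp/system-auth.good"
u2f_auth_order "$tmp/system-auth.bad" || true    # prints the shadowing diagnosis
u2f_auth_order "$tmp/system-auth.good"           # prints ok
```

In /etc/pam.d/login, which pulls system-auth in with substack rather than include, a pam_u2f.so line placed after the substack line is also reached, because a sufficient module inside a substack only ends the substack. Editing system-auth instead applies the rule to every service that includes it, such as su and sudo, which is why login is the narrower place for a TTY-only policy.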


1 Answer


answered 2017-02-06 05:43:40 -0500 by AquaL1te

I 'fixed' it for now by disabling the other TTYs.

By default the number of TTYs spawned is a maximum of 6.

crudini --get /etc/systemd/logind.conf Login NAutoVTs
6

I limited it to 1, so that there is no way someone could use it (until I can figure out how to manage the logins with PAM and U2F). The command below will set the maximum number of spawned TTYs to 1, meaning just your GDM session.

crudini --set /etc/systemd/logind.conf Login NAutoVTs 1


1 follower

Stats

Asked: 2017-02-03 08:55:26 -0500

Seen: 246 times

Last updated: Feb 03 '17