Hello All !
I have configured a Nitrokey 3A NFC using the following documentation: “Desktop Login And Linux User Authentication - Nitrokey Documentation”, and the keys are generated and saved in the u2f_keys file.
I have two user accounts on my PC: one is granted administrative level, while the other is not.
However, I did not get the required results; I have 2 issues, which are as follows:
1. sudo command: If the Nitrokey is not attached to my PC, all sudo commands on the Ubuntu PC execute normally at administrative level without asking for Nitrokey authentication (note: this is not my desired output).
But if I attach the Nitrokey to the system, it asks for Nitrokey authentication by touching it (which is perfectly fine).
So I want any sudo command to be executed only when the Nitrokey is attached to my PC and its authentication is verified. Without the Nitrokey it should not execute. So how to achieve this?
2. Login: At the login page of my user account, the system asks for a username and PIN if I connect the Nitrokey to my PC before login. I am unable to understand what I should enter, because I don’t know how to set a username and password for the Nitrokey 3A at my login page. But if I don’t attach the Nitrokey, my account logs in the normal way and doesn’t ask for the Nitrokey to be attached first.
My question is, how to set my device for login access?
To your second question: the Nitrokey does not store the username, but secures the authentication. The pamu2fcfg command is used to tell the system which user has a (nitro)key for that authentication, so it can be used when that user (which you select on the login screen, or console) authenticates with it.
To your first question: your result appears OK for the described setup. Now have a read of the final section of the guide, “PAM Modules”. It describes how you can lock down the configuration to require the Nitrokey.
If you want to lock-down authentication so that the nitrokey is always needed for sudo commands, my advice is:
- first practise how to boot a recovery system (e.g. live-usb) to mount your real system in order to fix any mistakes in the configuration you (or a scripted system update…) might make.
- Consider first setting up requisite nitrokey-authentication for the graphical gdm-password PAM module only. If you modify this PAM configuration only, you can still login via a terminal (ctrl-alt-2 etc) with the sudo user and password to make changes in case your graphical nitrokey-login does not work as expected.
- Optionally you can leave the configuration you already performed via the documentation steps (for the common-auth configuration file) in place for now. But don’t try to lock it down unless you are sure about (1) - and please confirm this in a reply. Also please state which distribution you are using (Ubuntu?).
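To make the difference between the "as documented" line and a locked-down line concrete, here is an added example (not code from the thread or from Nitrokey's documentation). It writes two constructed PAM fragments to a temporary directory, the optional form that still falls through to the password when no key is present (a `sufficient` pam_u2f line with `nouserok`) and a hardened form for gdm-password (`required`, no `nouserok`), then runs a small audit function over each file and reports whether the key is merely optional or mandatory. The function name `u2f_pam_mode`, the sample file names and their contents are assumptions for the demo; the authfile path is the one quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Nitrokey docs.
# Audits a PAM config file for its pam_u2f line and reports whether the
# hardware key is optional (sufficient / nouserok) or mandatory.

# Prints one of: absent | optional | locked-down
u2f_pam_mode() {
    file="$1"
    # Skip comment lines; keep the first "auth" line that loads pam_u2f.so.
    line=$(grep -v '^[[:space:]]*#' "$file" | grep -E '^[[:space:]]*auth[[:space:]]' | grep 'pam_u2f.so' | head -n 1)
    [ -n "$line" ] || { echo absent; return 0; }
    # Second field is the PAM control flag (sufficient, required, ...).
    control=$(printf '%s\n' "$line" | awk '{print $2}')
    case "$control" in
        required|requisite) ;;
        *) echo optional; return 0 ;;
    esac
    # nouserok lets a user with no registered key pass without one,
    # so even a "required" line is not locked down with it present.
    if printf '%s\n' "$line" | grep -qw nouserok; then
        echo optional
    else
        echo locked-down
    fi
}

# Constructed sample files (not real system files) to show both settings.
demo() {
    tmp=$(mktemp -d)
    # Weak: key is only "sufficient" and nouserok, so sudo still works
    # with the password alone when the key is not plugged in.
    cat > "$tmp/common-auth.weak" <<'EOF'
auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok
auth [success=1 default=ignore] pam_unix.so nullok
EOF
    # Hardened: key is required and nouserok is dropped; pam_unix still
    # asks for the password afterwards, so login needs key touch + password.
    cat > "$tmp/gdm-password.hard" <<'EOF'
auth required pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt
auth [success=1 default=ignore] pam_unix.so nullok
EOF
    for f in "$tmp/common-auth.weak" "$tmp/gdm-password.hard"; do
        printf '%s: %s\n' "$(basename "$f")" "$(u2f_pam_mode "$f")"
    done
    rm -rf "$tmp"
}

demo
```

Run the audit function against /etc/pam.d/gdm-password (or common-auth) to confirm which mode you actually have before trusting the lock-down, and keep the recovery path from the first bullet ready, since a `required` line with a wrong authfile path locks everyone out.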
Thank you so much ion.
I am using Ubuntu 22.04.3 LTS (Jammy Jellyfish).
My first question has been resolved. I got to know it was due to the configuration line I set up, i.e. (auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok).
As far as the second question is concerned, let me clarify my scenario.
Case 1: If I first plug the Nitrokey into the USB port and then turn on my PC, the login page asks for a username and PIN for the smart card. (Note: I don’t know what to enter in such a case; I don’t know the username and PIN.)
I want to ask what configuration I should do to remove this.
Case 2: If I first turn on my PC and let the user login page come up first, and then plug in the Nitrokey, then it works fine: it first asks for Nitrokey authentication and then asks for the user login credentials (this case works perfectly fine and according to my requirement).
My question is why it behaves differently when I plug in the Nitrokey before starting the PC than when I plug in the Nitrokey after the user login page appears.
OK. What you describe for Case 1 sounds to me like there may be an Ubuntu automatism to unlock the detected smartcard on the Nitrokey at boot. The smartcard is a different feature and not related to the u2f_keys you set up for login. It also has a separate PIN; check Nitrokey’s documentation on how to set the smartcard up (it has a default PIN). An Ubuntu automatism might try to access it, because it could contain a key, e.g. to unlock disk encryption. (I’m guessing from what you describe.)
What you can do is test by following the second bullet in the “PAM Modules” documentation section to move your key-authentication line as is from common-auth over to gdm-password. If you try this and still have the same behaviour for Case 1, my guess is right.