Solo1 Ubuntu passwordless login #628

Open JacobMarino1900 opened 1 year ago

JacobMarino1900 commented 1 year ago

Hi so I have been working on setting up my solo1 keys i just got, i have them fully working on my Windows 10 system and now am trying to set them up on my ubuntu laptop, I read in the Application ideas section of the solokeys docs that you can enable a passwordless login to the computer by editing the lightdm file, i used vim to edit the lightdm file just as the documentation says above the @include common-auth section and used the "sufficient" variable to be able to login with my solokey or with a password, but when i save the changes and logout and go to log back in to test it, my solokey stays flashing green and there is no prompt to use the solokey to login only the enter password prompt, i tried changing the line where auth sufficient is placed (above common auth and below common-auth too just to check) but I still can't manage to get passwordless login with the preference to login primarily with the solokey, maybe i am missing something small i'm not sure, any help thanks!!!!!

ajxn commented 1 year ago

Ubuntu doesn't use lightdm does it?

I have added this to my /etc/pam.d/common-auth to add so that I also need the key to login, not just password. and it works in any program that uses pam and need to authorization (log in). Notice that I have only copied parts of the file, so you need to edit it, not copy. The comments about u2f should be enough to add this yourself. But choose either sufficent in the beginning, that is commented out, or required in the end.

Also notice that you need to create the u2f_keys files with pamu2fcfg before you can continue.

# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)

# u2f done early.  If right device installed, skipp rest (jxn)
#auth    sufficient cue

auth    [success=3 default=ignore] max_tries=1 timeout=10 # debug
auth    [success=2 default=ignore] nullok try_first_pass
auth    [success=1 default=ignore] use_first_pass
# here's the fallback if no module succeeds
auth    requisite 
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required  
# and here are more per-package modules (the "Additional" block)
auth    optional   
# end of pam-auth-update config

# test u2f
# Create key - pamu2fcfg > ~/.config/Yubico/u2f_keys
# sufficient - may use, set early
# required   - must use. set late
#auth    sufficient cue
auth    required   cue

Also recommended to have to keys, so you can just concatenate the output of pamu2fcfg with the second key, like pamu2fcfg >> u2f_keys, or put them in different files, and then just concatenate them together like this: cat >usf_keys. Then you have the keys there when you need them.