Solo
The Solo is an open-source FIDO2 security key. This article describes how to set up and use it.
Introduction
The Solo (or SoloKey) is a small USB security token supporting Universal 2nd Factor (U2F) requests, thus acting as a second factor for authentication. It also supports the newer FIDO2 standard, which allows passwordless logins.
Compared to a YubiKey it offers fewer features but supports firmware upgrades to extend its functionality in the future. Both hardware and software are released as open source.
Installation
Special drivers are not required for the key to work. It is recommended to install the Solo software and upgrade the firmware of your Solo.
Upgrading the firmware
Managing your Solo, e.g. upgrading the firmware or setting a PIN, requires the solo-python package from the AUR. After installing the package, first check whether your key is detected.
$ solo ls
:: Solos 123456XXXXXX: SoloKeys Solo 3.0.1
Then you can use solo key update to perform a firmware upgrade, solo key set-pin to set a PIN, and solo key change-pin to change your PIN.
Test the Solo in your browser
Visit the WebAuthn demo, type in a username and click on "Register". Your Solo's LED will flash until you press its button. After that, you can log in to the page using only your Solo, with no need for a username or password.
Authentication for websites
U2F is supported by major sites like Google, Facebook, Twitter, or GitHub. Check out twofactorauth.org or dongleauth.info to find other websites and links to setup documentation.
Authentication for Arch Linux
Yubico, the company creating the YubiKey, develops a U2F PAM module. It can be used to act as a second factor during login or to replace the need for a password entirely.
Installing the PAM module
The module is part of the package pam-u2f.
Adding a key
Keys need to be added with the tool pamu2fcfg:
$ mkdir ~/.config/Yubico
$ pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
Click the button of your Solo to confirm the key.
Replace hostname with the actual hostname.
If you own multiple keys, append them with
$ pamu2fcfg -o pam://hostname -i pam://hostname -n >> ~/.config/Yubico/u2f_keys
Passwordless sudo
Before changing the PAM configuration, open a separate root shell (e.g. sudo -s). This way you can revert any changes if something goes wrong.
Open /etc/pam.d/sudo and add
auth sufficient pam_u2f.so origin=pam://hostname appid=pam://hostname
as the first line. Be sure to replace hostname as mentioned above. Then open a new terminal and type sudo ls. Your Solo's LED should flash, and after you press the button the command is executed.
GDM login
Open /etc/pam.d/gdm-password and add
auth required pam_u2f.so nouserok origin=pam://hostname appid=pam://hostname
after the existing auth lines. Note the nouserok option, which lets the rule succeed if the user has not configured a key. This way, setups with multiple users where only some of them use a Solo are supported.
u2f_keys file is unavailable. In this case use a central mapping file as explained in the official documentation of pam-u2f.
Other authentication methods
Enable the PAM module for other services as explained above. For example, to secure the screensaver of Cinnamon, edit /etc/pam.d/cinnamon-screensaver.
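The following script is an added example, not part of the original article or of pam-u2f: it checks a PAM service file for the pam_u2f.so rules described above and reports a key-only (sufficient) rule, the nouserok bypass, and origin/appid values that do not match this host, such as a leftover pam://hostname placeholder. The function name, finding codes, sample file contents and the hostname workstation are assumptions made for the example.

```python
import re

# Added example: lint pam_u2f.so rules in a PAM service file (hypothetical helper).
# A PAM rule is: type  control  module-path  [module-arguments]
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

MESSAGES = {
    "key-only": "control is 'sufficient': touching the key alone passes this stack",
    "nouserok": "nouserok: users without a registered key skip the U2F check",
    "origin-mismatch": "origin differs from pam://<this host>",
    "appid-mismatch": "appid differs from pam://<this host>",
}

def audit_pam_u2f(text, hostname):
    """Return [(line_no, code)] for every pam_u2f.so rule found in text."""
    expected = "pam://" + hostname  # value used with pamu2fcfg -o / -i
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m or not m.group(3).endswith("pam_u2f.so"):
            continue
        control, args = m.group(2), m.group(4).split()
        opts = dict(a.partition("=")[::2] for a in args)  # flags map to ""
        if control == "sufficient":
            findings.append((no, "key-only"))
        if "nouserok" in opts:
            findings.append((no, "nouserok"))
        for key in ("origin", "appid"):
            if key in opts and opts[key] != expected:
                findings.append((no, key + "-mismatch"))
    return findings

# Constructed sample files using the rules from this page.
SUDO_SAMPLE = """#%PAM-1.0
auth sufficient pam_u2f.so origin=pam://hostname appid=pam://hostname
auth include system-auth
"""
GDM_SAMPLE = """auth include system-local-login
auth required pam_u2f.so nouserok origin=pam://workstation appid=pam://workstation
"""

if __name__ == "__main__":
    for name, text in (("sudo", SUDO_SAMPLE), ("gdm-password", GDM_SAMPLE)):
        for no, code in audit_pam_u2f(text, "workstation"):
            print(f"{name}:{no}: {MESSAGES[code]}")
```

Run it against copies of the files under /etc/pam.d after editing them; the key-only and nouserok findings describe intended behaviour in the setups above and are listed so that the trade-off is visible.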
Troubleshooting
If you manage to lock yourself out of the system, boot into recovery mode or from a USB pen drive. Then revert the changes in the PAM config and reboot.