Over Christmas I received a Thetis u2f key. I had some issues setting it up and will document the process here.

Install Packages

The first step is to install the necessary PAM packages.

sudo apt update && sudo apt install libpam-u2f

Udev Rules

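For Thetis we need to set up some udev rules. I found this referenced on their support page here under “Does it support Ubuntu”. Note that the rule matches every hidraw device, not only the key, and gives the plugdev group read/write access to them. You will need to reboot after setting those rules up.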

echo 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev"' | sudo tee /etc/udev/rules.d/thetisu2f.rules
sudo reboot

Register Key

Next, register the key. It is important to do this as the user you plan to authenticate with. My one issue was that I was registering the key as root and then it wouldn’t work for sign-in or sudo.

pamu2fcfg > /tmp/u2f_keys
sudo mv /tmp/u2f_keys /etc/u2f_keys

Sudo Setup

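I wanted a way to run sudo commands with either a password or the key. This way will also allow you to still sudo if something is broken with the key. Edit /etc/pam.d/sudo and add the following above the line that says @include common-auth. The sufficient control flag is what gives the either/or behaviour: if the key check succeeds, PAM skips the rest of the auth stack, and if it fails, PAM carries on to the password prompt.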

auth    sufficient    pam_u2f.so   cue authfile=/etc/u2f_keys

Then save the file. Without closing your current terminal, open up another and run the following to test it.

sudo echo

You should see the following with your key blinking:

dan@ubuntu-test:~$ sudo echo
Please touch the device.

Press the key and it will authenticate sudo for you. If you wait too long, or don’t have the key plugged in, it will prompt for a password like normal.

Login Setup

The key can also be used for login. The file that needs to be edited is /etc/pam.d/gdm-password. Add the following line above the line that says @include common-auth.

auth    sufficient    pam_u2f.so   cue authfile=/etc/u2f_keys

Now it will prompt for your key before checking a password if it is plugged in.
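To double-check the pieces above (the key is registered under the right user, the pam_u2f line sits above @include common-auth, and the key file is not writable by anyone else), here is a small helper script. It is an added example, not part of the original post; the function names are made up for illustration, and it assumes GNU stat and pamu2fcfg's "user:keyhandle,..." line format.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the pam_u2f setup in this post.
# All paths are arguments, so the checks can also be run on copies.

# Succeeds if AUTHFILE has a pamu2fcfg entry ("user:keyhandle,...") for USER.
# Catches the "registered as root" mistake: the entry would start with "root:".
u2f_user_registered() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Succeeds if AUTHFILE is owned by OWNER_UID and not group/other writable.
# pam_u2f trusts whatever keys this file lists, so only root should edit it.
authfile_locked_down() {
    local authfile=$1 owner_uid=$2 mode
    [ "$(stat -c %u "$authfile")" = "$owner_uid" ] || return 1
    mode=$(stat -c %a "$authfile")
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Succeeds if the first active pam_u2f.so line in PAMFILE comes before
# "@include common-auth"; otherwise the password is asked for first.
pam_u2f_before_common_auth() {
    awk '
        /^[[:space:]]*#/ { next }
        /pam_u2f\.so/ && !u2f { u2f = NR }
        /^@include[[:space:]]+common-auth/ && !inc { inc = NR }
        END { exit !(u2f && inc && u2f < inc) }
    ' "$1"
}

# Runs all three checks; OWNER_UID defaults to 0 (root).
check_u2f_setup() {
    local user=$1 authfile=$2 pamfile=$3 uid=${4:-0} rc=0
    u2f_user_registered "$authfile" "$user" ||
        { echo "no key registered for $user in $authfile"; rc=1; }
    authfile_locked_down "$authfile" "$uid" ||
        { echo "$authfile has the wrong owner or is group/other writable"; rc=1; }
    pam_u2f_before_common_auth "$pamfile" ||
        { echo "pam_u2f.so is not above @include common-auth in $pamfile"; rc=1; }
    return "$rc"
}
```

For the setup in this post, source the script and run `check_u2f_setup "$USER" /etc/u2f_keys /etc/pam.d/sudo` (and again with /etc/pam.d/gdm-password). If the ownership check fails, `sudo chown root:root /etc/u2f_keys` followed by `sudo chmod 644 /etc/u2f_keys` fixes it.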

Limitations

The Firefox setup on Thetis’ website didn’t work for me. It looks like they officially only support Chrome or Opera. I refuse to use those browsers so that’s a bummer. Perhaps I’ll find a way to fix that in the future. If I do I will update this post.