Secure Two-Factor Authentication with TREZOR — U2F on Linux Mint

Trezor recently upgraded the firmware for their handy devices to include U2F functionality. This is great for securing online resources, but what about using your Trezor and U2F to help secure Ubuntu/Mint workstations? Is it possible to add two-factor authentication to things like MDM logins and sudo?

Warning

Be aware that if you mess things up, or don't have your Trezor handy after you finish configuring U2F on your workstation, you'll be locked out. Caveat Emptor!

Update: Reddit user /u/stickac adds:

Cool thing about TREZOR is that you can recover the seed used to generate the U2F secret, so even if you lose your TREZOR you can still log in to your machine after recovery (as opposed to when using other U2F tokens).

See: https://doc.satoshilabs.com/trezor-user/recovery.html

Installation

You'll need your Trezor to be running firmware 1.4 or greater. See: https://blog.trezor.io/secure-two-factor-authentication-with-trezor-u2f-... for details. Once your Trezor is ready, you'll need to add U2F authentication as an option on your machine. To do so, install the needed U2F packages by running:

$ sudo apt-get install libpam-u2f pamu2fcfg

U2F_Mappings File

Next you'll need to generate your U2F mappings file. Plug in your Trezor and run:

$ pamu2fcfg -u yourusername > /tmp/u2f_mappings

You'll need to confirm on your Trezor at this point.

Now move the u2f_mappings file into /etc:

$ sudo mv /tmp/u2f_mappings /etc/u2f_mappings

Configuring Pam to Use U2F

PAM reads the u2f_mappings file you've put into /etc; you enable two-factor authentication on your system by adding a couple of config lines to the appropriate PAM service files under /etc/pam.d.

Here's some of the things you'll want to add U2F authentication to:

  • sudo
  • login
  • su
  • mdm, lightdm or gdm
  • cinnamon-screensaver

You can see the various things on your system which require authentication by looking in /etc/pam.d/. If you're a hacker like me, you can try configuring U2F for other things using the information in this article. If you do, I suggest trying it out on a Virtual Machine first.

$ ls /etc/pam.d

Examples

Time to fire up your favorite text editor!

sudo

First, add two-factor authentication to the sudo command.

$ sudo emacs -nw /etc/pam.d/sudo

Add this at the end of the file:

# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue

You can test at this point by firing up another terminal and running a sudo command. If you've done things correctly you'll be asked for your password and then prompted to "Please touch the device." Your Trezor will also be prompting you to authorize. Congratulations, your system now requires your Trezor to run sudo. Pretty neat, eh?

login

Next, let's secure login. I don't want anyone besides me getting onto my system using a virtual console. If you're not aware of what this means, check out: https://en.wikipedia.org/wiki/Virtual_console

$ sudo emacs -nw /etc/pam.d/login

Add this at the end of the file:

# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue

Test by bringing up a virtual console. Again you'll be prompted to touch your Trezor after you've authenticated.

su

By now you should see what is being done here. Let's lock down the su command now: https://en.wikipedia.org/wiki/Su_(Unix)

$ sudo emacs -nw /etc/pam.d/su

Add this at the end of the file:

# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue

You can test by running:

$ su yourusername
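The whole procedure above (generate the mappings file with pamu2fcfg, then add the same auth line to each service under /etc/pam.d) can be rehearsed on scratch copies before you edit the real files. The script below is an added example, not from the original post or from the pam_u2f project: it checks that a mappings file has the shape pam_u2f expects (the two-field user:keyhandle,pubkey form older pamu2fcfg prints and the longer form with a COSE type and options that newer versions emit) and appends the auth line to a service file exactly once, so running it twice cannot leave you with two touch prompts. The script name, the argument order and the placeholder key strings are assumptions; nothing in it is real registration data.

```shell
#!/bin/sh
# Added example, not from the original post or from the pam_u2f project.
# Assumed interface: "u2f_rehearse.sh PAMFILE MAPPINGS" operates on the paths
# you give it; with no arguments it rehearses on constructed data in a scratch
# directory and touches nothing under /etc.
set -eu

# Accept only lines of the form
#   user:keyhandle,pubkey[,cosetype,options][:keyhandle,pubkey...]
# Returns 1 on the first malformed line, 0 when every line is well-formed.
check_mappings() {
    file=$1
    [ -s "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        user=${line%%:*}
        rest=${line#*:}
        # a line without ':' leaves rest identical to line
        { [ -n "$user" ] && [ -n "$rest" ] && [ "$rest" != "$line" ]; } || return 1
        while [ -n "$rest" ]; do
            key=${rest%%:*}
            case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
            handle=${key%%,*}
            pub=${key#*,}
            # a key without ',' leaves pub identical to key
            { [ -n "$handle" ] && [ "$pub" != "$key" ]; } || return 1
            pub=${pub%%,*}
            [ -n "$pub" ] || return 1
        done
    done < "$file"
    return 0
}

# Append the pam_u2f auth line once. "required" means a failed or missing touch
# fails the whole stack, which is what makes the token a second factor rather
# than an alternative to the password.
ensure_u2f_line() {
    pamfile=$1
    mappings=$2
    if grep -q 'pam_u2f\.so' "$pamfile"; then
        return 0
    fi
    printf '%s\n' '# u2f authentication' \
        "auth required pam_u2f.so authfile=$mappings cue" >> "$pamfile"
}

# Number of pam_u2f lines in a service file ("0" when there are none).
count_u2f_lines() {
    grep -c 'pam_u2f\.so' "$1" || true
}

if [ $# -eq 2 ]; then
    check_mappings "$2" || { echo "malformed mappings file: $2" >&2; exit 1; }
    ensure_u2f_line "$1" "$2"
    echo "$1 now has $(count_u2f_lines "$1") pam_u2f line(s)"
else
    # Rehearsal on constructed data (placeholder strings, not real key material).
    scratch=$(mktemp -d)
    printf '%s\n' 'alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER,es256,+presence' \
        > "$scratch/u2f_mappings"
    printf '%s\n' '#%PAM-1.0' '@include common-auth' > "$scratch/sudo"
    check_mappings "$scratch/u2f_mappings"
    ensure_u2f_line "$scratch/sudo" "$scratch/u2f_mappings"
    ensure_u2f_line "$scratch/sudo" "$scratch/u2f_mappings"   # second run is a no-op
    echo "rehearsal: $(count_u2f_lines "$scratch/sudo") pam_u2f line(s) in $scratch/sudo"
    rm -rf "$scratch"
fi
```

Run it with no arguments first to see the rehearsal, then with a copy of /etc/pam.d/sudo and your real mappings file; only after that copy looks right should the line go into the real service file, and only while a root shell from before the change is still open in another terminal.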

Conclusion

Be sure to add U2F authentication to your login and screen saver screens as well. I run GDM and Cinnamon, so I set up U2F for those. Again, see /etc/pam.d for the config files you'll need to tweak. As mentioned in Mike Jonesey's article, to really secure your install you should be running your disks fully encrypted, etc.

Happy Hacking!

See Also:

https://blog.trezor.io/trezor-u2f-login-into-your-linux-mint-bd3684d4a8b...
https://blog.trezor.io/secure-two-factor-authentication-with-trezor-u2f-...
http://www.mikejonesey.co.uk/security/2fa/linux-desktop-2fa-with-pam-u2f

Google End to End (Encryption) Extension Build

Mr Technical has a build of Google's End to End Chrome extension available for those interested in trying it out. The software is offered as is without any kind of warranty.

For how to load unpacked extensions in Chrome see: http://www.thechromesource.com/tag/load-unpacked-extensions/
For more info on Google End to End see: https://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encr...

“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.

While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.

However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)

Once we feel that the extension is ready for primetime, we’ll make it available in the Chrome Web Store, and anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider.

We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection. But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.

You can find more technical details describing how we've architected and implemented End-to-End here.”
