Fedora 42 FIDO2 Security Key Integration Report
Prepared by: Joe Murphy
Affiliation: Cybersecurity Student, Spokane Falls Community College
Email: xxxxxxxx@bigfoot.spokane.edu
Date: May 19, 2025
This report details the integration of an Identiv uTrust FIDO2 security key with Fedora 42 to enable secure authentication for LUKS2 full disk encryption (FDE), graphical login (LightDM + Cinnamon), sudo elevation, and Polkit-based privilege escalation. Tested on a Dell Latitude E6430, the setup uses PIN and touch verification for enhanced security. The process is secure, reproducible, and ideal for instructional cybersecurity labs. Readers must use non-production systems, back up critical files, and prepare recovery mechanisms (e.g., live USB or TTY access) to avoid system lockout from misconfiguration.
Executive Summary
This guide provides a comprehensive walkthrough for integrating a FIDO2 security key (Identiv uTrust) with Fedora 42 to secure:
• LUKS2 full disk encryption (FDE)
• Graphical login (LightDM + Cinnamon)
• Sudo elevation
Background
FIDO2 (Fast Identity Online 2) is a modern standard for secure, passwordless, or multi-factor authentication using hardware tokens. It improves upon U2F by supporting public key cryptography with optional PIN and biometrics. LUKS2 (Linux Unified Key Setup 2) is a full-disk encryption format that supports multiple unlock methods, including FIDO2 tokens. Polkit (PolicyKit) manages system-wide privileges for graphical and terminal-based actions. This guide combines these technologies to ensure end-to-end system security from boot through desktop use and administrative tasks.
System Overview
Hardware and Software
• Architecture: x86_64
• CPU: Intel Core i7
• Kernel: 6.14.6-300.fc42.x86_64
• Fedora Version: Fedora 42 (Adams)
• Desktop Environment: Cinnamon with LightDM
• FIDO2 Key: Identiv uTrust FIDO2 Security Key
◦ Vendor/Product: 0x04e6:0x5a11
◦ Protocol: CTAP2 / FIDO_2_0
◦ PIN: Required
◦ User Presence (Touch): Required
◦ User Verification: PIN only (biometrics not supported)
◦ Device Path: /dev/hidraw0
• Disk Setup: Btrfs on LUKS2 FDE (/dev/sda3)
◦ LUKS UUID: de8d801b-9b41-4112-XXXXXXXX
◦ Keyslots:
▪ 0: Passphrase (argon2id)
▪ 1, 2: FIDO2 credentials (pbkdf2)
Process Flow Overview
The integration process involves system preparation, package installation, FIDO2 key enrollment, PAM and Polkit configuration, and thorough testing. A flowchart (not included here) outlines these phases.
Implementation Guide
Phase 1: System Preparation
- Perform a clean installation of Fedora 42 (Workstation or Custom Spin with Cinnamon + LightDM).
- During partitioning, ensure:
◦ Full Disk Encryption (FDE) using LUKS2 (Btrfs or ext4)
◦ No separate /home partition
◦ No auto-login enabled
◦ An admin user account is created (e.g., yourusername)
- Update the system:
sudo dnf upgrade --refresh -y
Phase 2: Package Installation
Install required development and security packages:
sudo dnf install -y \
  gcc make cmake git autoconf automake libtool \
  pam-devel systemd-devel glibc-devel openssl-devel \
  libfido2 libfido2-devel fido2-tools u2f-host pam-u2f \
  pcsc-lite pcsc-lite-ccid pcsc-tools ccid opensc \
  authselect cryptsetup pam_passwdqc fprintd-pam gnome-keyring-pam
Enable and start the PC/SC daemon for smartcard support:
sudo systemctl enable --now pcscd
Phase 3: FIDO2 Key Setup
- Insert the FIDO2 key and verify detection:
lsusb
fido2-token -L
fido2-token -I /dev/hidraw0
Expected output: Identiv uTrust FIDO2 (0x04e6:0x5a11) with options rk, clientPin.
- If the key isn’t recognized:
◦ Ensure /dev/hidraw0 exists.
◦ Load kernel modules:
sudo modprobe hid
sudo modprobe hid_generic
◦ Replug the key.
- If FIDO_ERR_INTERNAL (-9) occurs:
◦ Create the plugdev group and add your user to it:
sudo groupadd plugdev
sudo usermod -aG plugdev $USER
◦ Apply a udev rule:
echo 'KERNEL=="hidraw*", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="5a11", TAG+="uaccess", GROUP="plugdev"' | sudo tee /etc/udev/rules.d/70-u2f.rules
sudo udevadm control --reload-rules && sudo udevadm trigger
◦ Reboot.
- Enroll the FIDO2 key for LUKS2:
sudo systemd-cryptenroll --fido2-device=/dev/hidraw0 --fido2-with-client-pin=yes /dev/sda3
- Validate enrollment:
sudo cryptsetup luksDump /dev/sda3
- Update /etc/crypttab:
sudo nano /etc/crypttab
Add or modify the entry below. Note that the fourth crypttab field is a single comma-separated options list; options separated by spaces are silently ignored:
luks-de8d801b-9b41-4112-XXXXXXXX UUID=de8d801b-9b41-4112-XXXXXXXX none fido2-device=auto,fido2-with-client-pin=yes,discard
Phase 4: PAM Configuration
- Fedora’s pam-u2f package lacks pamu2fcfg. Build it from source:
git clone https://github.com/Yubico/pam-u2f
cd pam-u2f
mkdir build && cd build
cmake -DBUILD_MANPAGES=OFF ..
make
sudo cp ./pamu2fcfg/pamu2fcfg /usr/local/bin/
sudo chmod +x /usr/local/bin/pamu2fcfg
- Generate the U2F mapping:
pamu2fcfg -n -u $(whoami) -o pam://fedora | sudo tee /etc/u2f_mappings
Verify the output includes +presence+pin (e.g., yourusername:3aaOH5…Base64…,M9hAf2…==,es256,+presence+pin).
- Set permissions:
sudo chmod 600 /etc/u2f_mappings
sudo chown root:root /etc/u2f_mappings
- Back up PAM files:
mkdir -p ~/fido2-audit/pam
sudo cp /etc/pam.d/{sudo,lightdm,cinnamon-screensaver,system-auth,password-auth,polkit-1} ~/fido2-audit/pam/
- Patch PAM files (/etc/pam.d/sudo, /etc/pam.d/lightdm, /etc/pam.d/cinnamon-screensaver). The script backs each file up, removes any earlier pam_u2f line, then inserts the new one directly before the line that pulls in system-auth (lightdm uses "substack" rather than "include", so the pattern matches both):
#!/bin/bash
FILES=(/etc/pam.d/sudo /etc/pam.d/lightdm /etc/pam.d/cinnamon-screensaver)
for FILE in "${FILES[@]}"; do
    # Timestamped backup before touching the file
    sudo cp "$FILE" "$FILE.bak.$(date +%s)"
    # Remove any previous pam_u2f line so the script is safe to re-run
    sudo sed -i '/pam_u2f.so/d' "$FILE"
    # Insert pam_u2f before "auth include system-auth" or "auth substack system-auth"
    sudo sed -i '/^auth.*\(include\|substack\).*system-auth/i auth required pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1 userpresence=1' "$FILE"
done
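As an added check that is not part of the original report, the script below lints a mapping file and a PAM file for the two properties Phase 4 depends on: every credential in the mapping enforces +presence+pin, and the pam_u2f.so line sits before the system-auth include/substack line with pinverification=1 and userpresence=1. It runs on constructed sample files with placeholder key material; point the same functions at /etc/u2f_mappings and the real /etc/pam.d files (polkit-1 included) to check a live system.

```shell
#!/bin/bash
# Added check (not from the original report). Mapping lines follow the pam-u2f
# format user:keyhandle,pubkey,cosetype,options[:keyhandle,pubkey,cosetype,options...]

# check_u2f_mappings FILE: every credential must be es256 with +presence and +pin
check_u2f_mappings() {
    [ -s "$1" ] || { echo "$1: missing or empty"; return 1; }
    awk 'BEGIN { bad = 0 } {
        n = split($0, cred, ":")
        if (n < 2) { printf "line %d: no credential after username\n", NR; bad = 1; next }
        for (i = 2; i <= n; i++) {
            if (split(cred[i], f, ",") != 4) { printf "line %d: credential %d malformed\n", NR, i - 1; bad = 1; continue }
            if (f[3] != "es256") { printf "line %d: unexpected COSE type %s\n", NR, f[3]; bad = 1 }
            if (index(f[4], "+presence") == 0 || index(f[4], "+pin") == 0) {
                printf "line %d: options \"%s\" do not require touch and PIN\n", NR, f[4]; bad = 1
            }
        }
    } END { exit bad }' "$1"
}

# check_pam_u2f FILE: "auth required pam_u2f.so" must precede system-auth and carry the guide's options
check_pam_u2f() {
    u2f=$(grep -nE '^auth[[:space:]]+required[[:space:]]+pam_u2f\.so' "$1" | head -n1 | cut -d: -f1)
    sys=$(grep -nE '^auth[[:space:]]+(include|substack)[[:space:]]+system-auth' "$1" | head -n1 | cut -d: -f1)
    [ -n "$u2f" ] || { echo "$1: no 'auth required pam_u2f.so' line"; return 1; }
    [ -n "$sys" ] || { echo "$1: no auth include/substack system-auth line"; return 1; }
    [ "$u2f" -lt "$sys" ] || { echo "$1: pam_u2f.so must precede system-auth"; return 1; }
    line=$(sed -n "${u2f}p" "$1")
    for opt in authfile= pinverification=1 userpresence=1; do
        case "$line" in *"$opt"*) ;; *) echo "$1: pam_u2f line lacks $opt"; return 1 ;; esac
    done
}

# Constructed sample inputs with placeholder key material (not real credentials)
SAMPLE_DIR=$(mktemp -d)
echo 'alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER,es256,+presence+pin' > "$SAMPLE_DIR/mappings_good"
echo 'alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER,es256,+presence' > "$SAMPLE_DIR/mappings_nopin"
printf '%s\n' 'auth required pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1 userpresence=1' \
              'auth include system-auth' > "$SAMPLE_DIR/sudo_good"
printf '%s\n' 'auth substack system-auth' \
              'auth required pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1 userpresence=1' > "$SAMPLE_DIR/lightdm_bad"
for f in mappings_good mappings_nopin; do
    if check_u2f_mappings "$SAMPLE_DIR/$f"; then echo "$f: ok"; fi
done
for f in sudo_good lightdm_bad; do
    if check_pam_u2f "$SAMPLE_DIR/$f"; then echo "$f: ok"; fi
done
```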
Phase 5: Polkit Configuration
- Configure Polkit to use FIDO2 via PAM:
◦ Edit /etc/pam.d/polkit-1:
sudo nano /etc/pam.d/polkit-1
Ensure it includes:
#%PAM-1.0
auth required pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1 userpresence=1
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
- Verify the Polkit agent is running:
systemctl --user status polkit-gnome-authentication-agent-1
If using Cinnamon, ensure a compatible Polkit agent (e.g., polkit-gnome-authentication-agent-1) is installed and active.
Phase 6: Testing and Verification
- Reboot the system.
- Verify:
◦ LUKS Unlock: Prompts for PIN + Touch at boot.
◦ GUI Login (LightDM): Requires PIN + Touch.
◦ Cinnamon Lock Screen: PIN + Touch (may require switching from password prompt).
◦ Sudo Elevation:
sudo echo test
Should prompt for PIN + Touch.
◦ Polkit Actions:
pkexec ls /root
Or try installing software via a GUI tool (e.g., GNOME Software). Should prompt for PIN + Touch.
- Ensure fallback password login remains functional.
- Observations:
◦ Cinnamon lock screen may default to password; FIDO2 is an alternate method.
◦ Polkit GUI prompts may vary by desktop environment; test thoroughly.
Recovery and Backup
Backup Strategy
• Store PAM files:
mkdir -p ~/fido2-audit/pam_restore
for file in sudo lightdm cinnamon-screensaver system-auth password-auth polkit-1; do
    sudo cp ~/fido2-audit/pam/$file ~/fido2-audit/pam_restore/$file
done
• Document the LUKS passphrase and store it securely (e.g., encrypted password manager, offline copy).
Restoration Process
• Revert PAM changes using ~/fido2-audit/pam_restore/ if needed.
• Use a Fedora 42 live USB for recovery.
• Ensure TTY/root access via recovery mode (Ctrl+Alt+F3).
Emergency Access
• Create a complex, high-entropy password during installation.
• Use this password only for emergencies (e.g., PAM failure, key loss).
• Store securely in an encrypted password manager (e.g., KeePassXC), BitLocker/VeraCrypt volume, or offline locked location.
Issue: Multiple FIDO2 Keys and LUKS2 Enrollment Conflict
• Fix: Identify the USB bus/device numbers:
lsusb
Look for Identiv uTrust FIDO2 (e.g., Bus 001 Device 003: ID 04e6:5a11).
◦ Reset the key:
sudo usbreset /dev/bus/usb/001/003
◦ Or replug and verify:
fido2-token -I /dev/hidraw0
Important Warnings
Lab-Only Setup
This setup risks complete system lockout if PAM, crypttab, or Polkit is misconfigured. Always:
• Use a non-critical test machine.
• Back up modified files (/etc/pam.d/*, /etc/crypttab).
• Prepare recovery options (Fedora 42 live USB, TTY/root access).
Dracut Caution
systemd-cryptenroll typically auto-regenerates the initramfs. Do not run dracut --force unless:
• /etc/crypttab is correctly configured.
• FIDO2 key enrollment is verified.
• Unlock works before reboot.
If needed:
sudo dracut --force
Misuse can prevent booting.
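As an added preflight that is not part of the original report, the script below checks the first two conditions above from saved copies of /etc/crypttab and of cryptsetup luksDump output (for example "sudo cryptsetup luksDump /dev/sda3 > dump.txt"), so it can be run before anyone touches dracut or reboots. The sample inputs are constructed and abbreviated; the UUID is the redacted one from this report.

```shell
#!/bin/bash
# Added pre-reboot preflight (not from the original report): confirm the crypttab
# entry uses the FIDO2 token with PIN and that the passphrase fallback slot survives.

# check_crypttab FILE UUID: options are one comma-separated field in crypttab
check_crypttab() {
    entry=$(awk -v u="UUID=$2" '$1 !~ /^#/ && $2 == u { print; exit }' "$1")
    [ -n "$entry" ] || { echo "crypttab: no entry for UUID=$2"; return 1; }
    set -- $entry                      # name device keyfile options
    [ "$3" = "none" ] || { echo "crypttab: key file field should be none, got $3"; return 1; }
    case ",$4," in *,fido2-device=*) ;; *) echo "crypttab: no fido2-device= option"; return 1 ;; esac
    case ",$4," in *,fido2-with-client-pin=yes,*) ;; *) echo "crypttab: fido2-with-client-pin=yes missing"; return 1 ;; esac
}

# check_luks_dump FILE: a systemd-fido2 token bound to an existing keyslot, plus keyslot 0 as argon2id passphrase
check_luks_dump() {
    awk '
        /^Keyslots:/ { sect = "slots" } /^Tokens:/ { sect = "tokens" } /^Digests:/ { sect = "digests" }
        sect == "slots" && $1 ~ /^[0-9]+:$/ && $2 == "luks2" { slot = $1; sub(":", "", slot); slots[slot] = 1 }
        sect == "slots" && $1 == "PBKDF:" && $2 == "argon2id" { argon[slot] = 1 }
        sect == "tokens" && $1 ~ /^[0-9]+:$/ && $2 == "systemd-fido2" { tokens++; tok = $1 }
        sect == "tokens" && $1 == "Keyslot:" { bound[tok] = $2 }
        END {
            if (tokens == 0) { print "no systemd-fido2 token enrolled"; exit 1 }
            for (t in bound) if (!(bound[t] in slots)) { print "token " t " points at missing keyslot " bound[t]; exit 1 }
            if (!("0" in argon)) { print "keyslot 0 is not an argon2id passphrase slot: no fallback"; exit 1 }
        }' "$1"
}

# Constructed, abbreviated sample inputs matching the layout this report describes
SAMPLE_DIR=$(mktemp -d)
echo 'luks-de8d801b-9b41-4112-XXXXXXXX UUID=de8d801b-9b41-4112-XXXXXXXX none fido2-device=auto,fido2-with-client-pin=yes,discard' > "$SAMPLE_DIR/crypttab"
cat > "$SAMPLE_DIR/luksdump" <<'EOF'
Keyslots:
  0: luks2
      PBKDF:      argon2id
  1: luks2
      PBKDF:      pbkdf2
Tokens:
  0: systemd-fido2
      Keyslot:    1
Digests:
  0: pbkdf2
EOF
check_crypttab "$SAMPLE_DIR/crypttab" de8d801b-9b41-4112-XXXXXXXX && echo "crypttab: ok"
check_luks_dump "$SAMPLE_DIR/luksdump" && echo "luksDump: ok"
```

A crypttab entry whose options are separated by spaces instead of commas fails the first check, which is exactly the case where the PIN flag would be ignored at boot.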
Security Considerations
• Benefits:
◦ FIDO2 provides strong, hardware-based authentication.
◦ PIN + Touch mitigates brute-force risks (key locks after 8 failed attempts).
• Vulnerabilities:
◦ Physical key loss requires fallback passphrase.
◦ Kernel updates may break FIDO2 support; test after upgrades.
• Recommendations:
◦ Register a backup FIDO2 key.
◦ Regularly back up /etc/u2f_mappings and PAM files.
Performance Metrics
• Boot Time: ~5–10 seconds added for LUKS FIDO2 prompt.
• GUI Login: ~2–3 seconds for PIN + Touch.
• Sudo/Polkit: ~1–2 seconds for authentication.
• Impact: Minimal; FIDO2 is lightweight but requires user interaction.
Conclusion
This Fedora 42 system successfully integrates an Identiv uTrust FIDO2 security key for LUKS2 disk unlock, GUI login, sudo authentication, and, potentially, Polkit-based privilege escalation. The setup is secure, reproducible, and ideal for educational cybersecurity labs. Potential future work:
• Automating setup with a Bash script.
• Optimizing LightDM to default to FIDO2 prompts.
• Exploring Polkit agent enhancements for Cinnamon.
Readers can replicate this guide, adhering to warnings and maintaining recovery plans. Community feedback is welcome to improve this living document.
Appendix: Resources
• Fedora Documentation: systemd-cryptenroll (https://docs.fedoraproject.org)
• Identiv uTrust FIDO2 Key Datasheet (https://www.identiv.com)
• Yubico pam-u2f on GitHub: Pluggable Authentication Module (PAM) for U2F and FIDO2 (https://github.com/Yubico/pam-u2f)
• Fedora Magazine: Use FIDO U2F security keys with Fedora Linux
• Fedora Docs: Using YubiKeys with Fedora
This guide is provided as a working implementation based on Fedora 42 and the Identiv uTrust FIDO2 security key. It reflects the most reliable configuration tested as of May 2025. While most authentication paths (LUKS, GUI login, sudo) are confirmed functional with PIN + Touch, I was unable to fully enable FIDO2 for Polkit GUI prompts due to time constraints. That feature is not essential for secure daily use, and I prioritized stability for academic responsibilities over deeper debugging. If you choose to explore Polkit integration further, ensure a compatible agent is installed (e.g., polkit-gnome-authentication-agent-1) and test thoroughly. As always, back up your system, keep a strong fallback passphrase, and approach modifications carefully — especially when editing PAM or crypttab files. If this guide helped you, or you improve on it, please share your results so others can benefit.
Note: This repost replaces an earlier thread originally posted in the Q&A section. Thanks to those who replied with thoughtful feedback:
• Chris pointed out that the post might be better suited for the Projects category than Q&A. He emphasized the importance of clarity around guide intent and audience — whether it’s a call for help or a shared solution — and encouraged reclassification for visibility and relevance.
• Another user highlighted potential differences in Fedora spins, asking whether certain issues (like PAM file behavior or token detection) might behave differently across desktops (e.g., GNOME vs. Cinnamon). This was a helpful reminder that Fedora’s authentication stack can vary by environment, and such caveats should be clearly noted in future revisions.
These insights helped refine the updated version now posted here in the proper section, with clearer scope and reproducibility focus.
Example of PAM Files:
Sanitized PAM Configuration
=== /etc/pam.d/sudo ===
auth required pam_u2f.so authfile=/path/to/mappings cue pinverification=1 userpresence=1
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
=== /etc/pam.d/lightdm ===
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth required pam_u2f.so authfile=/path/to/mappings cue pinverification=1 userpresence=1
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include system-auth
session optional pam_lastlog.so silent
session include postlogin
=== /etc/pam.d/cinnamon-screensaver ===
auth include system-auth
=== /etc/pam.d/polkit-1 ===
#%PAM-1.0
auth required pam_u2f.so authfile=/path/to/mappings cue pinverification=1 userpresence=1
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
=== /etc/pam.d/system-auth ===
# Generated by authselect
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok
auth required pam_deny.so