Securing Fedora with FIDO2 (uTrust): Full-Disk (LUKS), GUI Login, and Sudo Authentication

Fedora 42 FIDO2 Security Key Integration Report
Prepared by: Joe Murphy
Affiliation: Cybersecurity Student, Spokane Falls Community College
Email: xxxxxxxx@bigfoot.spokane.edu

Date: May 19, 2025

This report details the integration of an Identiv uTrust FIDO2 security key with Fedora 42 to enable secure authentication for LUKS2 full disk encryption (FDE), graphical login (LightDM + Cinnamon), sudo elevation, and Polkit-based privilege escalation. Tested on a Dell Latitude E6430, the setup uses PIN and touch verification for enhanced security. The process is secure, reproducible, and ideal for instructional cybersecurity labs. Readers must use non-production systems, back up critical files, and prepare recovery mechanisms (e.g., live USB or TTY access) to avoid system lockout from misconfiguration.

Executive Summary

This guide provides a comprehensive walkthrough for integrating a FIDO2 security key (Identiv uTrust) with Fedora 42 to secure:
• LUKS2 full disk encryption (FDE)
• Graphical login (LightDM + Cinnamon)
• Sudo elevation

Background

FIDO2 (Fast Identity Online 2) is a modern standard for secure, passwordless, or multi-factor authentication using hardware tokens. It improves upon U2F by supporting public key cryptography with optional PIN and biometrics. LUKS2 (Linux Unified Key Setup 2) is a full-disk encryption format that supports multiple unlock methods, including FIDO2 tokens. Polkit (PolicyKit) manages system-wide privileges for graphical and terminal-based actions. This guide combines these technologies to ensure end-to-end system security from boot through desktop use and administrative tasks.
System Overview
Hardware and Software
• Architecture: x86_64
• CPU: Intel Core i7
• Kernel: 6.14.6-300.fc42.x86_64
• Fedora Version: Fedora 42 (Adams)
• Desktop Environment: Cinnamon with LightDM
• FIDO2 Key: Identiv uTrust FIDO2 Security Key
◦ Vendor/Product: 0x04e6:0x5a11
◦ Protocol: CTAP2 / FIDO_2_0
◦ PIN: Required
◦ User Presence (Touch): Required
◦ User Verification: PIN only (biometrics not supported)
◦ Device Path: /dev/hidraw0

• Disk Setup: Btrfs on LUKS2 FDE (/dev/sda3)
    ◦ LUKS UUID: de8d801b-9b41-4112-XXXXXXXX
    ◦ Keyslots:
        ▪ 0: Passphrase (argon2id)
        ▪ 1, 2: FIDO2 credentials (pbkdf2)

Process Flow Overview
The integration process involves system preparation, package installation, FIDO2 key enrollment, PAM and Polkit configuration, and thorough testing. A flowchart (not included here) outlines these phases.

Implementation Guide

Phase 1: System Preparation

  1. Perform a clean installation of Fedora 42 (Workstation or Custom Spin with Cinnamon + LightDM).
  2. During partitioning, ensure:
    ◦ Full Disk Encryption (FDE) using LUKS2 (Btrfs or ext4)
    ◦ No separate /home partition
    ◦ No auto-login enabled
    ◦ An admin user account is created (e.g., yourusername)
  3. Update the system: sudo dnf upgrade --refresh -y

Phase 2: Package Installation
Install required development and security packages:
    sudo dnf install -y \
        gcc make cmake git autoconf automake libtool \
        pam-devel systemd-devel glibc-devel openssl-devel \
        libfido2 libfido2-devel fido2-tools u2f-host pam-u2f \
        pcsc-lite pcsc-lite-ccid pcsc-tools ccid opensc \
        authselect cryptsetup pam_passwdqc fprintd-pam gnome-keyring-pam
Enable and start the PC/SC daemon for smartcard support: sudo systemctl enable --now pcscd

Phase 3: FIDO2 Key Setup

  1. Insert the FIDO2 key and verify detection:
       lsusb
       fido2-token -L
       fido2-token -I /dev/hidraw0
     Expected output: Identiv uTrust FIDO2 (0x04e6:0x5a11) with options rk, clientPin.
  2. If the key isn’t recognized:
    ◦ Ensure /dev/hidraw0 exists.
    ◦ Load kernel modules:
        sudo modprobe hid
        sudo modprobe hid_generic
    ◦ Replug the key.
  3. If FIDO_ERR_INTERNAL (-9) occurs:
    ◦ Create the plugdev group:
        sudo groupadd plugdev
        sudo usermod -aG plugdev $USER
    ◦ Apply a udev rule:
        echo 'KERNEL=="hidraw*", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="5a11", TAG+="uaccess", GROUP="plugdev"' | sudo tee /etc/udev/rules.d/70-u2f.rules
        sudo udevadm control --reload-rules && sudo udevadm trigger
    ◦ Reboot.
  4. Enroll the FIDO2 key for LUKS2:
       sudo systemd-cryptenroll --fido2-device=/dev/hidraw0 --fido2-with-client-pin=yes /dev/sda3
  5. Validate enrollment:
       sudo cryptsetup luksDump /dev/sda3
  6. Update /etc/crypttab:
       sudo nano /etc/crypttab
     Add or modify (the fourth field is a single comma-separated option list):
       luks-de8d801b-9b41-4112-XXXXXXXX UUID=de8d801b-9b41-4112-XXXXXXXX none fido2-device=auto,fido2-with-client-pin=yes,discard

Phase 4: PAM Configuration

  1. Fedora’s pam-u2f package lacks pamu2fcfg. Build it from source:
       git clone https://github.com/Yubico/pam-u2f.git
       cd pam-u2f
       mkdir build && cd build
       cmake -DBUILD_MANPAGES=OFF ..
       make
       sudo cp ./pamu2fcfg/pamu2fcfg /usr/local/bin/
       sudo chmod +x /usr/local/bin/pamu2fcfg
  2. Generate U2F mapping:
       # -P records the PIN requirement on the credential; no -n, so the
       # "username:" prefix that pam_u2f looks up is kept
       pamu2fcfg -u "$(whoami)" -o pam://fedora -P | sudo tee /etc/u2f_mappings
     Verify output includes +presence+pin (e.g., yourusername:3aaOH5…Base64…,M9hAf2…==,es256,+presence+pin).
  3. Set permissions:
       sudo chmod 600 /etc/u2f_mappings
       sudo chown root:root /etc/u2f_mappings
  4. Back up PAM files:
       mkdir -p ~/fido2-audit/pam
       sudo cp /etc/pam.d/{sudo,lightdm,cinnamon-screensaver,system-auth,password-auth,polkit-1} ~/fido2-audit/pam/
  5. Patch PAM files (/etc/pam.d/sudo, /etc/pam.d/lightdm, /etc/pam.d/cinnamon-screensaver):
       #!/bin/bash
       FILES=(/etc/pam.d/sudo /etc/pam.d/lightdm /etc/pam.d/cinnamon-screensaver)
       # origin/appid must match the -o value given to pamu2fcfg; pam_u2f
       # otherwise defaults to pam://<hostname>
       U2F_OPTS='authfile=/etc/u2f_mappings origin=pam://fedora appid=pam://fedora cue pinverification=1 userpresence=1'
       for FILE in "${FILES[@]}"; do
           sudo cp "$FILE" "$FILE.bak.$(date +%s)"
           sudo sed -i '/pam_u2f.so/d' "$FILE"
           # lightdm pulls in system-auth with "substack", sudo and the
           # screensaver with "include"; insert the key check in front of it
           sudo sed -i "/^auth.*\(include\|substack\).*system-auth/i auth       required    pam_u2f.so $U2F_OPTS" "$FILE"
       done

Phase 5: Polkit Configuration

  1. Configure Polkit to use FIDO2 via PAM:
    ◦ Edit /etc/pam.d/polkit-1:
        sudo nano /etc/pam.d/polkit-1
      Ensure it includes:
        #%PAM-1.0
        # origin/appid match the -o value given to pamu2fcfg
        auth       required    pam_u2f.so authfile=/etc/u2f_mappings origin=pam://fedora appid=pam://fedora cue pinverification=1 userpresence=1
        auth       include     system-auth
        account    include     system-auth
        password   include     system-auth
        session    include     system-auth
  2. Verify Polkit agent is running:
       # the agent is started by the desktop session, so look for its process
       pgrep -af polkit-gnome-authentication-agent-1
     If using Cinnamon, ensure a compatible Polkit agent (e.g., polkit-gnome-authentication-agent-1) is installed and active.

Phase 6: Testing and Verification

  1. Reboot the system.
  2. Verify:
    ◦ LUKS Unlock: Prompts for PIN + Touch at boot.
    ◦ GUI Login (LightDM): Requires PIN + Touch.
    ◦ Cinnamon Lock Screen: PIN + Touch (may require switching from password prompt).
    ◦ Sudo Elevation:
        sudo -k && sudo echo test    # -k drops cached credentials so the prompt is not skipped
      Should prompt for PIN + Touch.
    ◦ Polkit Actions:
        pkexec ls /root
      Or try installing software via a GUI tool (e.g., GNOME Software). Should prompt for PIN + Touch.
  3. Ensure fallback password login remains functional.
  4. Observations:
    ◦ Cinnamon lock screen may default to password; FIDO2 is an alternate method.
    ◦ Polkit GUI prompts may vary by desktop environment; test thoroughly.

Recovery and Backup

Backup Strategy
• Store PAM files:
    mkdir -p ~/fido2-audit/pam_restore
    for file in sudo lightdm cinnamon-screensaver system-auth password-auth polkit-1; do
        sudo cp ~/fido2-audit/pam/$file ~/fido2-audit/pam_restore/$file
    done
• Document the LUKS passphrase and store it securely (e.g., encrypted password manager, offline copy).

Restoration Process
• Revert PAM changes using ~/fido2-audit/pam_restore/ if needed.
• Use a Fedora 42 live USB for recovery.
• Ensure TTY/root access via recovery mode (Ctrl+Alt+F3).

Emergency Access
• Create a complex, high-entropy password during installation.
• Use this password only for emergencies (e.g., PAM failure, key loss).
• Store securely in an encrypted password manager (e.g., KeePassXC), BitLocker/VeraCrypt volume, or offline locked location.

Issue: Multiple FIDO2 Keys and LUKS2 Enrollment Conflict
• Fix: Identify the USB bus/device numbers:
    lsusb
  Look for Identiv uTrust FIDO2 (e.g., Bus 001 Device 003: ID 04e6:5a11).
◦ Reset the key:
    sudo usbreset /dev/bus/usb/001/003
◦ Or replug and verify:
    fido2-token -I /dev/hidraw0

Important Warnings
Lab-Only Setup
This setup risks complete system lockout if PAM, crypttab, or Polkit is misconfigured. Always:
• Use a non-critical test machine.
• Back up modified files (/etc/pam.d/*, /etc/crypttab).
• Prepare recovery options (Fedora 42 live USB, TTY/root access).

Dracut Caution
systemd-cryptenroll typically auto-regenerates initramfs. Do not run dracut --force unless:
• /etc/crypttab is correctly configured.
• FIDO2 key enrollment is verified.
• Unlock works before reboot.
If needed:
    sudo dracut --force
Misuse can prevent booting.

Security Considerations
• Benefits:
◦ FIDO2 provides strong, hardware-based authentication.
◦ PIN + Touch mitigates brute-force risks (key locks after 8 failed attempts).
• Vulnerabilities:
◦ Physical key loss requires fallback passphrase.
◦ Kernel updates may break FIDO2 support; test after upgrades.
• Recommendations:
◦ Register a backup FIDO2 key.
◦ Regularly back up /etc/u2f_mappings and PAM files.

Performance Metrics
• Boot Time: ~5–10 seconds added for LUKS FIDO2 prompt.
• GUI Login: ~2–3 seconds for PIN + Touch.
• Sudo/Polkit: ~1–2 seconds for authentication.
• Impact: Minimal; FIDO2 is lightweight but requires user interaction.

Conclusion

This Fedora 42 system successfully integrates an Identiv uTrust FIDO2 security key for LUKS2 disk unlock, GUI login, sudo authentication, and potential Polkit-based privilege escalation. The setup is secure, reproducible, and ideal for educational cybersecurity labs. Future potential work:
• Automating setup with a Bash script.
• Optimizing LightDM to default to FIDO2 prompts.
• Exploring Polkit agent enhancements for Cinnamon.

Readers can replicate this guide, adhering to warnings and maintaining recovery plans. Community feedback is welcome to improve this living document.

Appendix: Resources
• Fedora Documentation: systemd-cryptenroll (https://docs.fedoraproject.org)
• Identiv uTrust FIDO2 Key Datasheet (https://www.identiv.com)
• Yubico pam-u2f, Pluggable Authentication Module (PAM) for U2F and FIDO2 (https://github.com/Yubico/pam-u2f)
• Fedora Magazine: Use FIDO U2F security keys with Fedora Linux
• Fedora Docs: Using YubiKeys with Fedora

This guide is provided as a working implementation based on Fedora 42 and the Identiv uTrust FIDO2 security key. It reflects the most reliable configuration tested as of May 2025. While most authentication paths (LUKS, GUI login, sudo) are confirmed functional with PIN + Touch, I was unable to fully enable FIDO2 for Polkit GUI prompts due to time constraints. That feature is not essential for secure daily use, and I prioritized stability for academic responsibilities over deeper debugging. If you choose to explore Polkit integration further, ensure a compatible agent is installed (e.g., polkit-gnome-authentication-agent-1) and test thoroughly. As always, back up your system, keep a strong fallback passphrase, and approach modifications carefully — especially when editing PAM or crypttab files. If this guide helped you, or you improve on it, please share your results so others can benefit.

Example PAM Files:

Sanitized PAM Configuration 

=== /etc/pam.d/sudo ===
# origin/appid must match the -o value given to pamu2fcfg (pam://fedora); pam_u2f otherwise defaults to pam://<hostname>
auth       required    pam_u2f.so authfile=/path/to/mappings origin=pam://fedora appid=pam://fedora cue pinverification=1 userpresence=1
auth       include     system-auth
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so revoke
session    required    pam_limits.so
session    include     system-auth

=== /etc/pam.d/lightdm ===
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_env.so
# origin/appid must match the -o value given to pamu2fcfg (pam://fedora)
auth       required    pam_u2f.so authfile=/path/to/mappings origin=pam://fedora appid=pam://fedora cue pinverification=1 userpresence=1
auth       substack    system-auth
auth       include     postlogin
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
session    optional    pam_lastlog.so silent
session    include     postlogin

=== /etc/pam.d/cinnamon-screensaver ===
auth       include     system-auth

=== /etc/pam.d/polkit-1 ===
#%PAM-1.0
# origin/appid must match the -o value given to pamu2fcfg (pam://fedora)
auth       required    pam_u2f.so authfile=/path/to/mappings origin=pam://fedora appid=pam://fedora cue pinverification=1 userpresence=1
auth       include     system-auth
account    include     system-auth
password   include     system-auth
session    include     system-auth

=== /etc/pam.d/system-auth ===
# Generated by authselect
auth        required    pam_env.so
auth        required    pam_faildelay.so delay=2000000
auth        sufficient  pam_fprintd.so
auth        sufficient  pam_unix.so nullok
auth        required    pam_deny.so
account     required    pam_unix.so
password    requisite   pam_pwquality.so
password    sufficient  pam_unix.so yescrypt shadow nullok use_authtok
password    required    pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required    pam_unix.so

=== /etc/pam.d/password-auth ===
# Generated by authselect
auth        required    pam_env.so
auth        required    pam_faildelay.so delay=2000000
auth        sufficient  pam_unix.so nullok
auth        required    pam_deny.so
account     required    pam_unix.so
password    requisite   pam_pwquality.so
password    sufficient  pam_unix.so yescrypt shadow nullok use_authtok
password    required    pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required    pam_unix.so

Note: I originally posted a version of this guide in the “Ask Fedora” section, which I now realize wasn’t the most appropriate category. Several community members rightly pointed out that it would be more visible and helpful here under “Projects.” I appreciate their feedback and have reposted it here for clarity and proper context. Thanks to everyone who offered constructive input — I’m still relatively new to Fedora, and I’m learning as I go. I hope this write-up helps others avoid some of the challenges I ran into.
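The guide above hangs boot and login on two hand-edited files, /etc/crypttab and /etc/u2f_mappings, and one malformed line in either is exactly the lockout the warnings section describes. The script below is an added example, not part of Joe's post and not a Fedora or pam-u2f tool: it lints both files, plus the initramfs, before you reboot. The mapping layout (user:keyhandle,pubkey,cose_type,options, credentials joined by ':'), the four-field crypttab layout, the single-LUKS-volume assumption (so every crypttab entry is expected to use FIDO2), the sample lines and the check_initrd_fido2 heuristic (grepping lsinitrd output for "fido2") are my assumptions, not anything the guide states.

```shell
#!/bin/sh
# Added example (not from the guide): pre-reboot lint for the two files whose
# mistakes lock you out of this setup. Pure string checks, so it also runs
# with no token plugged in. Assumed layout:
#   /etc/u2f_mappings  user:keyhandle,pubkey,cose_type,options[:keyhandle,...]
#   /etc/crypttab      name  device  keyfile  comma,separated,options
# and a single LUKS volume, so every crypttab entry is expected to use FIDO2.

# check_mapping_line LINE USER
# Succeeds only if LINE belongs to USER and every credential on it carries
# both +presence and +pin, which is what the guide expects from pamu2fcfg.
check_mapping_line() {
    line=$1; user=$2
    case $line in "$user":*) ;; *) return 1 ;; esac
    creds=${line#"$user":}
    old_ifs=$IFS
    IFS=:; set -f; set -- $creds; set +f; IFS=$old_ifs   # split on ':'
    [ $# -ge 1 ] || return 1
    for cred in "$@"; do
        # exactly four comma-separated fields: keyhandle,pubkey,cose_type,options
        [ "$(printf '%s' "$cred" | awk -F, '{ print NF }')" -eq 4 ] || return 1
        opts=${cred##*,}
        case $opts in *+presence*) ;; *) return 1 ;; esac
        case $opts in *+pin*) ;; *) return 1 ;; esac
    done
    return 0
}

# check_crypttab_line LINE
# A crypttab entry has exactly four whitespace-separated fields; the fourth is
# one comma-separated option list. Options written with spaces become extra
# fields and are no longer options. Also insists on fido2-device= so the
# initrd asks the token and not only for a passphrase.
check_crypttab_line() {
    set -f; set -- $1; set +f
    [ $# -eq 4 ] || return 1
    case $2 in UUID=*|/dev/*) ;; *) return 1 ;; esac
    case ",$4," in *,fido2-device=*) ;; *) return 1 ;; esac
    return 0
}

# check_initrd_fido2
# The initramfs has to carry the FIDO2 cryptsetup plugin or boot silently
# falls back to the passphrase prompt. Skips (success) when it cannot look.
check_initrd_fido2() {
    command -v lsinitrd >/dev/null 2>&1 || { echo "skip: lsinitrd not found"; return 0; }
    [ -r "/boot/initramfs-$(uname -r).img" ] || { echo "skip: initramfs not readable (run as root)"; return 0; }
    lsinitrd 2>/dev/null | grep -q fido2
}

# lint_system USER: run every check against the live files (root needed to
# read /etc/u2f_mappings); one line per problem, non-zero exit on any.
lint_system() {
    user=$1; rc=0; found=0
    if [ -r /etc/u2f_mappings ]; then
        while IFS= read -r l; do
            case $l in "$user":*)
                found=1
                check_mapping_line "$l" "$user" || { echo "BAD mapping for $user"; rc=1; } ;;
            esac
        done </etc/u2f_mappings
        [ $found -eq 1 ] || { echo "no mapping for $user in /etc/u2f_mappings"; rc=1; }
    else
        echo "skip: /etc/u2f_mappings not readable (run as root)"
    fi
    if [ -r /etc/crypttab ]; then
        while IFS= read -r l; do
            case $l in ''|'#'*) continue ;; esac
            check_crypttab_line "$l" || { echo "BAD crypttab entry: $l"; rc=1; }
        done </etc/crypttab
    fi
    check_initrd_fido2 || { echo "initramfs has no fido2 support; run dracut --force"; rc=1; }
    return $rc
}

# Constructed samples (not real credentials) for an offline demonstration.
GOOD_MAP='alice:a2V5aGFuZGxl,cHVibGlja2V5,es256,+presence+pin'
WEAK_MAP='alice:a2V5aGFuZGxl,cHVibGlja2V5,es256,+presence'
GOOD_TAB='luks-de8d UUID=de8d none fido2-device=auto,fido2-with-client-pin=yes,discard'
BAD_TAB='luks-de8d UUID=de8d none fido2-device=auto fido2-with-client-pin=yes discard'

if [ "${1:-}" = "--system" ]; then
    lint_system "${2:-$(id -un)}"
else
    for m in "$GOOD_MAP" "$WEAK_MAP"; do
        check_mapping_line "$m" alice && echo "ok   mapping: $m" || echo "FAIL mapping: $m"
    done
    for t in "$GOOD_TAB" "$BAD_TAB"; do
        check_crypttab_line "$t" && echo "ok   crypttab: $t" || echo "FAIL crypttab: $t"
    done
fi
```

Run it with no arguments to see the checks against the constructed samples; run `sudo sh fido2-lint.sh --system yourusername` on the target machine after Phase 4 and before the reboot in Phase 6, and only reboot when it prints nothing but the skip lines.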


Hi Joe.

Thanks for this write-up. I think it is something the Fedora Magazine audience would enjoy.

Sorry to have to ask you to move this again since I see that you’ve been bounced around a few times already, but would you mind uploading this content to Fedora Magazine’s WordPress instance here?: Magazine - Dashboard (click on “Posts” in the left sidebar and then the “Add New Post” button at the top)

Thanks for your contribution to Fedora Linux!


I tried to accommodate your request and I’ve been blocked from creating a new topic/subject. I’m limited because of the recent posts I’ve made. Here is the draft I have to revisit later. Unfortunately I have to get back to school.

I’m a cybersecurity student and relatively new to Fedora, but I wanted to share something that might help others exploring stronger authentication methods. After running into gaps in the available documentation, I decided to piece together a complete guide for integrating a FIDO2 security key (specifically the Identiv uTrust model) across a Fedora 42 system.

This walkthrough covers using a FIDO2 key for:

  • Full Disk Encryption (LUKS2 unlock)
  • Graphical Login (LightDM with Cinnamon)
  • Sudo elevation (PIN + Touch)
  • Partial Polkit integration (experimental)

My goal was to create a secure, largely passwordless system that remains usable — and recoverable — with strong fallback measures in place. While I’m by no means an expert, I tested this process across multiple machines and documented every challenge I faced, hoping it’ll save others time and headaches.

I’ve been encouraged by community members to share this in a more visible place, so here it is. If you improve on it, or find better solutions to the issues noted, I’d love to hear back — this is intended to be a living document and learning process.

Community Concerns and Clarifications

I want to be up front: I’m still pretty new to Fedora and to Linux system internals in general. I’m a cybersecurity student learning as I go, and this project grew out of personal curiosity and trial-and-error — not expertise. I only wrote this up because I couldn’t find a single resource that tied all the moving parts together: LUKS, GUI login, sudo, Polkit, and FIDO2 — especially for the specific key I had (Identiv uTrust FIDO2).

That said, I want to respectfully address a few common concerns that came up from others who were kind enough to offer feedback and suggestions.


Why not just use the default PAM configuration or authselect integration?
That was my first attempt. Fedora’s pam-u2f package theoretically supports quick setup through authselect or simple auth include edits. However, I ran into real issues when trying to enforce PIN-based authentication reliably across all interfaces — especially for sudo and LightDM.

Specifically:

  • PIN enforcement (pinverification=1) wasn’t consistently applied with default config.
  • LightDM and Cinnamon sometimes skipped the key altogether unless the PAM files were directly patched.
  • The Fedora package doesn’t include the pamu2fcfg tool, which is essential for creating valid mappings for non-discoverable credentials.
  • Improper u2f_mappings or missing permissions (like needing a plugdev group) silently broke authentication — and the defaults didn’t catch these failures.

So while automated methods are great in theory, I found that manual configuration was the only way to guarantee that PIN + Touch were required and that the system behaved consistently.


Why not use a biometric FIDO2 key?
That’s a fair point — and if your key supports biometrics, you might have an easier time. But the Identiv uTrust key I used doesn’t support biometrics, just PIN + Touch. What’s more confusing is that this key doesn’t clearly advertise some of its capabilities, such as its support for non-discoverable (resident-less) credentials or CTAP2 features. That led to extra debugging because tools or desktops didn’t always recognize it as fully FIDO2-compliant — even though it is.


Isn’t this too complicated?
Honestly, yes. It felt like walking through a minefield at times. But part of why I wrote this was to help others avoid the same frustrating guesswork. If Fedora’s FIDO2 integration improves (and I hope it does), maybe one day a setup like this can be done in a few clicks. Until then, I wanted to document what worked for me — with full recovery steps, warnings, and fallback options — so others could build on it or improve it.


Can this break your system?
Yes. Absolutely. Editing PAM or crypttab without backups or understanding the flow of authentication can easily lock you out at boot or login. I tried to be very clear in the guide about backing up every config and preparing recovery options like a Live USB or TTY root access. This isn’t something to try on your daily driver — at least not until you’ve tested it safely somewhere else.


If you’re an expert and see a better way, I hope you’ll share your insights — and if you’re like me and just want to experiment securely, maybe this guide will save you some pain. Either way, I’m glad the Fedora community has folks willing to discuss and improve these kinds of setups together.
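Because the failures described above are silent ones (a PAM line without `pinverification=1`, a mapping entry that never carried `+pin`), here is an added audit script, mine rather than the author's, that checks a constructed PAM stack and a pamu2fcfg-style mappings file for exactly those conditions. The mapping field layout is assumed from pam_u2f's documented format, and every sample input is constructed.

```python
"""Added example (not from the post): audit a pam_u2f stack and a
pamu2fcfg-style mappings file for the silent failures the post names:
pinverification=1 missing, and entries malformed or registered without +pin.
Mapping layout assumed from pam_u2f's documented format:
  user:KeyHandle,PublicKey,CoseType,Options[:KeyHandle,...]
"""
import re

PAM_U2F = re.compile(r"^auth\s+(\S+)\s+pam_u2f\.so\s*(.*)$")

# Constructed sample inputs; KH_/PK_ values are placeholders, not key material.
WEAK_PAM = "auth  sufficient  pam_u2f.so cue\nauth  include  system-auth\n"
GOOD_PAM = ("auth  required  pam_u2f.so authfile=/etc/u2f_mappings "
            "cue pinverification=1\nauth  include  system-auth\n")
MAPPINGS = ("joe:KH_1,PK_1,es256,+presence+pin\n"
            "labuser:KH_2,PK_2,es256,+presence\n"
            "broken:KH_3,PK_3\n")


def audit_pam(pam_text):
    """Return findings for a PAM file body such as /etc/pam.d/sudo."""
    for line in pam_text.splitlines():
        m = PAM_U2F.match(line.strip())
        if m is None:
            continue
        control, opts = m.group(1), m.group(2).split()
        findings = []
        if "pinverification=1" not in opts:
            findings.append("pinverification=1 missing: PIN is not enforced")
        if control not in ("required", "requisite"):
            findings.append(f"control '{control}' does not make the key mandatory")
        return findings
    return ["no pam_u2f.so auth line found"]


def audit_mappings(mapping_text):
    """Return findings for each credential in a u2f_mappings body."""
    findings = []
    for n, line in enumerate(mapping_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, _, creds = line.partition(":")
        for cred in creds.split(":"):  # one user may hold several credentials
            fields = cred.split(",")
            if len(fields) != 4 or not all(fields[:3]):
                findings.append(f"line {n}: malformed entry for '{user}'")
            elif "+pin" not in fields[3]:
                findings.append(f"line {n}: '{user}' registered without +pin")
    return findings
```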

WordPress is a separate system from this forum. No limits here will apply there. There is no hurry. Just let us know when you get it figured out.

@py0xc3 Can you move this topic to the Fedora Magazine team workflow?

Never mind, it appears I have that ability (at least for some topics?).

Thanks so much, Gregory — I really appreciate you taking the time to clarify and assist.

The testing process took a few days, but honestly, just trying to share what I learned has taken even longer than I expected. I originally just wanted to post a quick write-up to help others avoid the same troubleshooting on Fedora, but it’s turned into a bit more effort than I thought, especially with the topic getting moved around.

I totally get that there are rules and limits, but it would be nice if moderators had the ability to move posts directly when needed — it might make things smoother for contributors trying to share their work.

That said, it’ll probably be a little while before I can circle back and properly re-post everything. School is keeping me pretty busy right now, but I do plan to return to this when I have the time.

Thanks again for your support and patience — it means a lot.

R,

Joe

@ihs-2025 The editors use Pagure to track the progress of Magazine articles. This lets us work efficiently as a team. It also gives us a channel to communicate between authors and editors.

I have created Pagure article #392 for your article.

In order to assign this to you I need to request that you sign in to Pagure using your FAS login. You can go to the link above to do this. When this is done please let us know by leaving a comment on that ticket.

You may use comments on the ticket for any communications regarding the article, or for any requests or assistance you may need.

Thank you for volunteering your time and effort to the Fedora Magazine. We appreciate it and we are looking forward to the article.

Thank you, I’ve added my comment on the Pagure ticket.

Also, would it be possible to be added to the magazine or docs FAS group as a contributor? I noticed that I’m currently CLA-only and unable to vote in the current Fedora elections. I only ask because I saw the notice about the elections, took the time to review the candidates, and ranked them thoughtfully, but then realized I wasn’t eligible to cast a ballot. Having previously served in a leadership role at a nonprofit, I understand how important participation and representation are in a community.

I’d love to stay involved and keep contributing.

V/r,

Joe Murphy

That’s two different things. You can sign the CLA at any time: log into https://accounts.fedoraproject.org/ with your existing FAS credentials, then go to Settings and then Agreements. There you can read and sign the CLA (I think it is now known as the Fedora Contributor Agreement or something like that). It should be possible to vote without being part of a WG (that is at least indicated by some cases in recent days).

glb can correct me, but I think the working group of the Magazine is intended for those permanently involved in editing Magazine articles and in maintaining the Magazine in general. It is comparable for the Docs, but for that you would best get in touch with the Docs team at their Matrix channel; at least in the past, because many people joined the Docs team and then disappeared soon after, membership of the Working Group was intended for those who have already been members for longer periods and have already taken responsibility for repositories or the like.

But as mentioned, I think what you need for your purposes is just to sign the CLA.

Thanks, I’m new and still learning. I’ve attached a screenshot to illustrate.

I am not sure about this; the only thing I could imagine is that the Discourse trust level is counted as a group, but I asked infra, and there is a topic discussing this anyway. I added the question there:

Let’s keep the CLA/voting topic there and wait for what they say. Then you can focus in this topic on Magazine-related stuff.


Supplement: I assume that the question has already been answered in the topic I mentioned above: I assume you could vote for Mindshare and Council, but not FESCo, as FESCo requires additional group(s) to ensure that only people who are already more deeply involved in Fedora can vote, which makes sense given the immediate impact of that vote due to FESCo’s role and daily/immediate responsibilities.