Titan Security Key

During Nullcon I got a Titan Security Key. This device by Google is very similar to the popular Yubikeys. Unlike the first generation of Yubikeys, the Titan Security Key does not generate an OTP (one-time password) but supports FIDO as a second factor. Besides websites and the like, the device can be used for local access to a system as well. This means that I would only have to carry around one key to rule them all and could use my old Yubikey as a backup.


The Titan Key shows up immediately after it's plugged in. Get the output with dmesg.

[116764.047928] usb 1-9: reset full-speed USB device number 5 using xhci_hcd
[121937.920395] usb 1-1: new full-speed USB device number 22 using xhci_hcd
[121938.047491] usb 1-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=44.00
[121938.047501] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[121938.047507] usb 1-1: Product: U2F
[121938.047513] usb 1-1: Manufacturer: FT
[121938.055623] hid-generic 0003:096E:0858.0011: hiddev96,hidraw3: USB HID v1.00 Device [FT U2F] on usb-0000:00:14.0-1/input0

The next step is to associate the Titan Security Key with your local user account. Press the key when it's blinking and your details should be written to the configuration file.

$ pamu2fcfg
user_name:Hxxxc-cHA-3xxxxj-xxxym-xxxX2h-G11_bKZfQ,04xxxxx1a15078c80889

So far so good. To activate the key in the authentication process, add the following line to the file in /etc/pam.d/ for the service where you want to use it.

auth        sufficient      pam_u2f.so cue authfile=/etc/security/u2f_keys
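
An added example, not from the original post: a small shell audit that reports how the pam_u2f line is wired into a PAM service file and whether a user has a mapping in the authfile. With `sufficient`, a successful key touch is accepted on its own and a failed one falls through to the remaining modules, while `required` makes the key mandatory. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit how pam_u2f is wired in.

# Print "<control> <verdict> <authfile>" for the first pam_u2f auth line.
#   alternative = key success is enough (if no earlier required module failed);
#                 key failure is ignored, so later modules still decide
#   mandatory   = key must succeed along with the other required modules
u2f_pam_mode() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "auth" && /pam_u2f\.so/ {
            ctl = $2; file = "-"                     # "-" = no authfile= option given
            for (i = 3; i <= NF; i++)
                if ($i ~ /^authfile=/) file = substr($i, 10)
            if (ctl == "sufficient") verdict = "alternative"
            else if (ctl == "required" || ctl == "requisite") verdict = "mandatory"
            else verdict = "other"                   # optional, [value=action], ...
            print ctl, verdict, file
            found = 1; exit
        }
        END { if (!found) print "none absent -" }
    ' "$1"
}

# Succeed if the authfile maps USER to at least one "keyhandle,publickey" pair,
# the line format shown in the pamu2fcfg output above.
u2f_user_enrolled() {
    awk -F: -v u="$2" '$1 == u && $2 ~ /^[^,]+,[^,]+/ { ok = 1 } END { exit !ok }' "$1"
}

# Demo on constructed sample files (not real system files or real key material).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'auth sufficient pam_u2f.so cue authfile=/etc/security/u2f_keys' \
        'auth required pam_unix.so' > "$d/svc-sufficient"
    printf '%s\n' 'auth required pam_unix.so' \
        'auth required pam_u2f.so cue authfile=/etc/security/u2f_keys' > "$d/svc-required"
    printf '%s\n' 'alice:CONSTRUCTED-HANDLE,04CONSTRUCTEDKEY' > "$d/u2f_keys"
    u2f_pam_mode "$d/svc-sufficient"      # sufficient alternative /etc/security/u2f_keys
    u2f_pam_mode "$d/svc-required"        # required mandatory /etc/security/u2f_keys
    u2f_user_enrolled "$d/u2f_keys" alice && echo "alice enrolled"
    u2f_user_enrolled "$d/u2f_keys" bob   || echo "bob not enrolled"
    rm -rf "$d"
}
demo
```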

Edit: With Fedora 30 it seems it is no longer necessary to add a udev rule. I will leave that part here.

Create a file for the rule:

$ sudo vi /etc/udev/rules.d/60-titan-key.rules

Add this:

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", \
ATTRS{idProduct}=="0858", TAG+="uaccess"

After you are done, a reload of the udev rules is required.

$ sudo udevadm control --reload-rules