You will need a publicly available server, a valid SSL certificate, and two open ports (one for HTTP and another one for GRPC).
First, build and install the binary:
mkdir remoteu2f; cd remoteu2f export GOPATH=$PWD go get blitiri.com.ar/go/remoteu2f/remoteu2f-proxy sudo cp bin/remoteu2f-proxy /usr/local/bin/
Then, generate some random tokens that will be used to authorize clients:
( for i in `seq 1 10`; do head -c60 /dev/urandom | sha256sum -b | cut -d ' ' -f 1 ; done ) > /etc/remoteu2f-proxy/tokens
Use one token per user, or one token per (user, host). Never share tokens between different users, this is very insecure and will become even more so in the future. Tokens are arbitrary strings, prepending the name of the user can help you know who you gave them to.
Finally, launch the binary. You can use the provided upstart or systemd examples to help you with this, depending on your system.
You will need
mkdir remoteu2f; cd remoteu2f export GOPATH=$PWD go get blitiri.com.ar/go/remoteu2f/remoteu2f-cli sudo cp bin/remoteu2f-cli /usr/local/bin/ cd src/blitiri.com.ar/go/remoteu2f/libpam make sudo cp pam_prompt_exec.so /lib/security
Configure PAM for ssh (or sudo, or the service of your choice) by editing
/etc/pam.d/sshd (or equivalent) and adding the following at the bottom:
auth required pam_prompt_exec.so /usr/local/bin/remoteu2f-cli pam --nullok
sshd itself requires the following configuration settings to work properly.
You can usually set them in
UsePAM yes ChallengeResponseAuthentication yes
Once you have completed the server install above, each each user that wants to use remoteu2f has to configure their account.
remoteu2f-cli init and follow the instructions.
Take note of the backup codes so you can access without your security key in an emergency.
remoteu2f-cli register to register your security key. You can
register as many keys as you want.
remoteu2f-cli auth to verify that it works.