System Authentication with Yubikey

Operating Systems & Open Source Linux
1

Hi everyone,

I recently got myself a Yubikey since I like all the possibilities it offers to increase security. I read that you can use the Yubikey as a second factor for system authentication. So basically if you want to login into your user account or use the sudo command you not only need to provide a passphrase but also have to touch the connected Yubikey.

I wanted to set this up and most Arch related instructions boil down to this: Tutorial

So I edited my /etc/pam.d/system-auth and added the line as described in the Tutorial:

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       required                    pam_yubico.so        mode=challenge-response chalresp_path=/var/yubico
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

Unfortunately there seems to be something incorrect with this, since my Yubikey only lights up once after making the change and even then after a failed authentication attempt I can login with only the password again.

I would be really grateful for anyone that can provide an insight into whats wrong here or point me in the right direction!

Edit: BTW I am on Manjaro!

2

not sure about that tutorial, but the yubico-pam tool uses a different line in the pam.d.

auth sufficient pam_yubico.so id=[Your API Client ID] debug

Here is the documentation:

https://developers.yubico.com/yubico-pam/

3

Thank you but I have found my mistake! I confused the HMAC-SHA1 challenge response mode with the U2F mode! I was waiting to be prompted by the stick to touch it to verify the authentication attempt but in challenge-response mode you only need to have the stick attached to the PC to pass it. Which was working all along. What I wanted however was to setup the U2F mode which is explained here. After following the instructions to setup U2F mode and placing the pam commands in /etc/pam.d/sudo and /etc/pam.d/gdm-password everything works as expected. Before I can login or sudo I need the Yubikey attached and need to touch it to verify my presence.

2 Likes
4

Awesome! I was looking around for how to do this for myself on the interwebs of lots of reading. Iā€™m glad L1 exists so that I can just search and get more info on less reading. ^^