System Authentication with Yubikey

Hi everyone,

I recently got myself a Yubikey since I like all the possibilities it offers to increase security. I read that you can use the Yubikey as a second factor for system authentication. So basically, if you want to log in to your user account or use the sudo command, you not only need to provide a passphrase but also have to touch the connected Yubikey.

I wanted to set this up, and most Arch-related instructions boil down to this: Tutorial

So I edited my /etc/pam.d/system-auth and added the line as described in the Tutorial:


auth       required                preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       required                  mode=challenge-response chalresp_path=/var/yubico
auth       [success=2 default=ignore]          try_first_pass nullok
-auth      [success=1 default=ignore]
auth       [default=die]           authfail
auth       optional          
auth       required          
auth       required                authsucc
# If you drop the above call to the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]
account    required          
account    optional          
account    required          

-password  [success=1 default=ignore]
password   required                    try_first_pass nullok shadow
password   optional          

session    required          
session    required          
session    optional          

Unfortunately there seems to be something incorrect with this, since my Yubikey only lights up once after making the change, and even then, after a failed authentication attempt, I can log in with only the password again.

I would be really grateful to anyone who can provide an insight into what's wrong here or point me in the right direction!

Edit: BTW I am on Manjaro!

Not sure about that tutorial, but the yubico-pam tool uses a different line in pam.d:

auth sufficient id=[Your API Client ID] debug

Here is the documentation:

Thank you, but I have found my mistake! I confused the HMAC-SHA1 challenge-response mode with the U2F mode! I was waiting to be prompted by the stick to touch it to verify the authentication attempt, but in challenge-response mode you only need to have the stick attached to the PC to pass it, which was working all along. What I wanted, however, was to set up the U2F mode, which is explained here. After following the instructions to set up U2F mode and placing the PAM commands in /etc/pam.d/sudo and /etc/pam.d/gdm-password, everything works as expected. Before I can log in or sudo, I need the Yubikey attached and need to touch it to verify my presence.
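For anyone landing here with the same confusion, here is the U2F setup from the post above written out as a script, together with two offline checks worth running before you close your root shell. This is an added example, not code from the thread or from the pam-u2f project: it assumes the pam-u2f package (pam_u2f.so and pamu2fcfg) is installed and the default per-user key file ~/.config/Yubico/u2f_keys is used; the hostname "myhost", the user "alice" and the key-file contents are made up. The difference from the challenge-response setup in the first post is the PAM module: pam_yubico in challenge-response mode answers the HMAC-SHA1 challenge without touch unless the slot was programmed with the touch flag (ykman otp chalresp --touch), whereas pam_u2f always asks for a touch, and its cue option prints a prompt so you can see the key is waiting.

```bash
#!/bin/bash
# Added example (not from the original thread): YubiKey in U2F/FIDO mode as a
# second factor for sudo and the GDM login, plus offline checks on the key file.
# Assumptions: pam-u2f installed; default key file ~/.config/Yubico/u2f_keys;
# "myhost", "alice" and the key-file line in selftest() are invented sample data.

# Step 1, enrolment. Needs the key plugged in; touch it when it blinks.
# (Run this by hand; it cannot run without the hardware.)
#   mkdir -p ~/.config/Yubico
#   pamu2fcfg -u "$USER" > ~/.config/Yubico/u2f_keys
# See "pamu2fcfg -n" if you want to register a backup key as well.

# Step 2, the PAM rule. "required" means password AND touch; "sufficient"
# would let the touch replace the password. "cue" prints a prompt while the
# key waits for a touch. Add the line to /etc/pam.d/sudo and
# /etc/pam.d/gdm-password: above "auth include system-auth" you touch first,
# below it you type the password first.
pam_u2f_line() {
    local host="$1"
    printf 'auth required pam_u2f.so cue origin=pam://%s appid=pam://%s\n' "$host" "$host"
}

# Step 3, offline sanity checks on the key file. Run them in a second
# terminal before logging out: with "required", a missing entry for your
# user or an unusable key file means every sudo attempt fails.
u2f_keys_ok() {
    local file="$1" user="$2" mode
    [ -f "$file" ] || { echo "no key file $file"; return 1; }
    # one line per user: "user:keyhandle,publickey[,...]"
    grep -Eq "^${user}:[^:,]+,[^:,]+" "$file" || { echo "no entry for $user"; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    case "$mode" in
        *[2367]?|*[2367])   # group or other write bit set
            echo "$file is group/world writable (mode $mode)"; return 1 ;;
    esac
    return 0
}

# Self-test on a constructed key file (fake handle and public key, not a real
# registration). Returns 0 when both checks behave as expected.
selftest() {
    local tmp
    tmp=$(mktemp -d) || return 1
    printf 'alice:Rm9vQmFy,BAR0AAAA,es256,+presence\n' > "$tmp/u2f_keys"
    chmod 600 "$tmp/u2f_keys"
    u2f_keys_ok "$tmp/u2f_keys" alice || return 1
    ! u2f_keys_ok "$tmp/u2f_keys" bob >/dev/null || return 1    # no entry for bob
    chmod 664 "$tmp/u2f_keys"
    ! u2f_keys_ok "$tmp/u2f_keys" alice >/dev/null || return 1  # too permissive
    rm -rf "$tmp"
    return 0
}

# Step 4, try it: keep a root shell open, run "sudo -k; sudo true" in another
# terminal, and only then close the root shell.
pam_u2f_line "$(hostname)"
u2f_keys_ok "$HOME/.config/Yubico/u2f_keys" "$USER" || echo "fix the key file before relying on pam_u2f"
selftest && echo "self-test OK"
```

The checks are deliberately conservative: pam_u2f reads the file as the user being authenticated (or as root for sudo, depending on openasuser), so a group- or world-writable key file lets another local account register its own key for you, which defeats the second factor.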


Awesome! I was looking around for how to do this for myself on the interwebs, with lots of reading. I'm glad L1 exists so that I can just search and get more info with less reading. ^^