How to configure 'system-auth' for system authentication (login) with Yubikey Challenge response?

Hello, everyone!
For several weeks I’ve been struggling with how to properly configure Manjaro so that logging in requires both the password and the Yubikey in challenge-response mode (2FA). I searched the whole Internet, but there is nothing at all for Manjaro. I tried every tutorial for Arch and other distros; nothing worked. I tried all the standard and non-standard instructions; nothing works. The most I managed to achieve is that after rebooting the system requires the Yubikey, but if you lock the session, you cannot get back in because of the error “wrong password”.

Has anyone faced the same issue?
Here’s the contents of my ‘system-auth’:

#%PAM-1.0


auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok

# Doesn't work here

-auth      [success=1 default=ignore]  pam_systemd_home.so

# Doesn't work here

auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

# It works here but only for login after restart

Hello and welcome.
I use a Solokey and not a Yubi, but I used this guide to add it to my login (and some other bits):

Please note:

A note of warning : You can get really locked out of your system if you do not do this the right way. If that happens, then boot your system in recovery mode or (single mode) and then revert your changes.

Worth a read, as I found it explained what was happening.


Hi Alfy! Thanks for your reply!
Is there some way to use challenge-response mode for logging in instead of U2F?

https://wiki.archlinux.org/title/YubiKey#Linux_user_authentication_with_PAM


I don’t know what is different on your Yubi, but I type my password and then touch my Solo button to log in.
There is a section on it in the article I linked, but you may need to use the /etc/pam.d/sddm file instead of the two example files shown (if you use sddm).


That’s everything I found about adding a Yubikey with challenge-response to Manjaro.
But I still can’t cope with the KDE lock screen.
Don’t forget to change the path of your CR files. For me it is “/var/yubico”; by default you shouldn’t type this part of the command: “chalresp_path=/var/yubico”.

SETTING UP THE YUBIKEY PROMPT WHEN LOGGING IN IMMEDIATELY AFTER BOOT (SDDM)
Command
sudo nano /etc/pam.d/sddm
And at the very top enter (it will also work if you put it after auth include system-auth)
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

CONFIGURING THE SYSTEM WITH YUBIKEY REQUEST FOR ALL SUDO COMMANDS
Command
sudo nano /etc/pam.d/sudo
After
auth include system-auth
Enter
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

SETTING UP THE YUBIKEY REQUEST FOR ALL POLICYKIT-1 PROMPTS
Command
sudo nano /etc/pam.d/polkit-1
After
auth include system-auth
Enter
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

SETTING UP YUBIKEY FOR TERMINAL TTY
Command
sudo nano /etc/pam.d/login
After
auth include system-local-login
Enter
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

My keys are stored elsewhere, so I don’t have exactly the same.
I do notice that my /etc/pam.d/sddm has the line in the same order as your other pam.d files and not at the top:

#%PAM-1.0
auth        include     system-login
auth        required    pam_u2f.so

Does your system require the Solokey to log in after a manual lock? I mean, did you modify your /etc/pam.d/kde to work with pam_u2f.so? And if you did, could you share where exactly you put auth required pam_u2f.so?

It seems I have edited my /etc/pam.d/kde:

#%PAM-1.0
auth        include     system-login
auth        required    pam_u2f.so
account     include     system-login
password    include     system-login
session     include     system-login

Thanks for your help.
I tried the same but with challenge-response mode, and it just doesn’t work:

#%PAM-1.0
auth        include     system-login
auth        required    pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
account     include     system-login
password    include     system-login
session     include     system-login

Are you using the default lock screen (or perhaps a screensaver)?

I haven’t added auth required pam_u2f.so anywhere else.

I think my lock screen is the default. I didn’t change anything. I don’t even know how to check it.

Found this SDDM article, did as it said there but using pam_yubico.so mode=challenge-response, and it didn’t work.

I don’t know if you have anything extra here?

$ ls /etc/pam.d
chage      groupadd   newusers  runuser         shadow       systemd-user         useradd
chfn       groupdel   other     runuser-l       sshd         system-local-login   userdel
chgpasswd  groupmems  passwd    samba           su           system-login         usermod
chpasswd   groupmod   polkit-1  sddm            sudo         vlock
chsh       kde        rlogin    sddm-autologin  su-l         system-remote-login
crond      login      rsh       sddm-greeter    system-auth  system-services

Everything is almost the same. I have one extra file: cups.
And that file contains these lines:

auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

Yeah, it’s definitely not a custom lock screen

My keys are stored in my home folder, whereas yours are stored under /. It seems this has previously caused an issue:

[BUG] Locked screen fails unlock with YubiKey on Kubuntu (KDE-based Ubuntu) · Issue #113 · Yubico/yubico-pam · GitHub.

Not sure if this is the cause or if it ever got fixed.
There are a couple of workarounds in that thread, but they’re a bit above my pay grade and I can’t test them.

One of the simpler options to try:

For now the “workaround” is to use “Switch user” button rather than provide password when the screensaver dialog


Thanks a million! It does work! Without you, I wouldn’t have solved the issue.
For other people who have the same issue, I’ll leave these instructions.

To run the Yubikey in challenge-response mode on the KDE lock screen,
it is IMPORTANT that the key files are looked up at the standard path /home/USERNAME/.yubico/challenge-11111111,
and the command should look like this: auth required pam_yubico.so mode=challenge-response

SETTING UP A KEY REQUEST WHEN LOGGING IN AFTER A LOCKED SESSION (KDE)
Command
sudo nano /etc/pam.d/kde
After
auth include system-login
Enter
auth required pam_yubico.so mode=challenge-response

How to set up the other pam.d files I described here: link

If you set up the Yubikey using these instructions: instructions for Arch users,
then to make the KDE lock screen work, just copy all the challenge-11111111 files into the folder /home/USERNAME/.yubico/. And if I’m not mistaken, you need to set permissions on the files with the command chmod 600 challenge-11111111.

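Taking the two instruction posts above together (the sddm/sudo/polkit-1/login steps and the /etc/pam.d/kde step for the lock screen), here is an added example that is not code from the thread or from the yubico-pam project. It stages the same pam_yubico line on copies of PAM stack files and checks the challenge-file permissions the last post mentions, so the result can be reviewed before anything under /etc/pam.d is touched. The scratch directory, the sample file contents and the file name challenge-11111111 are constructed placeholders; the real challenge file is created by ykpamcfg from the yubico-pam package and is named after the key's serial number.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from yubico-pam.
# Works on copies of PAM files in a scratch directory; nothing here writes
# to /etc/pam.d or to a real ~/.yubico. Paths and sample contents are assumed.

# The line the thread adds (home-directory mode, no chalresp_path).
YUBICO_LINE='auth    required    pam_yubico.so mode=challenge-response'

# add_yubico_after FILE INCLUDE_NAME
# Insert YUBICO_LINE right after the "auth include INCLUDE_NAME" line of FILE,
# matching the placement used in the thread: after "auth include system-login"
# in kde, after "auth include system-auth" in sudo and polkit-1, after
# "auth include system-local-login" in login.
# Idempotent: a file that already carries a pam_yubico line is left alone.
add_yubico_after() {
    file=$1
    inc=$2
    if grep -q 'pam_yubico\.so' "$file"; then
        return 0
    fi
    if ! awk -v inc="$inc" \
        '$1 == "auth" && $2 == "include" && $3 == inc { found = 1 } END { exit !found }' \
        "$file"; then
        echo "add_yubico_after: no 'auth include $inc' line in $file" >&2
        return 1
    fi
    awk -v inc="$inc" -v line="$YUBICO_LINE" '
        { print }
        $1 == "auth" && $2 == "include" && $3 == inc && !done { print line; done = 1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_challenge_files DIR
# In home-directory mode pam_yubico reads DIR/challenge-<serial>; the thread's
# fix is chmod 600 on each file. Report every challenge-* file whose mode is
# not 600 and return non-zero; also fail when there is no challenge file at all.
check_challenge_files() {
    dir=$1
    rc=0
    found=0
    for f in "$dir"/challenge-*; do
        [ -f "$f" ] || continue
        found=1
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ "$mode" != "600" ]; then
            echo "check_challenge_files: $f has mode $mode, expected 600" >&2
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "check_challenge_files: no challenge-* files in $dir" >&2
        return 1
    fi
    return "$rc"
}

# Demo on a constructed copy of /etc/pam.d/kde (sample content, not a real file).
work=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth        include     system-login' \
    'account     include     system-login' \
    'password    include     system-login' \
    'session     include     system-login' > "$work/kde"
add_yubico_after "$work/kde" system-login
cat "$work/kde"

# Placeholder challenge file with the wrong mode; the real one comes from ykpamcfg.
mkdir -p "$work/.yubico"
: > "$work/.yubico/challenge-11111111"
chmod 644 "$work/.yubico/challenge-11111111"
check_challenge_files "$work/.yubico" || echo "fix with: chmod 600 $work/.yubico/challenge-*"
rm -rf "$work"
```

Run it against copies (cp /etc/pam.d/kde "$work/kde") and diff before copying back; keep a root shell open on another tty while testing, as the guide's lock-out warning above advises. Two caveats for anyone reusing this: the lock screen greeter runs as the logged-in user, not root, which is the likely reason a root-only chalresp_path=/var/yubico works for sddm and sudo but not for unlocking (this is an assumption consistent with the linked yubico-pam issue, not something the thread confirms); and keeping the challenge file in $HOME means anyone who can write to that account's home can rewrite it, so the second factor then protects only against an attacker who does not already have the user's files.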
