Hello, everyone!
For several weeks I’ve been struggling with how to properly configure Manjaro so that logging in requires both the password and a Yubikey in challenge-response mode (2FA). I searched the whole Internet, but there is nothing at all for Manjaro. I tried every tutorial for Arch and other distros; nothing worked. I tried all standard and non-standard instructions; nothing works. The most I managed to achieve is that after rebooting the system requires the Yubikey, but if you lock the session, you cannot get back in because of the error “wrong password”.
Has anyone faced the same issue?
Here’s the contents of my ‘system-auth’:
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
# Doesn't work here
-auth [success=1 default=ignore] pam_systemd_home.so
# Doesn't work here
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow sha512
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
# It works here but only for login after restart
Hello and welcome.
I use a solokey and not a yubi, but I used this guide to add it to my login (and some other bits):
Please note:
A note of warning : You can get really locked out of your system if you do not do this the right way. If that happens, then boot your system in recovery mode or (single mode) and then revert your changes.
Worth a read, as I found it explained what was happening.
I don’t know what is different on your yubi, but I type my password then touch my solo button to log in.
There is a section on it in the article i linked but you may need to use the /etc/pam.d/sddm file instead of the two example files shown (if you use sddm).
That’s everything I found about adding Yubikey with challenge-response to Manjaro
But I still can’t cope with the KDE lock screen.
Don’t forget to change the path to your CR files. For me it is “/var/yubico”; with the default path you shouldn’t type this part of the command: “chalresp_path=/var/yubico”.
SETTING UP THE YUBIKEY PROMPT WHEN LOGGING IN IMMEDIATELY AFTER BOOT (SDDM)
Command sudo nano /etc/pam.d/sddm
And at the very top enter (it will also work if you put it after auth include system-auth): auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
CONFIGURING THE SYSTEM WITH YUBIKEY REQUEST FOR ALL SUDO COMMANDS
Command sudo nano /etc/pam.d/sudo
After auth include system-auth
Enter auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
SETTING UP THE SYSTEM’S CLASS REQUEST FOR ALL POLICYKIT-1 REQUIREMENTS
Command sudo nano /etc/pam.d/polkit-1
After auth include system-auth
Enter auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
SETTING UP YUBIKEY FOR TERMINAL TTY
Command sudo nano /etc/pam.d/login
After auth include system-local-login
Enter auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
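The four steps above all do the same thing: open a file under /etc/pam.d and add the pam_yubico line directly after an existing “auth include …” line. The script below is an added example (not from this thread or from the pam_yubico project) that does that insertion in one place, refuses to touch a file that has no matching include line (an auth line in the wrong place is how you lock yourself out), and does nothing if pam_yubico is already configured. The function name add_yubico_after and the constant PAM_YUBICO_LINE are my own; the line itself is the poster’s, including the chalresp_path=/var/yubico part, which you should drop if your challenge files live in the default ~/.yubico. Run it against a copy of the PAM file first.

```shell
#!/bin/sh
# Added example: insert the pam_yubico line after "auth include <target>"
# in a PAM file, idempotently. Names below are assumptions, not the
# thread's or the project's own code.

# The exact line from the post; remove chalresp_path=... to use ~/.yubico.
PAM_YUBICO_LINE='auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico'

# add_yubico_after FILE INCLUDE_TARGET
#   FILE           : PAM file to edit in place (test on a copy first)
#   INCLUDE_TARGET : system-auth, system-login, system-local-login, ...
# Returns 0 when the line was inserted,
#         1 when FILE has no "auth include INCLUDE_TARGET" line (unchanged),
#         2 when pam_yubico.so is already present (unchanged).
add_yubico_after() {
    file=$1
    target=$2

    # Already configured: a second line would prompt for the key twice.
    if grep -q 'pam_yubico\.so' "$file"; then
        return 2
    fi

    # Refuse to edit rather than append somewhere unexpected: the key line
    # must come after the password is checked, i.e. after the include.
    if ! grep -Eq "^auth[[:space:]]+include[[:space:]]+$target[[:space:]]*$" "$file"; then
        return 1
    fi

    tmp=$(mktemp) || return 1
    # Copy every line; after the first matching include line, emit the
    # pam_yubico line once.
    awk -v tgt="$target" -v line="$PAM_YUBICO_LINE" '
        { print }
        $1 == "auth" && $2 == "include" && $3 == tgt && !added {
            print line
            added = 1
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rm -f "$tmp"
}

# Usage (as root, after backing up the file):
#   cp /etc/pam.d/sudo /root/sudo.pam.bak
#   add_yubico_after /etc/pam.d/sudo system-auth
```

Keep a root shell open in another terminal while you test the change, so you can restore the backup if the new prompt does not behave as expected.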
My keys are stored elsewhere, so I don’t have exactly the same.
I do notice that my /etc/pam.d/sddm is in the same order as your other pam.d and not at the top
#%PAM-1.0
auth include system-login
auth required pam_u2f.so
Does your system require the Solokey to log in after a manual lock? I mean, did you modify your /etc/pam.d/kde to work with pam_u2f.so? And if you did, could you share where exactly you put auth required pam_u2f.so?
Thanks for your help.
I tried the same but with Challenge-response mode and it just doesn’t work.
#%PAM-1.0
auth include system-login
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
account include system-login
password include system-login
session include system-login
Not sure if this is the cause or if it ever got fixed.
There are a couple of workarounds in that thread, but they’re a bit above my pay grade and I can’t test them.
One of the simpler options to try
For now the “workaround” is to use “Switch user” button rather than provide password when the screensaver dialog
Thanks a million! It does work! Without you, I wouldn’t have solved the issue.
For other people who’ll have the same issue, I’ll leave this instruction.
To run Yubikey in Challenge-response mode in KDE locked screen
It is IMPORTANT that the request for the key files is at the standard path /home/USERNAME/.yubico/challenge-11111111
And the command should look like this: auth required pam_yubico.so mode=challenge-response
SETTING UP A KEY REQUEST WHEN LOGGING IN AFTER A LOCKED SESSION (KDE)
Command sudo nano /etc/pam.d/kde
After auth include system-login
Enter auth required pam_yubico.so mode=challenge-response
If you set up Yubikey using this instruction: instruction for Arch users
then to make the KDE lock screen work, just copy all the challenge-11111111 files into the folder /home/USERNAME/.yubico/. And if I’m not mistaken, you need to set permissions on the files with the command chmod 600 challenge-11111111.
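The fix above comes down to two conditions: the challenge file sits in the per-user ~/.yubico directory with mode 600, and the line in /etc/pam.d/kde has no chalresp_path and comes after auth include system-login. The script below is an added example (not from this thread or from the pam_yubico project) that checks exactly those conditions before you lock the screen, so a mistake shows up as a printed message rather than as “wrong password”. The function name check_kde_chalresp is my own; both arguments are paths so the check can be pointed at a scratch copy as well as at the real files.

```shell
#!/bin/sh
# Added example: verify the prerequisites the post gives for challenge-
# response on the KDE lock screen. Function name is an assumption.

# check_kde_chalresp YUBICO_DIR PAM_FILE
#   YUBICO_DIR : the per-user challenge directory, normally ~/.yubico
#   PAM_FILE   : the lock-screen PAM file, normally /etc/pam.d/kde
# Prints one line per problem and returns the number of problems (0 = ok).
check_kde_chalresp() {
    ydir=$1
    pamf=$2
    problems=0

    # 1. At least one challenge-<serial> file must exist in the per-user dir.
    found=0
    for f in "$ydir"/challenge-*; do
        [ -f "$f" ] || continue
        found=1
        # 2. The file holds the stored response for the key, so it must not be
        #    readable by other users; the post recommends chmod 600.
        #    GNU stat first, BSD/macOS stat as fallback.
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        if [ "$mode" != "600" ]; then
            echo "bad permissions ($mode) on $f; run: chmod 600 $f"
            problems=$((problems + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no challenge-* file in $ydir"
        problems=$((problems + 1))
    fi

    # 3. The pam_yubico line must exist, must not override chalresp_path
    #    (the lock screen only worked with the default per-user path), and
    #    must come after "auth include system-login" so the password is
    #    checked first and the key second.
    inc=$(grep -nE '^auth[[:space:]]+include[[:space:]]+system-login' "$pamf" | head -n 1 | cut -d: -f1)
    yk=$(grep -nE '^auth[[:space:]]+required[[:space:]]+pam_yubico\.so' "$pamf" | head -n 1 | cut -d: -f1)
    if [ -z "$yk" ]; then
        echo "no 'auth required pam_yubico.so' line in $pamf"
        problems=$((problems + 1))
    else
        if grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_yubico\.so.*chalresp_path=' "$pamf"; then
            echo "pam_yubico line in $pamf sets chalresp_path; drop it so $ydir is used"
            problems=$((problems + 1))
        fi
        if [ -z "$inc" ] || [ "$yk" -lt "$inc" ]; then
            echo "pam_yubico line must come after 'auth include system-login' in $pamf"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage, as the user who will be unlocking the screen:
#   check_kde_chalresp "$HOME/.yubico" /etc/pam.d/kde && echo "lock screen prerequisites ok"
```

Run it once as the desktop user before locking the session; if it reports anything, fix that first, and keep a root shell or the recovery-mode route from the earlier reply available while you test.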