I tried to set up my YubiKey 5 NFC as a second factor for my login.
I used a combination of the following resources to achieve this:
In the end I ended up doing the following:
mkdir $HOME/.yubico
ykpamcfg -2 -v
sudo mkdir /var/yubico
sudo chown root:root /var/yubico
sudo chmod 700 /var/yubico
sudo mv ~/.yubico/challenge-123456 /var/yubico/username-123456
sudo chown root:root /var/yubico/username-123456
sudo chmod 600 /var/yubico/username-123456
Then I added
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
After those changes I was able to log in with both my YubiKey and my password in the login manager and in the virtual consoles. But when I try to log in as root in the virtual consoles it now always says “incorrect login”. When I remove the YubiKey part from /etc/pam.d/system-auth I can log in as root again. sudo with my user still works after the changes if I have plugged in the YubiKey.
Can someone please tell me what I am missing or is this the intended behaviour?
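An added example, not part of the original post: the commands above create a challenge file for `username` only, so this shell check lists which accounts have a correctly protected file in the `chalresp_path` directory before `pam_yubico.so` is made `required` in a shared stack. It assumes files are named `<username>-<serial>` as in the post; `check_chalresp` and `CHALRESP_UID` are hypothetical names, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pam_yubico
# challenge-response directory for accounts that have no usable file.
# Assumption: files are named <username>-<serial> inside chalresp_path,
# as in the post's /var/yubico/username-123456. Uses GNU stat (Linux).

# check_chalresp DIR USER...
# Prints one line per finding: "ok USER FILE", "insecure USER FILE MODE UID"
# or "missing USER". Returns 0 only if every user has a file with mode 600
# owned by the expected uid (root unless CHALRESP_UID is set).
check_chalresp() {
    dir=$1; shift
    want_uid=${CHALRESP_UID:-0}
    bad=0
    for user in "$@"; do
        found=0
        for f in "$dir/$user"-*; do
            [ -f "$f" ] || continue
            # The part after "<user>-" must be a numeric serial, so that
            # "bob-smith-42" is not counted as a file for user "bob".
            serial=${f#"$dir/$user-"}
            case $serial in ''|*[!0-9]*) continue ;; esac
            found=1
            meta=$(stat -c '%a %u' "$f")
            if [ "$meta" = "600 $want_uid" ]; then
                echo "ok $user $f"
            else
                echo "insecure $user $f $meta"
                bad=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing $user"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed demo in a temporary directory (empty files, no key material).
demo=$(mktemp -d)
: > "$demo/username-123456"; chmod 600 "$demo/username-123456"
CHALRESP_UID=$(id -u) check_chalresp "$demo" username root || true
rm -rf "$demo"
```

On a real system the call would be `sudo sh -c '. ./check.sh; check_chalresp /var/yubico root username'` with the script saved as `check.sh` (a placeholder file name).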