No root login possible in virtual console after changes to /etc/pam.d/system-auth


I tried to setup my YubiKey 5 NFC as a second factor for my login.
I used a combination of the following resources to achieve this:

In the end I ended up doing the following:

mkdir $HOME/.yubico
ykpamcfg -2 -v          # use slot 2 (already set up for HMAC-SHA1 challenge-response) and write ~/.yubico/challenge-<serial>

sudo mkdir /var/yubico
sudo chown root:root /var/yubico
sudo chmod 700 /var/yubico

sudo mv ~/.yubico/challenge-123456 /var/yubico/username-123456   # with chalresp_path the file must be named <user>-<serial>
sudo chown root:root /var/yubico/username-123456
sudo chmod 600 /var/yubico/username-123456

Then I added

auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico


auth [success=2 default=ignore] try_first_pass nullok

in /etc/pam.d/system-auth

After those changes I was able to log in with both my YubiKey and my password in the login manager and in the virtual consoles. But when I try to log in as root in the virtual consoles it now always says “incorrect login”. When I remove the YubiKey part from /etc/pam.d/system-auth I can log in as root again. sudo with my user still works after the changes if I have the YubiKey plugged in.

Can someone please tell me what I am missing, or is this the intended behaviour?

Kind regards

Did you create authentications for root? I mean, did you replay these steps on the root account (and on any other account you have on your system):

sudo su root              # become root; the steps below run in root's own home
mkdir $HOME/.yubico
ykpamcfg -2 -v            # writes /root/.yubico/challenge-<serial> for the plugged-in key

mv ~/.yubico/challenge-123456 /var/yubico/root-123456   # name must be <user>-<serial>, here root-<serial>
chown root:root /var/yubico/root-123456
chmod 600 /var/yubico/root-123456

Without that you shouldn’t be able to log in as root. It’s expected because you set pam_yubico to required.

1 Like
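A check worth running before the next reboot, added here as an example that is not part of either post: it walks the local accounts and reports which of them lack a <user>-<serial> file under chalresp_path, which is exactly the root lockout described above. It assumes the setup from this thread (pam_yubico.so marked required with chalresp_path=/var/yubico, challenge files owned by root with mode 0600), GNU stat, and that the accounts to check are root plus UIDs of 1000 and above with a real login shell; the demo() fixture, its passwd entries and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Audit which local accounts can still log in once pam_yubico.so is
# "required" in /etc/pam.d/system-auth with chalresp_path set: every such
# account needs <chalresp_path>/<user>-<serial>, owned by root, mode 0600.
# An account without one (root, in the thread above) gets "incorrect login"
# on the console. Assumes GNU stat and the thread's layout (/var/yubico).

# Accounts that can log in interactively, read from a passwd-format file ($1):
# uid 0 plus uid >= 1000, skipping nologin/false shells.
login_accounts() {
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Challenge file(s) for user $2 in chalresp directory $1, one per line.
chal_files() {
    for f in "$1"/"$2"-*; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Verify one challenge file ($1): mode 0600 and owned by uid $2 (default 0,
# i.e. root). Prints the reason and returns 1 on a mismatch.
check_chal_file() {
    want=${2:-0}
    set -- $(stat -c '%a %u' "$1")   # GNU stat: octal mode, numeric owner uid
    [ "$1" = 600 ] || { echo "mode $1, expected 600"; return 1; }
    [ "$2" = "$want" ] || { echo "owner uid $2, expected $want"; return 1; }
    return 0
}

# Report OK / BAD / MISSING for every login account.
# $1 chalresp dir, $2 passwd file, $3 expected owner uid (default 0).
# Returns 1 if any account would be locked out or has an unsafe file.
audit_chalresp() {
    dir=$1 passwd=$2 uid=${3:-0} rc=0
    for u in $(login_accounts "$passwd"); do
        f=$(chal_files "$dir" "$u" | head -n 1)
        if [ -z "$f" ]; then
            echo "MISSING $u: no $dir/$u-<serial>; console login fails while pam_yubico.so is required"
            rc=1
        elif reason=$(check_chal_file "$f" "$uid"); then
            echo "OK $u $f"
        else
            echo "BAD $u $f: $reason"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture (not real system data): root has no file, alice's is
# correct, bob's is world-readable, and "bin" is skipped (no login shell).
# The file contents are placeholders; ykpamcfg writes the real ones.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'bin:x:1:1::/:/usr/bin/nologin' \
                  'alice:x:1000:1000::/home/alice:/bin/zsh' \
                  'bob:x:1001:1001::/home/bob:/bin/bash' > "$d/passwd"
    mkdir -m 700 "$d/yubico"
    echo 'placeholder' > "$d/yubico/alice-123456"; chmod 600 "$d/yubico/alice-123456"
    echo 'placeholder' > "$d/yubico/bob-654321";   chmod 644 "$d/yubico/bob-654321"
    # Files here belong to whoever runs the demo, so expect that uid, not 0.
    if audit_chalresp "$d/yubico" "$d/passwd" "$(id -u)"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

Source the file and run `audit_chalresp /var/yubico /etc/passwd` as root; `demo` shows the three states on a throwaway directory. The script only proves that a file exists with sane permissions, not that it matches the key that is plugged in. Keep a root shell open in another console while the PAM stack is being edited: with pam_yubico.so as required, any account without a file is locked out of console login, and sudo kept working above only because the user's own file was present. pam_yubico rewrites the file with a fresh challenge after each successful login, which is why it has to stay writable by root.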

Thanks, that’s probably it.
