I recently got myself a Yubikey since I like all the possibilities it offers to increase security. I read that you can use the Yubikey as a second factor for system authentication. So basically if you want to login into your user account or use the sudo command you not only need to provide a passphrase but also have to touch the connected Yubikey.
I wanted to set this up and most Arch related instructions boil down to this: Tutorial
So I edited my /etc/pam.d/system-auth and added the line as described in the Tutorial:
#%PAM-1.0 auth required pam_faillock.so preauth # Optionally use requisite above if you do not want to prompt for the password # on locked accounts. auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico auth [success=2 default=ignore] pam_unix.so try_first_pass nullok -auth [success=1 default=ignore] pam_systemd_home.so auth [default=die] pam_faillock.so authfail auth optional pam_permit.so auth required pam_env.so auth required pam_faillock.so authsucc # If you drop the above call to pam_faillock.so the lock will be done also # on non-consecutive authentication failures. -account [success=1 default=ignore] pam_systemd_home.so account required pam_unix.so account optional pam_permit.so account required pam_time.so -password [success=1 default=ignore] pam_systemd_home.so password required pam_unix.so try_first_pass nullok shadow password optional pam_permit.so session required pam_limits.so session required pam_unix.so session optional pam_permit.so
Unfortunately there seems to be something incorrect with this, since my Yubikey only lights up once after making the change and even then after a failed authentication attempt I can login with only the password again.
I would be really grateful for anyone that can provide an insight into whats wrong here or point me in the right direction!