System Authentication with Yubikey

Hi everyone,

I recently got myself a Yubikey since I like all the possibilities it offers to increase security. I read that you can use the Yubikey as a second factor for system authentication. So basically, if you want to log in to your user account or use the sudo command, you not only need to provide a passphrase but also have to touch the connected Yubikey.

I wanted to set this up, and most Arch-related instructions boil down to this: Tutorial

So I edited my /etc/pam.d/system-auth and added the line as described in the Tutorial:


auth       required                preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       required                  mode=challenge-response chalresp_path=/var/yubico
auth       [success=2 default=ignore]          try_first_pass nullok
-auth      [success=1 default=ignore]
auth       [default=die]           authfail
auth       optional          
auth       required          
auth       required                authsucc
# If you drop the above call to the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]
account    required          
account    optional          
account    required          

-password  [success=1 default=ignore]
password   required                    try_first_pass nullok shadow
password   optional          

session    required          
session    required          
session    optional          

Unfortunately there seems to be something incorrect with this, since my Yubikey only lights up once after making the change, and even then, after a failed authentication attempt, I can log in with only the password again.

I would be really grateful to anyone who can provide an insight into what's wrong here or point me in the right direction!

Did you look at the ArchWiki article?

Sure but I was unable to identify anything in there that relates to my problem.

As far as I understand it, there is just something wrong with the /etc/pam.d/system-auth file, since all the magic is supposed to happen there. The configuration of the hardware key itself caused no problems at all.

This too?


Thank you, thanks to your link I actually found my mistake! I confused the challenge-response HMAC-SHA1 mode with the U2F mode! When using a PAM line starting with 'auth required' with challenge-response, you just need the Yubikey attached to the PC to pass the authentication challenge; you don't need to touch it. The U2F mode is what I was actually looking for, and with the instructions provided I was able to set it up!

Edit: For everyone who wants more information look here!
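Two things in this thread are easy to get wrong without seeing the stack run: the original question (why a failed attempt still lets the password alone through) and the resolution (which mode actually forces a touch). The mode question is a property of the module, but the "key AND password" versus "key OR password" question is purely a matter of PAM control flags. The simulator below is an added example, not code from the thread, the ArchWiki or any PAM module; it walks pam.d-style `auth` lines with the control-flag semantics from pam.conf(5) (required, requisite, sufficient, optional, and the explicit `[value=action]` form with jump counts such as `success=2`, as used in the posted system-auth) against a table of assumed per-module results. The three stacks, the module results and the option strings are constructed for illustration; nothing here calls a real PAM module. `pam_u2f.so` with `cue` is the touch-prompting module the resolution refers to.

```python
"""Added example: simulate how Linux-PAM walks an 'auth' stack.

Constructed for illustration; parses pam.d-style lines and applies the
control-flag semantics of pam.conf(5) to assumed module return codes.
"""
import re
from dataclasses import dataclass

SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"

# Keyword controls expressed as their [value=action] equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Entry:
    module: str
    actions: dict   # return code -> "ok"/"done"/"bad"/"die"/"ignore"/"reset"/jump count
    args: str


def parse_stack(text, group="auth"):
    """Return the entries of one management group (default: auth) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m or m.group(1) != group:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append(Entry(module, actions, args))
    return entries


def evaluate(entries, results):
    """Simulate one authentication run.

    results maps a module name to the code it is assumed to return; unlisted
    modules succeed. Returns (authenticated, invoked): invoked is the list of
    modules that ran, i.e. the prompts the user would actually have seen.
    """
    impression, status = None, None     # None == PAM's "undefined" impression
    invoked, i = [], 0
    while i < len(entries):
        entry, i = entries[i], i + 1
        retval = results.get(entry.module, SUCCESS)
        invoked.append(entry.module)
        action = entry.actions.get(retval, entry.actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, None
            continue
        if action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break                   # requisite-style short circuit
            continue
        # "ok", "done" or a jump count: record a positive impression unless an
        # earlier module already left a negative one.
        if impression is None or (impression == "positive" and status == SUCCESS):
            if retval != IGNORE or impression is None:
                impression, status = "positive", retval
        if action == "done" and impression == "positive":
            break                       # sufficient-style early success
        if action.isdigit():
            i += int(action)            # skip the next N entries
    return impression == "positive" and status == SUCCESS, invoked


# Constructed stack 1: key AND password, both 'required' (a real second factor).
KEY_AND_PASSWORD = """
auth  required  pam_u2f.so   cue
auth  required  pam_unix.so  try_first_pass nullok
auth  optional  pam_permit.so
"""

# Constructed stack 2: 'sufficient' makes the key an alternative to the password.
KEY_OR_PASSWORD = """
auth  sufficient  pam_u2f.so   cue
auth  required    pam_unix.so  try_first_pass nullok
"""

# Constructed stack 3: the key inside a faillock-style stack that uses explicit
# [value=action] controls and a jump over the 'authfail' entry.
KEY_WITH_FAILLOCK = """
auth  required                 pam_faillock.so  preauth
auth  required                 pam_u2f.so       cue
auth  [success=1 default=bad]  pam_unix.so      try_first_pass nullok
auth  [default=die]            pam_faillock.so  authfail
auth  required                 pam_faillock.so  authsucc
"""


def outcome(stack_text, results):
    return evaluate(parse_stack(stack_text), results)


if __name__ == "__main__":
    cases = {"both ok": {}, "key fails": {"pam_u2f.so": AUTH_ERR},
             "password fails": {"pam_unix.so": AUTH_ERR}}
    for name, stack in [("KEY_AND_PASSWORD", KEY_AND_PASSWORD),
                        ("KEY_OR_PASSWORD", KEY_OR_PASSWORD),
                        ("KEY_WITH_FAILLOCK", KEY_WITH_FAILLOCK)]:
        for desc, results in cases.items():
            ok, invoked = outcome(stack, results)
            print(f"{name:18} {desc:15} -> {'pass' if ok else 'fail'} via {invoked}")
```

Run it as a script to see all nine outcomes. The points worth noticing: in stack 1 a failed key still leads to a password prompt (the comment in the posted file about `requisite` is exactly about suppressing that prompt), but the run fails; in stack 2 a working key passes with no password prompt at all, and a failed key silently falls back to password only, so `sufficient` is the control flag that turns "second factor" into "either factor"; in stack 3 the `success=1` jump means a key failure never reaches the `authfail` entry, which is worth knowing before relying on faillock to count key failures.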
