System Authentication with Yubikey

Hi everyone,

I recently got myself a Yubikey since I like all the possibilities it offers to increase security. I read that you can use the Yubikey as a second factor for system authentication. So basically if you want to log in to your user account or use the sudo command you not only need to provide a passphrase but also have to touch the connected Yubikey.

I wanted to set this up and most Arch-related instructions boil down to this: Tutorial

So I edited my /etc/pam.d/system-auth and added the line as described in the Tutorial:

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       required                    pam_yubico.so        mode=challenge-response chalresp_path=/var/yubico
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

Unfortunately there seems to be something incorrect with this, since my Yubikey only lights up once after making the change, and even then, after a failed authentication attempt, I can log in with only the password again.

I would be really grateful to anyone who can provide an insight into what's wrong here or point me in the right direction!

Did you look at the ArchWiki article?

Sure but I was unable to identify anything in there that relates to my problem.

As far as I understand it there is just something wrong with the /etc/pam.d/system-auth file, since all the magic is supposed to happen there. The configuration of the hardware key itself caused no problems at all.

This too?


Thank you, thanks to your link I actually found my mistake! I confused the challenge-response HMAC-SHA1 mode with the U2F mode! When using a PAM line starting with ‘auth required’ with challenge-response you just need the Yubikey attached to the PC to pass the authentication challenge, you don’t need to touch it. The U2F mode is what I was actually looking for, and with the instructions provided I was able to set it up!

Edit: For everyone who wants more information look here!
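To make the difference between the two modes concrete, here is an added example (not from this thread or the linked wiki pages) showing the challenge-response line as posted above next to a U2F line. The pam_u2f.so module and the /etc/u2f_mappings path are assumptions based on the usual pam-u2f setup; the mapping file itself is something you generate with pamu2fcfg for your own key.

```text
# Added example, not from the thread above.
# Challenge-response (HMAC-SHA1) line as posted: pam_yubico only needs the
# key to be plugged in, so no touch is involved in passing the check.
auth       required                    pam_yubico.so        mode=challenge-response chalresp_path=/var/yubico

# U2F mode (assumed: pam-u2f package). pam_u2f.so waits for a touch on the
# key; "cue" prints a reminder to touch it. The authfile path is an
# assumption; its entries come from running pamu2fcfg as the user.
auth       required                    pam_u2f.so           authfile=/etc/u2f_mappings cue

# With "required" and no "nouserok", a user without an entry in the authfile
# cannot authenticate at all, so keep a second terminal logged in and verify
# sudo still works before closing the editor.
```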
