In order to achieve two-factor authentication, I edited `system-auth`, configured U2F using `pam_u2f` as the main method and Yubico OTP using `pam_yubico` as the backup method. However, I encountered several problems:

- `pam_yubico` will not work in the login screen (it works in SSH and tty); it will not ask me to authenticate with YubiKey, and it will always return a fail.
- `pam_u2f` will work; however, if I forgot to insert the U2F device at the time of login, `pam_faillock` will directly lock me out for one attempt. This is not expected, since I configured `pam_faillock` to lock an account only after 3 unsuccessful attempts.

This is how I configured `/etc/pam.d/system-auth`:
```
auth requisite pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=ok default=3] pam_unix.so try_first_pass nullok
auth [success=3 default=ignore] pam_u2f.so nouserok cue
auth [success=2 authinfo_unavail=2 ignore=2 default=ignore] pam_yubico.so id=<id> key=<key> info mode=client nullok
-auth [success=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
```
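Bracket controls like `[success=3 default=ignore]` are easy to misread, and a mistake in an `auth` stack can lock the administrator out of the machine. The following is an added example (not part of the question or of Linux-PAM itself): a small Python simulator of the control-flag semantics described in pam.conf(5) that walks the stack above with a few constructed per-module return values and reports which entries run and what the final verdict is. It is a simplified model: the keyword-to-bracket mapping and the `ok`/`done`/`bad`/`die`/`ignore`/`reset`/`N` handling follow the manual page rather than reproducing `libpam` exactly, and the module return values in the scenarios are assumptions chosen to illustrate the flow, not measurements from a real login.

```python
"""Simplified simulator of Linux-PAM control-flag semantics (pam.conf(5)).

Given a PAM stack and a table of per-module return values, it reports which
entries actually run and the final verdict, so a stack can be sanity-checked
before it is installed on a machine you could lock yourself out of.
Jump actions ("N") are modelled as pam.conf(5) describes them: like "ok",
plus skipping the next N entries.
"""
import re

# Keyword controls expressed as their bracket equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# A leading "-" (as in "-auth") only silences the log message when the module
# file is missing; it does not change control flow, so it is dropped here.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, module_type="auth"):
    """Parse pam.d-style lines into (key, module, actions) entries for one type."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        if mtype != module_type:
            continue
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        first_arg = args.split()[0] if args else ""
        # Key entries by module plus first argument so the three pam_faillock.so
        # lines (preauth / authfail / authsucc) can be told apart.
        key = f"{module} {first_arg}".strip()
        stack.append((key, module, actions))
    return stack


def run_stack(stack, results):
    """Return (verdict, executed_keys) for one authentication attempt.

    `results` maps an entry key (or bare module name) to the module's return
    value, e.g. "success", "auth_err", "authinfo_unavail", "ignore".
    Entries not listed are assumed to return "success".
    """
    impression = None            # None = undecided, True = positive, False = negative
    status = "PAM_PERM_DENIED"
    executed, skip = [], 0
    for key, module, actions in stack:
        if skip:                 # inside a jump: this entry is not invoked at all
            skip -= 1
            continue
        retval = results.get(key, results.get(module, "success"))
        executed.append(key)
        action = actions.get(retval, actions.get("default", "bad"))
        if action.isdigit():     # jump: behaves like "ok" and skips N entries
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            if retval != "ignore" and (impression is None or (impression and status == "success")):
                impression, status = True, retval
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            if impression is not False:   # the first failure is the one reported
                impression, status = False, retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, "PAM_PERM_DENIED"
        # "ignore": this return value does not contribute to the verdict
    return ("success" if impression and status == "success" else status), executed


# The auth stack from the question (comments omitted, placeholders kept as written).
SYSTEM_AUTH = """
auth requisite pam_faillock.so preauth
auth [success=ok default=3] pam_unix.so try_first_pass nullok
auth [success=3 default=ignore] pam_u2f.so nouserok cue
auth [success=2 authinfo_unavail=2 ignore=2 default=ignore] pam_yubico.so id=<id> key=<key> info mode=client nullok
-auth [success=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
"""

# Constructed scenarios (assumed module return values, not captured from a real login).
SCENARIOS = {
    "password ok, U2F key present": {
        "pam_unix.so": "success", "pam_u2f.so": "success",
    },
    "password ok, U2F key absent, OTP fails": {
        "pam_unix.so": "success", "pam_u2f.so": "auth_err", "pam_yubico.so": "auth_err",
        "pam_systemd_home.so": "auth_err", "pam_faillock.so authfail": "auth_err",
    },
    "wrong password": {
        "pam_unix.so": "auth_err", "pam_faillock.so authfail": "auth_err",
    },
}


def trace(scenario_name):
    """Run one named scenario through the question's stack."""
    return run_stack(parse_stack(SYSTEM_AUTH), SCENARIOS[scenario_name])


if __name__ == "__main__":
    for name in SCENARIOS:
        verdict, executed = trace(name)
        print(f"{name}: {verdict}")
        for key in executed:
            print(f"    ran {key}")
```

Running it shows the point a reviewer of this stack would look for: with the password accepted but the U2F device absent, the `default=ignore` actions on `pam_u2f.so`, `pam_yubico.so` and `pam_systemd_home.so` fall straight through to `pam_faillock.so authfail`, so the attempt is recorded by faillock exactly as a wrong password would be, whereas a successful `pam_u2f.so` jumps over the `authfail` entry to `pam_permit.so`. Checking a stack this way, with the module results you expect in each situation, is cheaper than discovering the flow by being locked out.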