
YubiKey

Install the PAM U2F module

$ sudo pacman -S pam-u2f

At this point, you can check whether your system recognizes the YubiKey:

$ dmesg 

Generate the U2F config with pamu2fcfg (touch the YubiKey when it blinks)

$ mkdir -p ~/.config/Yubico
$ pamu2fcfg > ~/.config/Yubico/u2f_keys
$ chmod 440 ~/.config/Yubico/u2f_keys

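Add the following line to /etc/pam.d/system-auth. Its position relative to the pam_unix line determines whether you have to type the password or touch the YubiKey first. Keep a root shell open while testing, since a mistake in this file can lock you out.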

auth required pam_u2f.so
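
The ordering note above can be checked mechanically. This shell function is an added example, not part of the original page: it reads a single PAM file (include lines are not followed, an assumption), and the sample stack is constructed. It goes slightly beyond the text by also flagging an earlier success=N jump that would step over pam_u2f.

```shell
#!/bin/sh
# Added example: summarize how pam_u2f sits in one PAM auth stack.
# Prints: first=<u2f|unix|none> control=<flag> skippable=<yes|no>
# Assumption: a single file is read; include/substack lines are not followed.
u2f_stack_report() {
    awk '
    BEGIN { skip = "no" }
    $1 != "auth" && $1 != "-auth" { next }    # auth stack only
    {
        n++                                    # position in the auth stack
        ctl = $2; i = 3
        # A bracketed control like [success=1 default=bad] spans several fields.
        if (ctl ~ /^\[/) while (ctl !~ /\]$/ && i <= NF) ctl = ctl " " $(i++)
        mod = $i
        if (mod ~ /pam_u2f\.so$/ && !u2f) {
            u2f = n; u2fctl = ctl
            # An earlier success=N jump that reaches this position steps over it.
            if (n <= jump_to) skip = "yes"
        }
        if (mod ~ /pam_unix\.so$/ && !ux) ux = n
        # success=N: on success, jump over the next N modules.
        if (match(ctl, /success=[0-9]+/)) {
            t = n + substr(ctl, RSTART + 8, RLENGTH - 8)
            if (t > jump_to) jump_to = t
        }
    }
    END {
        if (!u2f) { print "first=none control=none skippable=no"; exit }
        first = (!ux || u2f < ux) ? "u2f" : "unix"
        print "first=" first " control=" u2fctl " skippable=" skip
    }' "$1"
}

# Constructed sample stack (not a real system file): the password module
# carries a success=1 jump, so a pam_u2f line placed right after it is
# stepped over whenever the password is correct.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth  [success=1 default=bad]  pam_unix.so  try_first_pass nullok
auth  required                 pam_u2f.so
auth  optional                 pam_permit.so
EOF
u2f_stack_report "$sample"
rm -f "$sample"
```

Run it against /etc/pam.d/system-auth after editing; skippable=yes means pam_u2f is not consulted when the earlier module succeeds.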

If you want to lock the screen when you remove the YubiKey, add the following udev rule to /etc/udev/rules.d/45-yubikey.rules

# Replace the HID_ID value below with your key's, as shown by: udevadm monitor --property
ACTION=="remove", ENV{HID_ID}=="0000:00000000:00000000", RUN+="/usr/bin/systemctl start --no-block i3lock.service"

Create the service unit i3lock.service that the rule starts (for example in /etc/systemd/system/)

[Unit]
Description=i3lock

[Service]
User=<username>
Type=forking
Environment=DISPLAY=:0
ExecStart=<command to lock>

Reload systemd units and udev rules

$ sudo udevadm control --reload-rules && sudo udevadm trigger
$ sudo systemctl daemon-reload
  • Last modified: 2024/10/14 20:59
  • by 127.0.0.1