How to require a Yubikey for login, Gnome prompts, YaST prompts, etc.?

I’ve configured my system to require my Yubikey for sudo; now I would like to add it to all other authentication paths, if possible. I’m starting with login because… well… I need to start somewhere. :smile:

On Debian, the official instructions worked well and there were no issues. However, on my fresh Tumbleweed install I can’t get it to work - and I searched far and wide for a solution.

Here’s my configuration:

  • I added my two Yubikeys to /etc/Yubico/u2f_keys, both for the current user and root
  • I copied the required configuration files from /usr/lib/pam.d to /etc/pam.d, where I edit them
  • for sudo, this is the line I added below auth include common-auth, which works fine: auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
  • In the case of login, the common-auth line is different: auth substack common-auth. I added my line below it, which did not work. Then I changed substack to include, which also did not work. So I reverted to substack
  • I wasn’t sure if login was the correct file to edit, so I tried gdm, which also did not work

In desperation, I tried what I understand is not recommended: I removed the symlink from common-auth to common-auth-pc and edited common-auth directly, instead of sudo or login. This actually worked (near-)perfectly for all authentication paths and popups I came across - the only issue was that I could only log in when on my home wifi. The moment I was on a different wifi or no wifi, I could not log in at all anymore. Such a weird side effect. :laughing:
I undid those changes again and common-auth points to common-auth-pc again.

I would really appreciate some pointers, since I have put waaaay too much time into this already and am about to give up. :frowning_face:

You forgot to tell us which files, and to show your changes.

I started with sudo → works.
Then login → didn’t get it to work.
Then gdm (which I thought might be required for the login window) → didn’t get it to work.

Eventually I would like to copy over and adapt all config files that make sense. It’s a laptop that does not require any ssh, remote login or anything else aside from logging in as a user and doing office work. I found all these configuration files in /usr/lib/pam.d (but don’t know yet if they all make sense): chage chfn chpasswd chsh cups gnomesu-pam passwd polkit-1 ppp remote screen sshd su sudo-i su-l vlock vnc xdm xscreensaver.

Sorry, missed that.

Regarding sudo (which works well), I changed this:

#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  optional       pam_keyinit.so revoke
session  include        common-session-nonlogin
# session  optional       pam_xauth.so

… to this:

#%PAM-1.0
auth     include        common-auth
auth     required       pam_u2f.so  authfile=/etc/Yubico/u2f_keys  cue
account  include        common-account
password include        common-password
session  optional       pam_keyinit.so revoke
session  include        common-session-nonlogin
# session  optional       pam_xauth.so

Regarding login (which does not work), I changed this:

#%PAM-1.0
auth      requisite  pam_nologin.so
auth      substack   common-auth
auth      include    postlogin-auth
account   substack   common-account
account   include    postlogin-account
password  substack   common-password
password  include    postlogin-password
session   required   pam_loginuid.so
session   optional   pam_keyinit.so force revoke
session   substack   common-session
session   include    postlogin-session
session   optional   pam_motd.so
session   optional   pam_mail.so standard

… to this:

#%PAM-1.0
auth      requisite  pam_nologin.so
auth      substack   common-auth
auth      required   pam_u2f.so  authfile=/etc/Yubico/u2f_keys  cue
auth      include    postlogin-auth
account   substack   common-account
account   include    postlogin-account
password  substack   common-password
password  include    postlogin-password
session   required   pam_loginuid.so
session   optional   pam_keyinit.so force revoke
session   substack   common-session
session   include    postlogin-session
session   optional   pam_motd.so
session   optional   pam_mail.so standard

… then I also tried changing substack to include like so:

#%PAM-1.0
auth      requisite  pam_nologin.so
auth      include    common-auth
auth      required   pam_u2f.so  authfile=/etc/Yubico/u2f_keys  cue
auth      include    postlogin-auth
account   substack   common-account
account   include    postlogin-account
password  substack   common-password
password  include    postlogin-password
session   required   pam_loginuid.so
session   optional   pam_keyinit.so force revoke
session   substack   common-session
session   include    postlogin-session
session   optional   pam_motd.so
session   optional   pam_mail.so standard

… which also did not work.

Anything else I could/should post here?

I wrote a short gist on it:

Yes. Explain what “does not work” means and show your /etc/pam.d/common-auth.

Yes, I’ve seen that and it has been helpful.

When logging in using the Gnome login screen, I would like a password AND a Yubikey to be required. With sudo, I managed to set that up - also thanks to your gist @pavinjoseph. But I can’t manage to set that up for the login screen - a password is enough to log in, the Yubikey does not have to be plugged in.

Here’s my /etc/pam.d/common-auth:

auth    required        pam_env.so      
auth    optional        pam_gnome_keyring.so    only_if=gdm,gdm-password,lxdm,lightdm,mdm,sddm
auth    required        pam_unix.so     try_first_pass

What makes you think the GNOME login screen is using the login PAM service? You are authenticated by the Display Manager; assuming gdm, it most certainly does not. It currently supports several authentication methods - password, smartcard, fingerprint reader. I am not sure where Yubikey best fits in, but assuming that it needs (to provide) user feedback, it is probably password.

If you are using a different Display Manager, tell us which one.

Don’t edit common-* files directly. zypper dup calling pam-config would complain.
Try editing /etc/pam.d/gdm-password. The template is available in /usr/lib/pam.d/gdm-password. For example, updating the gist for your use case, it could be:

#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth     requisite      pam_nologin.so
auth     required       pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue
auth     substack       common-auth
auth     include        postlogin-auth
account  substack       common-account
account  include        postlogin-account
password substack       common-password
password include        postlogin-password
session  required       pam_loginuid.so
session  optional       pam_keyinit.so force revoke
session  substack       common-session
session  include        postlogin-session

I use passwordless authentication with PIN + Yubikey presence for gdm lock screen but never tried it with login screen as I use FDE + gdm autologin.

It works now, thank you @arvidjaar and @pavinjoseph !

I didn’t (aside from a test case). I have read your warnings about that both in your gist and here in the forums. :slight_smile:

I believe I read that somewhere. I had tried editing gdm, which did not work. I did not know gdm-password would be the correct file.

Which brings me to the question: where can I read up on what the various templates in /usr/lib/pam.d are for? I would be interested in finding out what login and the other templates are for and if there is sense in adding my Yubikey to any of them.

They are not templates. They are PAM configuration files. Any application is free to use any PAM service it likes, so I doubt there is any authoritative registry. You can check which packages own these files and try documentation for respective applications. But more often than not you need to resort to the source code.

Someone needs to invest time in maintaining such a registry. It does not appear all by itself.

login is used by /usr/bin/login when doing local logins. It may also be used by other programs offering similar functionality (like kerberized login).

Thank you again for the explanations @arvidjaar .

After using this setup for a few days, a new issue/question appeared. I have set up a limited user account on a laptop, for the children to play Minecraft. Of course, now that login also requires a Yubikey. Is there a way to make this setting account-specific? My account should require a Yubikey, the children’s account should not.

One possibility is to use substack together with the pam_succeed_if module. Create an additional file, like /etc/pam.d/yubikey, with the content

auth     sufficient     pam_succeed_if.so user = user-without-Yubikey
auth     required       pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue

and use

auth     substack yubikey

instead of pam_u2f.so directly in gdm-password. The effect is that if the user matches the pam_succeed_if condition, the substack is immediately terminated without trying further modules in this configuration file, and evaluation proceeds with the modules after the substack line.

There are other options (like explicitly skipping several lines in the PAM configuration file) but IMHO they are too error prone. Substack looks like the cleanest option.

Read man pam_succeed_if for details.

This is fantastic and works flawlessly, thank you!

One hopefully last question on top: if I want to allow several users (children) without yubikey, do I follow my (quite possibly incorrect) understanding of man pam_succeed_if, like so:

auth sufficient pam_succeed_if.so user in child1:child2

… or do I add a separate line for each one, e.g.:

auth     sufficient     pam_succeed_if.so user = child1
auth     sufficient     pam_succeed_if.so user = child2

Both will work. The first is probably slightly more efficient.
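As an added illustration of the two answers above (the substack/pam_succeed_if layout and the "user in child1:child2" form), not code from the thread or from Linux-PAM: a small model of PAM auth-stack control flow that shows why the exemption file must be pulled in with substack and not include. The module names are stubs whose results come from the scenario; the stack layouts assume the gdm-password file from pavinjoseph's post with the pam_u2f line replaced by the substack.

```python
# Added example, not from the thread: a toy model of Linux-PAM auth-stack control
# flow (required/requisite/sufficient/include/substack) showing why the exemption
# file must be pulled in with "substack", not "include". Module results are
# stubbed from the scenario instead of talking to real PAM.

def pam_nologin(user, ctx): return True                       # no /etc/nologin present
def pam_succeed_if(user, ctx): return user in ctx["exempt"]   # "user in child1:child2"
def pam_u2f(user, ctx): return ctx["yubikey_present"]         # key plugged in and touched
def pam_unix(user, ctx): return ctx["password_ok"]            # password check

STACKS = {
    "common-auth": [("required", pam_unix)],
    "yubikey": [("sufficient", pam_succeed_if), ("required", pam_u2f)],
    # layout recommended in the thread: "sufficient" stays scoped to the yubikey file
    "gdm-password": [("requisite", pam_nologin), ("substack", "yubikey"),
                     ("substack", "common-auth")],
    # same file via include: an exempt user's "sufficient" ends the whole stack
    # before common-auth runs, so no password is asked for at all
    "gdm-password-include": [("requisite", pam_nologin), ("include", "yubikey"),
                             ("substack", "common-auth")],
}

def evaluate(name, user, ctx, failed=False):
    """Walk one stack. Returns (failed, done): failed = a required/requisite
    module failed so far; done = evaluation of this stack was cut short."""
    for control, mod in STACKS[name]:
        if control in ("include", "substack"):
            failed, done = evaluate(mod, user, ctx, failed)
            if done and control == "include":
                return failed, True   # include: the cut-off unwinds the parent too
            continue                  # substack: the cut-off ended only the child
        ok = mod(user, ctx)
        if control == "requisite" and not ok:
            return True, True         # die: stop immediately, stack has failed
        if control == "required" and not ok:
            failed = True             # record the failure but keep evaluating
        elif control == "sufficient" and ok and not failed:
            return False, True        # done: success, skip the rest of this stack
    return failed, False

def authenticate(service, user, exempt=(), password_ok=False, yubikey_present=False):
    """True if the auth stack of `service` would admit `user` in this scenario."""
    ctx = {"exempt": set(exempt), "password_ok": password_ok,
           "yubikey_present": yubikey_present}
    failed, _ = evaluate(service, user, ctx)
    return not failed
```

With the substack layout an exempt child still has to give a password and a non-exempt user needs password plus key; with include, an exempt child is admitted without any password, which is the failure mode the substack advice avoids.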


Thank you!
