I’ve configured my system to require my Yubikey for sudo; now I would like to add it to all other authentication paths, if possible. I’m starting with login because… well… I need to start somewhere.
On Debian, the official instructions worked well and there were no issues. However, on my fresh Tumbleweed install I can’t get it to work - and I searched far and wide for a solution.
Here’s my configuration:
I added my two Yubikeys to /etc/Yubico/u2f_keys, both for the current user and root
I copied the required configuration files from /usr/lib/pam.d to /etc/pam.d, where I edit them
For sudo, this is the line I added below auth include common-auth, which works fine: auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
In the case of login, the common-auth line is different: auth substack common-auth. I added my line below it, which did not work. Then I changed substack to include, which also did not work. So I reverted back to substack.
I wasn’t sure if login was the correct file to edit, so I tried gdm, which also did not work
In desperation, I tried what I understand is not recommended: I removed the symlink from common-auth to common-auth-pc and edited common-auth directly, instead of sudo or login. This actually worked (near-)perfectly for all authentication paths and popups I came across - the only issue was that I could only log in when on my home wifi. The moment I was on a different wifi or no wifi, I could not log in at all anymore. Such a weird side effect.
I undid those changes again and common-auth points to common-auth-pc again.
I would really appreciate some pointers, since I have put waaaay too much time into this already and am about to give up.
I started with sudo → works.
Then login → didn’t get it to work.
Then gdm (which I thought might be required for the login window) → didn’t get it to work.
Eventually I would like to copy over and adapt all config files that make sense. It’s a laptop that does not require any ssh, remote login or anything else aside from logging in as a user and doing office work. I found all these configuration files in /usr/lib/pam.d (but don’t know yet if they all make sense): chage chfn chpasswd chsh cups gnomesu-pam passwd polkit-1 ppp remote screen sshd su sudo-i su-l vlock vnc xdm xscreensaver.
When logging in using the Gnome login screen, I would like a password AND a Yubikey to be required. With sudo, I managed to set that up - also thanks to your gist @pavinjoseph. But I can’t manage to set that up for the login screen - a password is enough to log in, the Yubikey does not have to be plugged in.
What makes you think the GNOME login screen is using the login PAM service? You are authenticated by the Display Manager; assuming gdm, it most certainly does not. It currently supports several authentication methods - password, smartcard, fingerprint reader. I am not sure where Yubikey best fits in, but assuming that it needs (to provide) user feedback it is probably password.
If you are using a different Display Manager, tell which one.
Don’t edit common-* files directly. zypper dup calling pam-config would complain.
Try editing /etc/pam.d/gdm-password. The template is available in /usr/lib/pam.d/gdm-password. For example, updating the gist for your use case it could be:
#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth requisite pam_nologin.so
auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
auth substack common-auth
auth include postlogin-auth
account substack common-account
account include postlogin-account
password substack common-password
password include postlogin-password
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session substack common-session
session include postlogin-session
I use passwordless authentication with PIN + Yubikey presence for gdm lock screen but never tried it with login screen as I use FDE + gdm autologin.
I didn’t (aside from a test case). I have read your warnings about that both in your gist and here in the forums.
I believe I read that somewhere. I had tried editing gdm, which did not work. I did not know gdm-password would be the correct file.
Which brings me to the question: where can I read up on what the various templates in /usr/lib/pam.d are for? I would be interested in finding out what login and the other templates are for and if there is sense in adding my Yubikey to any of them.
They are not templates. They are PAM configuration files. Any application is free to use any PAM service it likes, so I doubt there is any authoritative registry. You can check which packages own these files and try documentation for respective applications. But more often than not you need to resort to the source code.
Someone needs to invest time in maintaining such a registry. It does not appear all by itself.
login is used by /usr/bin/login when doing local logins. It may also be used by other programs offering similar functionality (like kerberized login).
After using this setup for a few days, a new issue/question appeared. I have set up a limited user account on a laptop, for the children to play Minecraft. Of course, that login now also requires a Yubikey. Is there a way to make these settings account-specific? My account should require a Yubikey, the children’s account should not.
instead of pam_u2f.so directly in gdm-password. The effect is that if the user matches the pam_succeed_if condition, the substack is immediately terminated without trying further modules in this configuration file, and processing proceeds with the modules after the substack line.
There are other options (like explicitly skipping several lines in PAM configuration file) but IMHO they are too error prone. Substack looks like the most clean option.
This is fantastic and works flawlessly, thank you!
One hopefully last question on top: if I want to allow several users (children) without yubikey, do I follow my (quite possibly incorrect) understanding of man pam_succeed_if, like so:
auth sufficient pam_succeed_if.so user in child1:child2
… or do I add a separate line for each one, e.g.:
auth sufficient pam_succeed_if.so user = child1
auth sufficient pam_succeed_if.so user = child2
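Added example, not part of the thread and not real PAM code: a small Python model of how Linux-PAM walks an auth stack, written to show the two points discussed above (why a sufficient pam_succeed_if line belongs in a substack, and that "user in child1:child2" and one "user = ..." line per user behave the same). Everything in it is constructed for the example: the file name u2f-unless-child, the user names child1 and child2, the stub module behaviours, and the assumption that the exemption lives in a separate file pulled in from gdm-password. It models only the required/requisite/sufficient/optional/include/substack keywords and treats every module result as plain success or failure; bracketed control values and pam_succeed_if options are not modelled.

```python
"""Toy model of Linux-PAM auth stack evaluation (added example, not real PAM).

Control flags modelled: required, requisite, sufficient, optional, include,
substack.  Files, user names and module behaviours below are constructed.
"""

# Constructed /etc/pam.d snippets (auth lines only, not a real system).
PAM_FILES = {
    # Exemption file as one pam_succeed_if line with the 'in' operator.
    "u2f-unless-child": """
        # users listed here skip the Yubikey check (hypothetical accounts)
        auth sufficient pam_succeed_if.so user in child1:child2
        auth required   pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
    """,
    # Same policy spelled with one pam_succeed_if line per user.
    "u2f-unless-child-per-user": """
        auth sufficient pam_succeed_if.so user = child1
        auth sufficient pam_succeed_if.so user = child2
        auth required   pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
    """,
    # Stand-in for the distribution's common-auth.
    "common-auth": """
        auth required pam_env.so
        auth required pam_unix.so try_first_pass
    """,
}


def gdm_password(control, exemption_file):
    """Build a gdm-password file; `control` is 'substack' or 'include'."""
    return f"""
        auth requisite pam_nologin.so
        auth {control} {exemption_file}
        auth substack  common-auth
    """


def _succeed_if(args, env):
    """Stub for pam_succeed_if: only the 'user' field and =, !=, in, notin."""
    field, op, value = [a for a in args if a not in ("quiet", "debug")][:3]
    actual, items = env[field], value.split(":")
    return {"=": actual == value, "!=": actual != value,
            "in": actual in items, "notin": actual not in items}[op]


# Stub modules: each returns True (PAM_SUCCESS) or False (failure).
MODULES = {
    "pam_nologin.so":    lambda args, env: not env["nologin"],
    "pam_env.so":        lambda args, env: True,
    "pam_unix.so":       lambda args, env: env["password_ok"],
    "pam_u2f.so":        lambda args, env: env["key_present"],
    "pam_succeed_if.so": _succeed_if,
}


def parse(text):
    """Yield (control, module, args) for each auth line, ignoring comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            yield fields[1], fields[2], fields[3:]


def evaluate(files, name, env, ran, failed=False):
    """Walk the auth lines of one file.

    Returns (ok, jump) where jump is None, 'done' (a sufficient module
    succeeded) or 'die' (a requisite module failed).  `failed` carries in
    whether an earlier required module already failed, which blocks 'done'.
    """
    for control, module, args in parse(files[name]):
        if control in ("include", "substack"):
            ok, jump = evaluate(files, module, env, ran, failed)
            if control == "include" and jump:
                return ok, jump          # included lines act as if written inline
            failed = failed or not ok    # substack: done/die ended only the substack
            continue
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag {control!r}")
        ran.append(module)
        ok = MODULES[module](args, env)
        if control == "required" and not ok:
            failed = True                # remember the failure, keep going
        elif control == "requisite" and not ok:
            return False, "die"          # stop immediately
        elif control == "sufficient" and ok and not failed:
            return True, "done"          # stop this (sub)stack with success
        # optional results never influence the outcome in this model
    return not failed, None


def authenticate(control, exemption_file, user, password_ok, key_present):
    """Simulate one gdm-password login attempt. Returns (ok, modules_run)."""
    files = dict(PAM_FILES, **{"gdm-password": gdm_password(control, exemption_file)})
    env = {"user": user, "password_ok": password_ok,
           "key_present": key_present, "nologin": False}
    ran = []
    ok, _ = evaluate(files, "gdm-password", env, ran)
    return ok, ran


if __name__ == "__main__":
    for control in ("substack", "include"):
        for user, pw, key in (("alice", True, True), ("alice", True, False),
                              ("child1", True, False), ("child1", False, False)):
            ok, ran = authenticate(control, "u2f-unless-child", user, pw, key)
            print(f"{control:8} {user:6} password_ok={pw!s:5} key={key!s:5} "
                  f"-> {'OK ' if ok else 'FAIL'} via {ran}")
```

With substack, a child account skips pam_u2f but still has to pass pam_unix in common-auth, and a wrong password is still rejected. With include, the sufficient pam_succeed_if line terminates the whole gdm-password stack the moment it matches, so in this model the child accounts would be let in without pam_unix ever running; that is the kind of error-proneness the answer above warns about. The per-user spelling gives the same results as the "in" form.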