sudo zypper install yubikey-manager pam_u2f
ykman info
ykman fido info
sudo mkdir -p /etc/Yubico
echo $(pamu2fcfg -N) | sudo tee -a /etc/Yubico/u2f_keys
See man 1 pamu2fcfg for more details. Repeat the pamu2fcfg key generation process for other users, such as root.
The following enables passwordless authentication for specific services using the FIDO2 PIN and a user-presence check (touch). Because pam_u2f is listed as sufficient ahead of the password modules, a successful PIN and touch replaces the password rather than supplementing it; if the key is absent or the check fails, the stack falls through to the usual password prompt.
Perform this only as root, otherwise you may be locked out.
Refer to man 5 pam.conf and man 8 pam-config for more details. The default PAM configuration files can be found in the /usr/lib/pam.d directory.
nano /etc/pam.d/gdm-password
#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth requisite pam_nologin.so
auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
auth substack common-auth
auth include postlogin-auth
account substack common-account
account include postlogin-account
password substack common-password
password include postlogin-password
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session substack common-session
session include postlogin-session
nano /etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
auth include common-auth
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session-nonlogin
# session optional pam_xauth.so
nano /etc/pam.d/sudo-i
#%PAM-1.0
auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
auth include common-auth
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
# session optional pam_xauth.so
- Open a new terminal and test using sudo <cmd>
- Open a new terminal and test using sudo -i
- Open a new graphical tty and check that the lock screen can be locked and unlocked
The following also enables passwordless authentication using the FIDO2 PIN and a user-presence check, but for every service that includes common-auth. This is not recommended, as it cuts pam-config out of the picture, which can cause RPM scripts that call pam-config to return an error. This is especially problematic when using transactional-update (TU) to perform a distribution upgrade, as TU discards the whole update if even a single operation returns a non-zero exit code.
Perform this only as root, otherwise you may be locked out.
Check whether pam-config manages /etc/pam.d/common-auth by checking if it is a symlink:
readlink /etc/pam.d/common-auth
If it is a symlink, remove it:
rm /etc/pam.d/common-auth
Then create /etc/pam.d/common-auth with the following contents:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
auth optional pam_gnome_keyring.so
auth required pam_unix.so try_first_pass
Compare with /etc/pam.d/common-auth-pc to arrive at the contents above. See man 5 pam.conf for more details.
Open a new terminal and test using sudo <cmd>
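Both procedures above end with "test in a new terminal before you log out", because a malformed authfile entry or a pam_u2f line pointing at a non-existent authfile silently falls through to (or breaks) password login. The script below is an added example, not part of the original guide: it checks that every line of the authfile has the user:keyhandle,pubkey layout pamu2fcfg produces and names a user that exists, and that every PAM service file loading pam_u2f.so does so in the auth stack with an authfile= that exists. On a real system you would point it at /etc/Yubico/u2f_keys, /etc/passwd and the edited files under /etc/pam.d; here it builds constructed fixtures (placeholder credential data, a tiny passwd) in a temporary directory so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original guide): run these checks in the same
# root shell before logging out, so a typo in the authfile or a PAM service
# file is caught before it can lock you out.
#   check_u2f_keys AUTHFILE PASSWD  every entry is "user:keyhandle,pubkey[,...]"
#                                   and the user exists in PASSWD
#   check_pam_service PAMFILE       file has a pam_u2f.so line in the auth stack
#                                   and every authfile= it names exists
# All paths below are constructed fixtures in a temp dir, not system files.

check_u2f_keys() {
  authfile=$1 passwd=$2 rc=0
  [ -f "$authfile" ] || { echo "missing authfile: $authfile" >&2; return 1; }
  # '|| [ -n "$line" ]' also processes a final line that has no trailing
  # newline, so the check works however the entries were appended.
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case $line in
      *:*) ;;
      *) echo "malformed entry (no user:credential separator): $line" >&2; rc=1; continue ;;
    esac
    user=${line%%:*} creds=${line#*:}
    grep -q -- "^$user:" "$passwd" || { echo "unknown user in authfile: $user" >&2; rc=1; }
    case $creds in
      *,*) ;;
      *) echo "credential for $user is not a keyhandle,pubkey pair: $creds" >&2; rc=1 ;;
    esac
  done < "$authfile"
  return $rc
}

check_pam_service() {
  svc=$1 found=0 rc=0
  [ -f "$svc" ] || { echo "missing PAM service file: $svc" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      \#*|'') continue ;;
      *pam_u2f.so*) found=1 ;;
      *) continue ;;
    esac
    # pam.d line syntax: <type> <control> <module> [options...]
    set -- $line
    [ "$1" = auth ] || { echo "$svc: pam_u2f.so in '$1' stack, expected auth" >&2; rc=1; }
    [ $# -gt 3 ] || continue
    shift 3
    for opt in "$@"; do
      case $opt in
        authfile=*)
          f=${opt#authfile=}
          [ -f "$f" ] || { echo "$svc: authfile does not exist: $f" >&2; rc=1; }
          ;;
      esac
    done
  done < "$svc"
  [ "$found" -eq 1 ] || { echo "$svc: no pam_u2f.so line found" >&2; rc=1; }
  return $rc
}

# Constructed fixtures (stand-ins for /etc/passwd, /etc/Yubico/u2f_keys and
# /etc/pam.d/sudo). Credential fields are placeholders, not real key material.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_PASSWD=$DEMO_DIR/passwd
DEMO_GOOD_KEYS=$DEMO_DIR/u2f_keys
DEMO_BAD_KEYS=$DEMO_DIR/u2f_keys.bad
DEMO_GOOD_SVC=$DEMO_DIR/sudo
DEMO_BAD_SVC=$DEMO_DIR/sudo.bad

printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'alice:x:1000:100::/home/alice:/bin/bash' > "$DEMO_PASSWD"
# Good authfile, written without a trailing newline on purpose.
printf '%s\n%s' \
  'alice:CONSTRUCTED_KEYHANDLE_1,CONSTRUCTED_PUBKEY_1,es256,+presence+pin' \
  'root:CONSTRUCTED_KEYHANDLE_2,CONSTRUCTED_PUBKEY_2,es256,+presence+pin' > "$DEMO_GOOD_KEYS"
# Bad authfile: a user that does not exist, and an entry missing its pubkey.
printf '%s\n' \
  'nosuchuser:CONSTRUCTED_KEYHANDLE_3,CONSTRUCTED_PUBKEY_3,es256,+presence+pin' \
  'alice:CONSTRUCTED_KEYHANDLE_1' > "$DEMO_BAD_KEYS"
cat > "$DEMO_GOOD_SVC" <<EOF
#%PAM-1.0
auth sufficient pam_u2f.so authfile=$DEMO_GOOD_KEYS cue
auth include common-auth
account include common-account
EOF
cat > "$DEMO_BAD_SVC" <<EOF
#%PAM-1.0
auth sufficient pam_u2f.so authfile=$DEMO_DIR/u2f_keys.typo cue
auth include common-auth
EOF

for f in "$DEMO_GOOD_KEYS" "$DEMO_BAD_KEYS"; do
  if check_u2f_keys "$f" "$DEMO_PASSWD"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
for f in "$DEMO_GOOD_SVC" "$DEMO_BAD_SVC"; do
  if check_pam_service "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

To use it against the real system, call check_u2f_keys /etc/Yubico/u2f_keys /etc/passwd and check_pam_service on each file you edited (for example /etc/pam.d/sudo) from the root shell that made the changes; a FAIL means fix the file before closing that shell.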