Goal: enable passwordless authentication for our logins as well as privilege escalations (sudo). Alternatively, you can swap out the "sufficient" in the PAM-file edits for "required" to require your Yubikey on top of your password.
⚠️ Messing around in PAM files is hazardous, especially when going the "required" route: be sure not to lock yourself out (keep a fail-safe root terminal at the ready, and use two Yubikeys if you want to require the use of a Yubikey)!
Note: this should also work with other WebAuthn-capable devices, but I haven't been able to test this.
```shell
sudo dnf install -y pam-u2f   # provides pam_u2f.so and pamu2fcfg (pam_yubico is the OTP module, not the U2F one used below)
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys      # first key: creates the file with "user:..."; should light up your Yubikey (asks for PIN and user presence)
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys  # repeat this for each additional Yubikey (-n appends the registration without the username prefix); highly recommend having >= 2 if you use "required" later on for MFA instead of "sufficient"
```

First open a new terminal window as a fail-safe and escalate it to root:

```shell
sudo -i
```

In a regular terminal window (not the fail-safe) edit the first PAM file:

```shell
sudo vim /etc/pam.d/sudo
```

so that it contains the following content.
Note the use of "sufficient": if a Yubikey is detected, PAM prompts (cues) for it and, if it authenticates successfully, ignores the remaining auth options (hence "sufficient").
```
#%PAM-1.0
# THE LINE BELOW IS THE ONLY EDITED ONE
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
# THE LINE ABOVE IS THE ONLY EDITED ONE
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
```
```shell
sudo vim /etc/pam.d/gdm-password
```

Again only one line is added for the Yubikey (sufficient); I'd only recommend "required" (MFA) if you have a spare Yubikey configured.
```
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password substack password-auth
-password optional pam_gnome_keyring.so use_authtok
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
```
```shell
sudo vim /etc/pam.d/login
```

```
#%PAM-1.0
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
```
```shell
sudo vim /etc/pam.d/sudo
```

```
#%PAM-1.0
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
```
... I think you get the point :) and this (afaik) should cover the logins/privilege escalations on a regular work machine.
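Before flipping any of the pam_u2f lines above from "sufficient" to "required", it is worth checking that the account really has a spare key registered and seeing which control flag a pam.d file currently uses. The script below is an added example, not part of the original guide or of the pam-u2f project; it assumes the authfile layout documented by pam-u2f (`username:KeyHandle1,PublicKey1,CoseType1,Options1:KeyHandle2,...`, one line per user) and uses constructed sample files with placeholder key handles and public keys rather than real registrations.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks before
# changing a pam_u2f auth line from "sufficient" to "required".
# Assumed authfile layout (pam-u2f documentation):
#   username:KeyHandle1,PublicKey1,CoseType1,Options1:KeyHandle2,PublicKey2,...
# The sample files written below are constructed for this demo only.

# Count the registered authenticators for USER in AUTHFILE (prints 0 if none).
count_u2f_keys() {
    user="$1"; authfile="$2"
    [ -r "$authfile" ] || { echo 0; return 0; }
    line=$(grep "^${user}:" "$authfile" | head -n 1)
    [ -n "$line" ] || { echo 0; return 0; }
    rest=${line#"$user":}
    # Registrations are ':'-separated; each one is a comma-separated tuple.
    printf '%s\n' "$rest" | tr ':' '\n' | grep -c ',' || true
}

# Print the control flag on the pam_u2f.so auth line of a pam.d file
# ("sufficient", "required", ...) or "none" if the module is not listed.
u2f_control_flag() {
    awk '$1 == "auth" && $3 == "pam_u2f.so" { print $2; found = 1; exit }
         END { if (!found) print "none" }' "$1"
}

# Only treat "required" as safe when the user has at least two registered
# keys, so losing or breaking one key does not lock the account out.
can_require_u2f() {
    n=$(count_u2f_keys "$1" "$2")
    [ "$n" -ge 2 ]
}

# --- constructed sample data (placeholders, not real registrations) ----------
DEMO_DIR=$(mktemp -d)
SAMPLE_AUTHFILE="$DEMO_DIR/u2f_keys"
SAMPLE_PAM_SUDO="$DEMO_DIR/sudo"
cat > "$SAMPLE_AUTHFILE" <<'EOF'
alice:KH_A1,PK_A1,es256,+presence:KH_A2,PK_A2,es256,+presence
bob:KH_B1,PK_B1,es256,+presence
EOF
cat > "$SAMPLE_PAM_SUDO" <<'EOF'
#%PAM-1.0
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
auth include system-auth
EOF

for u in alice bob; do
    if can_require_u2f "$u" "$SAMPLE_AUTHFILE"; then
        echo "$u: $(count_u2f_keys "$u" "$SAMPLE_AUTHFILE") keys registered, 'required' is safe"
    else
        echo "$u: $(count_u2f_keys "$u" "$SAMPLE_AUTHFILE") key registered, keep 'sufficient' or register a spare"
    fi
done
echo "pam_u2f control flag in sample sudo file: $(u2f_control_flag "$SAMPLE_PAM_SUDO")"
```

Run it against your own files by passing `"$USER"` and `~/.config/Yubico/u2f_keys` to `can_require_u2f`, and `/etc/pam.d/sudo` (or `login`, `gdm-password`) to `u2f_control_flag`; the key count only looks at the line whose username prefix matches, which is why the first registration must be written with the username and only later ones with `-n`.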