I went for something slightly different for /etc/pam.d/common-auth, and thought it might help some other folks too (I commented out the defaults just in case I wanted to go back to them).
Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
# auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=done new_authtok_reqd=done default=ignore] pam_yubico.so mode=challenge-response
auth sufficient pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
# here's the fallback if no module succeeds
# auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
For my particular needs I went with "sufficient" for the challenge-response and password, instead of requiring just the Yubikey or both the Yubikey and the password. The reason is that I wanted the option of using the Yubikey to speed things up, while being able to fall back to my password if need be. So if the challenge-response succeeds, the password isn't necessary (what I read to muddle through that:
https://linux.die.net/man/5/pam.d).
You can also set it up to work with two different Yubikeys by running ykpamcfg -2 -v twice. I don't know for sure that you need to set them up with the same exact settings, but I was using the "Program Multiple Yubikeys" option to create a backup. So that may be something to keep in mind.
I do know that even if you duplicate all the settings across two different Yubikeys, you still need to run ykpamcfg -2 -v again, and then you'll have two challenge files in your ~/.yubico/ directory. So do *not* assume that if you programmed multiple Yubikeys that both will be able to authenticate via the same ~/.yubico/ challenge file. The advice in the documentation to keep a root terminal open until you're absolutely sure it's working is very advisable.
Interesting side note: if you have the above alternative setup, where either your password or your Yubikey can log you in, then all you need to do to unlock the screensaver when the Yubikey is plugged in is hit Enter.
However, the sudo vi /etc/udev/rules.d/85-yubikey.rules bit still confuses me. Where/how are people looking up what exact *.yubikey-rules to use for their system? I've seen FAQs and documentation that uses 69, 70, 85, 99... with no clear explanation of how anyone found out which one they're supposed to use/create. Is it related to your udev version? Your OS? Your Yubikey? All of the above?
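The control-flag behaviour described in the post (a "sufficient" Yubikey line, password fallback, and Enter alone unlocking with the key plugged in) can be checked on paper before touching a live system. What follows is an added example, not code from the post or from the pam_yubico project: a small Python model of the pam.conf(5) control semantics that parses the posted auth stack and the commented-out Debian default, then runs both through the key/password combinations. Module outcomes are constructed for the scenarios (pam_deny always fails, pam_permit always succeeds, pam_ecryptfs returns ignore); the evaluator is a simplified version of Linux-PAM's dispatcher (numeric jumps are always taken, the `reset` action only clears state), so it illustrates the rules rather than replacing the root-terminal test the post recommends. It also shows that the `[success=done new_authtok_reqd=done default=ignore]` line is exactly what pam.conf(5) defines `sufficient` to expand to.

```python
import re

# Classic control keywords in their [value=action] form, as pam.conf(5) defines them
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The stack from the post (auth lines only, comments dropped)
POSTED_STACK = """
auth [success=done new_authtok_reqd=done default=ignore] pam_yubico.so mode=challenge-response
auth sufficient pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
"""

# The commented-out Debian default, for comparison
DEFAULT_STACK = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
"""


def parse_stack(text):
    """Return [(control_dict, module, args)] for every 'auth' line in a PAM file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        ctrl, module, args = m.groups()
        if ctrl.startswith("["):
            control = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            control = KEYWORDS[ctrl]
        stack.append((control, module, args.split()))
    return stack


def run_stack(stack, results):
    """Evaluate an auth stack. `results` maps module -> return code ('success', 'auth_err', ...).

    Simplified Linux-PAM dispatcher: the 'impression' is None (nothing decided yet),
    'positive' or 'negative', and the final status is the first code that set it.
    """
    impression, status = None, "perm_denied"
    i = 0
    while i < len(stack):
        control, module, _ = stack[i]
        retval = results.get(module, "auth_err")          # unknown module: treat as failure
        action = control.get(retval, control.get("default", "bad"))
        if action in ("ok", "done"):
            # a success only counts if no earlier module has already failed
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                return status                               # 'sufficient' short-circuits here
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                return status                               # 'requisite' bails out immediately
        elif action == "reset":
            impression, status = None, "perm_denied"
        elif action != "ignore":
            i += int(action)                                # numeric: skip the next N modules
        i += 1
    # nothing set a verdict: Linux-PAM refuses rather than silently allowing
    return status if impression is not None else "perm_denied"


def outcome(text, yubikey_ok, password_ok):
    """Constructed module results for one scenario; returns the stack's final status."""
    results = {
        "pam_yubico.so": "success" if yubikey_ok else "auth_err",
        "pam_unix.so": "success" if password_ok else "auth_err",
        "pam_deny.so": "auth_err",      # pam_deny always fails
        "pam_permit.so": "success",     # pam_permit always succeeds
        "pam_ecryptfs.so": "ignore",    # constructed: plays no part in the verdict
    }
    return run_stack(parse_stack(text), results)


if __name__ == "__main__":
    for name, text in (("posted", POSTED_STACK), ("default", DEFAULT_STACK)):
        for key, pw in ((True, True), (True, False), (False, True), (False, False)):
            print(f"{name:8} yubikey={key!s:5} password={pw!s:5} -> {outcome(text, key, pw)}")
```

The `yubikey=True password=False` row for the posted stack is the "just hit Enter" case: pam_yubico returns success, the `done` action ends the stack before pam_unix ever sees the empty password. With no key, pam_yubico's failure maps to `ignore`, pam_unix decides, and a wrong password falls through to the `requisite pam_deny.so` line, which fails the stack on the spot.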