Arch Linux
October 7, 2022

Using the YubiKey as a Login Device on Local Arch Linux

1) Installing the PAM module

sudo pacman -S pam-u2f

2) Associating the U2F Key with Your Account

  • Insert your U2F Key
  • Run the command below. When your device begins flashing, touch the metal contact to confirm the association.
HOST=$(cat /etc/hostname); pamu2fcfg -o "pam://$HOST" -i "pam://$HOST" > u2f_keys && sudo mkdir -vp /etc/Yubico && sudo mv -v u2f_keys /etc/Yubico

Note: It is recommended to set the variable HOST to the actual hostname. In the command above, the hostname is read from the file /etc/hostname. The assignment is a separate statement (note the semicolon) so that $HOST is already set when the shell expands the pam:// arguments.


3) Configuring the System to use the U2F Keys

Open the system-login file and add the following debug or release line to the top of the auth section.

sudo $EDITOR /etc/pam.d/system-login

MODE: Debug

auth  sufficient  pam_u2f.so  debug debug_file=/var/log/pam_u2f.log authfile=/etc/Yubico/u2f_keys cue

MODE: Release

auth  sufficient  pam_u2f.so  authfile=/etc/Yubico/u2f_keys cue

Notes:

  • The control flag is sufficient so that, if the U2F key is lost or stops working, you can still log on with your password. It also means that a successful touch of the key is enough by itself: the password is not checked as well.
  • The cue option prints a prompt telling you what to do, i.e. "Please touch the device."

An example of the content of `system-login` with a release line.

Note: You can add the line to another file in the PAM stack instead:

The /etc/pam.d/ path is exclusive for the PAM configuration to link the applications to the individual systems' authentication schemes.
The different configuration files of the base installation link together and are stacked during runtime. For example, on a local user logon, the login application sources the system-local-login policy, which in turn sources others:
/etc/pam.d/
----------------------------------------------------------
login -> system-local-login -> system-login -> system-auth

Source: https://wiki.archlinux.org/title/PAM
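
The placement and options of the pam_u2f line from step 3 can be checked with a short script. This is an added example, not part of the original post: the function names and the sample file content are constructed for illustration, and it assumes a plain control flag and a module written as pam_u2f.so.

```shell
#!/bin/sh
# Added example (not from the original post): audit the pam_u2f line of a PAM file.

# Constructed sample: an auth section with the post's release line at the top.
sample_system_login() {
    cat <<'EOF'
#%PAM-1.0
auth  sufficient  pam_u2f.so  authfile=/etc/Yubico/u2f_keys cue
auth  required    pam_shells.so
auth  requisite   pam_nologin.so
auth  include     system-auth
EOF
}

# pam_u2f_audit FILE: report on the first active auth line that loads pam_u2f.so.
# Prints key=value findings; exit status 1 when there is no such line.
# Assumes a plain control flag (sufficient, required, ...), not the [value=action] form.
pam_u2f_audit() {
    awk '
        $1 != "auth" { next }          # skip comments, blanks, other module types
        { pos++ }                      # position within the auth section
        $3 != "pam_u2f.so" { next }
        {
            found = 1
            print "control=" $2
            print "position=" pos
            for (i = 4; i <= NF; i++) {
                if ($i == "debug") { print "warn=debug logging is enabled" }
                if ($i ~ /^authfile=/) { print "authfile=" substr($i, 10) }
            }
            if ($2 == "sufficient" && pos == 1) {
                print "note=key touch alone satisfies auth; later auth lines are skipped"
            }
            exit
        }
        END { if (!found) { print "missing=no pam_u2f.so auth line"; exit 1 } }
    ' "$1"
}

# authfile_loose FILE: status 0 when FILE is writable by group or others.
# Whoever can write the mapping can enrol their own key for another account.
authfile_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_system_login > "$tmp" && pam_u2f_audit "$tmp"; rm -f "$tmp"
```

On the real system, point pam_u2f_audit at /etc/pam.d/system-login and authfile_loose at /etc/Yubico/u2f_keys.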


4) Reboot the computer or exit from your session.

5) When the login screen is loaded, it should ask you to touch the device.


References

  1. https://wiki.archlinux.org/title/PAM
  2. https://wiki.archlinux.org/title/Universal_2nd_Factor
  3. https://wiki.archlinux.org/title/YubiKey#Linux_user_authentication_with_PAM
  4. https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
  5. https://jamesthebard.net/archlinux-and-u2f-login/