Arch Linux
October 7, 2022
The Yubikey as a Login device on local Arch Linux
1) Installing the PAM module
sudo pacman -S pam-u2f
2) Associating the U2F Key with Your Account
- Insert your U2F Key
- Run command below. When your device begins flashing, touch the metal contact to confirm the association.
HOST=$(cat /etc/hostname) pamu2fcfg -o pam://$HOST -i pam://$HOST > u2f_keys && sudo mkdir -vp /etc/Yubico && sudo mv -v u2f_keys /etc/Yubico
Note: Recommended specifying the actual hostname into the environment variableHOST. Keep in mind that in the command above, the actual hostname is picked from the file /etc/hostname.
3) Configuring the System to use the U2F Keys
Open the system-login file and add the following debug or release line to the top of the auth section.
sudo $EDITOR /etc/pam.d/system-login
auth sufficient pam_u2f.so debug debug_file=/var/log/pam_u2f.log authfile=/etc/Yubico/u2f_keys cue
auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
- The reason that the
sufficientline is there is that if the u2f-key is messed up, then you'll be able to log on via password. - The option
cueis set to provide indication of what to do, i.e.Please touch the device.
Note: You can select another PAM-stack:
The /etc/pam.d/ path is exclusive for the PAM configuration to link the applications to the individual systems' authentication schemes. The different configuration files of the base installation link together and are stacked during runtime. For example, on a local user logon, the login application sources the system-local-login policy, which in turn sources others:/etc/pam.d/ ---------------------------------------------------------- login -> system-local-login -> system-login -> system-auth
Source: https://wiki.archlinux.org/title/PAM