Hello!
I recently followed the "Using YubiKeys with Fedora" documentation to configure my two Yubico keys to work with the following PAM modules:
- /etc/pam.d/sudo
- /etc/pam.d/sudo-i
- /etc/pam.d/sshd
Everything is working as expected: every time I try to use sudo, I am asked to press the button on my key, and then I am prompted for my fingerprint. The same is true for SSH, except that in this case, the system prompts for my password.
I tried to configure the same behavior for the login process without success. Currently, the system requests that I press the button on my key to log in without asking for my fingerprint or password, and I would like to have the two-step procedure configured as well.
I have configured the following files:
/etc/pam.d/yubikey-required

```
#%PAM-1.0
auth required pam_u2f.so
```

/etc/pam.d/gdm-password

```
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth include yubikey-required
auth optional pam_gnome_keyring.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password substack password-auth
-password optional pam_gnome_keyring.so use_authtok
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
```

I am unsure if the gdm-password is the right PAM module to be configured, but this was my best guess.
Any help is welcome!