I am setting up my YubiKeys with this Fedora Magazine guide. I have so far done it so that sudo requires a touch and password. This is great.
However, all it does require is a touch of the key, which is on the machine. Not sure that's secure, really. I would like to enter the PIN every time I have to touch the key.
How do I do this?
A bonus question would be to add a nice message asking me to touch the YubiKey and enter the PIN. At the moment, nothing happens. Which is fine really, as I know, but it should be possible, no?

    √ ; cat /etc/pam.d/sudo
    #%PAM-1.0
    auth required pam_yubico.so mode=challenge-response
    auth include system-auth
    account include system-auth
    password include system-auth
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session include system-auth