Hey there so im following the wiki on fedoraproject.org for installing both of my yubikeys as sufficient login credentials/pathways. First off even opening this browser (Firefox) required a push on both of my yubikeys. First question would be if one or none of my yubikeys are plugged in would this be the case for every opening of files/browsers/etc?
heres the exact commands I followed per the wiki.
sudo dnf install pam_yubico
sudo nano /etc/pam.d.login
once inside nano above the line auth substack system+auth I inserted the following
auth sufficent pam_yubico.so debug id=1
authfile=/etc/yubikeys
next i opened a new nano editor screen by doing:
sudo nano /etc/yubikeys
now here is where it started talking about mappings. im still very new to fedora and linux in general so i was a bit confused but followed the instructions as it said by doing
userid:ccccccxx…(tapped the yubikey got a ccccc beggining code. i did the same with my other yubikey hoping one would be a backup not neccessarily requiring both.)
next i saw the disclaimer about SELinux on the enforcing mode needing to be adjusted so then in a new window I did:
sudo setsebool -P allow_ypbind=1
then:
chcon -R system_u:object_r:ssh_home_t:s0/root/.yubico
heres where I got an error message cpied and pasted below, well what i can tell at least are the relevant parts by using --help
Usage: chcon [OPTION]… CONTEXT FILE…
or: chcon [OPTION]… [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE…
or: chcon [OPTION]… --reference=RFILE FILE…
Change the SELinux security context of each FILE to CONTEXT.
With --reference, change the security context of each FILE to that of RFILE.
I’m not sure where to go from here so any input would be helpful, I’m again asking if by doing what I did above I made it to where either one of my yubikeys are enough for logging in.
if any yubikey is required at all by the above commands.
will I need to now tap my yubikey to even open a browser? (both are plugged in i had to tap both to use this browser)
ultimately I want to be able to require only one of my yubikeys and have my 5C as a backup, preferably not needed to open browsers, files, general things once im inside my system although if thats a pain im find leaving it as is and having to tap one, not two of my yubikeys to get into things moving forward. Also, I’m debating if I should leave it as sufficient or change to required, whats the point of the keys if there not required is my train of thought. Although im open to suggestions to all of this being so new. I’m not even closing my nano tabs or the other Konsole window because I dont want to fuck things up beyond repair. First time inside a nano window at all so idk if i just close them once complete? either way im leaving everything as is and open right now until I get some feedback. thanks for any input. Im working through linuxcommands.org on my off days and after work but im literally 5 pages deep so when I say new I mean NEW. Thank god for this site to ask for help.