Universal 2nd Factor
For all articles on U2F and U2F-devices see: Category:Universal 2nd Factor.
Authentication for websites
Authentication for Arch Linux
Yubico, the company creating the YubiKey, develops a U2F PAM module. It can be used to act as a second factor during login or to replace the need for a password entirely.
Installing the PAM module
The module is part of the package.
Adding a key
Keys need to be added with the tool pamu2fcfg:
$ mkdir ~/.config/Yubico
$ pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
Click the button of your U2F key to confirm the key.
Replace hostname with the actual hostname.
If you own multiple keys, append them with:
$ pamu2fcfg -o pam://hostname -i pam://hostname -n >> ~/.config/Yubico/u2f_keys
sudo -s). This way you can revert any changes if something goes wrong.
Edit /etc/pam.d/sudo and add
auth sufficient pam_u2f.so origin=pam://hostname appid=pam://hostname
as the first line. Be sure to replace the hostname as mentioned above. Then open a new terminal and type sudo ls. Your key's LED should flash, and after you click it the command is executed.
Edit /etc/pam.d/gdm-password and add
auth required pam_u2f.so nouserok origin=pam://hostname appid=pam://hostname
after the existing auth lines. Note the use of the nouserok option, which keeps the rule from blocking login if the user did not configure a key. This way, setups with multiple users where only some of them use a U2F key are supported.
u2f_keys file is unavailable. In this case use a central mapping file as explained in the official documentation of pam-u2f.
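An added example, not part of the original article or of the pam-u2f project: a small Python check that reads a PAM file and reports the points made above (origin/appid still carrying the placeholder instead of the real hostname, where a sufficient rule sits, and whether nouserok is set). The sample files and the hostname archbox are constructed for illustration.

```python
import re

# Matches an "auth" rule: control (plain or bracketed), module, arguments.
RULE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def u2f_rules(pam_text):
    """Yield (auth_position, control, args) for each pam_u2f auth rule."""
    position = 0
    for raw in pam_text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m:
            continue
        position += 1  # counts every auth rule, not only pam_u2f
        control, module, rest = m.groups()
        if module.rsplit("/", 1)[-1] != "pam_u2f.so":
            continue
        # "key=value" arguments keep their value; bare flags map to "".
        yield position, control, dict(a.partition("=")[::2] for a in rest.split())

def audit(pam_text, hostname):
    """Return findings for pam_u2f rules, given the machine's real hostname."""
    expected = "pam://" + hostname
    findings = []
    for position, control, args in u2f_rules(pam_text):
        for key in ("origin", "appid"):
            # Only values written in the file are compared.
            if key in args and args[key] != expected:
                findings.append(f"{key}={args[key]} differs from {expected}")
        if control == "sufficient":
            findings.append(f"sufficient at auth rule {position}: a key touch skips all later auth rules")
        if "nouserok" in args:
            findings.append("nouserok: users without a registered key pass this rule")
    return findings

# Constructed sample files, modelled on the two rules shown on this page.
SUDO = """#%PAM-1.0
auth sufficient pam_u2f.so origin=pam://hostname appid=pam://hostname
auth include system-auth
"""
GDM = """auth include system-local-login
auth required pam_u2f.so nouserok origin=pam://archbox appid=pam://archbox
"""

if __name__ == "__main__":
    for name, text in (("sudo", SUDO), ("gdm-password", GDM)):
        for finding in audit(text, "archbox"):
            print(f"{name}: {finding}")
```

To check a real system, pass the contents of the PAM file and the hostname used with pamu2fcfg to audit().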
Other authentication methods
Enable the PAM module for other services as explained above. For example, to secure the screensaver of Cinnamon, edit
If you managed to lock yourself out of the system, boot into recovery mode or from a USB pen drive. Then revert the changes in the PAM config and reboot.