Secure your local login with yubikeys

hello all

just returned from hacker summer camp and have acquired a couple of new yubikeys, specifically the four and the four nano, and have been configuring them in my gentoo install just for login.

below are the steps to set this up in gentoo and pam for required authentication. this article assumes that you have already configured your yubikeys, so i will not go through how to configure them.

the first bunch of packages that we have to install:

[I] sys-auth/pam_u2f
     Available versions:  (~)1.0.4 {debug}
     Installed versions:  1.0.4(03:25:01 PM 08/10/2016)(-debug)
     Homepage:            https://github.com/Yubico/pam-u2f
     Description:         Library for authenticating against PAM with a Yubikey

[I] sys-auth/pam_yubico
     Available versions:  (~)2.17-r1 (~)2.19-r1 {ldap test}
     Installed versions:  2.19-r1(02:36:23 PM 08/10/2016)(-ldap -test)
     Homepage:            https://github.com/Yubico/yubico-pam
     Description:         Library for authenticating against PAM with a Yubikey

so the emerge line would be:
sudo emerge -av pam_u2f pam_yubico

once that is installed we are going to create /etc/pam.d/yubico with the contents:
auth required pam_u2f.so cue interactive

and now we need to create the u2f_keys file under ${HOME}/.config/Yubico using the pamu2fcfg utility:
sudo pamu2fcfg -u "$(logname)" >> "${HOME}/.config/Yubico/u2f_keys"

if you are putting in more than one entry, double check this file to ensure that each entry is on its own line.

once this is done, we are going to edit both /etc/pam.d/login and /etc/pam.d/passwd and add to both the line:
auth include yubico

once everything is saved, let's test it by pressing alt + ctrl + f2. this will open a new session without logging you out.

and bam. fully set up.
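
a quick way to sanity-check the result of the steps above before relying on it, as an added example that is not part of the original post: it checks that every u2f_keys entry sits on its own well-formed line, that the file ends in a newline before another `>>` append, and that a pam file includes the yubico stack. the `user:keyHandle,publicKey[:keyHandle,publicKey...]` line layout is an assumption, and the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed u2f_keys line format:
#   user:keyHandle,publicKey[:keyHandle,publicKey...]

# Report each line that is not one well-formed entry; non-zero if any is bad.
check_u2f_keys() {
    awk -F: '
        BEGIN { user = "^[A-Za-z0-9._-]+$"
                cred = "^[A-Za-z0-9_+/=-]+,[A-Za-z0-9_+/=-]+$" }
        /^[ \t]*$/ { next }    # skip blank lines
        {
            ok = (NF >= 2 && $1 ~ user)
            for (i = 2; ok && i <= NF; i++)
                if ($i !~ cred) ok = 0
            if (!ok) { printf "line %d: malformed entry\n", NR; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# True when the file is non-empty and does not end in a newline, so the next
# ">>" append would be glued onto the last entry.
lacks_final_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# True when a PAM service file pulls in the yubico stack created above.
pam_includes_yubico() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+yubico([[:space:]]|$)' "$1"
}

# Constructed sample files (placeholder values, not real credentials).
d=$(mktemp -d)
printf 'alice:a2V5SGFuZGxlMQ,04ab12\nbob:a2V5SGFuZGxlMg,04cd34\n' > "$d/good"
printf 'alice:a2V5SGFuZGxlMQ,04ab12' > "$d/unterminated"
printf 'alice:a2V5SGFuZGxlMQ\n:a2V5SGFuZGxlMg,04cd34\n' > "$d/bad"
printf 'auth include yubico\n' > "$d/login"

for f in good unterminated bad; do
    if check_u2f_keys "$d/$f"; then echo "$f: entries well formed"; fi
    if lacks_final_newline "$d/$f"; then echo "$f: end the file with a newline before appending"; fi
done
if pam_includes_yubico "$d/login"; then echo "login: yubico stack included"; fi
rm -rf "$d"
```

to check a real setup, call the same functions on ${HOME}/.config/Yubico/u2f_keys and on /etc/pam.d/login and /etc/pam.d/passwd.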
