Closed ghost closed 3 years ago
Challenge-response support doesn't look promising for Bio?
pam-u2f works - detailed here: https://developers.yubico.com/pam-u2f/ (:warning: read up and know what you're doing before following my balmy instructions, a botched pam config will lock you out and /etc/u2f_mappings is not readable from an encrypted drive.)
These steps worked for me on Linux Mint.
Install and create mapping for your user:

```
sudo apt install libpam-u2f
pamu2fcfg -uYOURUSERNAME | sudo tee -a /etc/u2f_mappings
```

Edit the pam config:

```
sudo nano /etc/pam.d/common-auth
```

Add:

```
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings
```

Right after:

```
# here are the per-package modules (the "Primary" block)
```
Pop a new shell and run "sudo ls" to test. Practise touching the key in just the right way. 3 failed attempts will cause a lockout and you'll have to fire up Yubico Authenticator to unblock. This seems an odd design choice... I guess you can bruteforce a fingerprint.
I think "sufficient" is... sufficient. I have my 5Ci set up with pam-u2f, too, but anyone can touch that and log right in to my computer if I leave it plugged in.
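A read-only check for the setup described in the steps above, added here as an example and not part of the thread or of pam-u2f itself: it reports which control flag the active pam_u2f line uses, which authfile it points at, and whether a given user has a mapping entry. The function name `u2f_pam_check`, its exit codes and the demo files are assumptions made for the example; the key data in the demo mapping is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check of a pam_u2f setup.
# u2f_pam_check PAM_FILE USER
#   prints: control=<flag> authfile=<path> user=<mapped|unmapped>
#   exit:   0 ok, 1 no active pam_u2f line, 2 no authfile= option,
#           3 authfile unreadable, 4 user has no mapping entry
u2f_pam_check() {
    pam_file=$1
    user=$2
    # First active (uncommented) auth line that loads pam_u2f.so.
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_u2f\.so' "$pam_file" | head -n 1)
    [ -n "$line" ] || { echo "no active pam_u2f line in $pam_file"; return 1; }
    # Second field is the control flag (sufficient, required, ...).
    control=$(printf '%s\n' "$line" | awk '{print $2}')
    # Module arguments are whitespace separated; pick authfile=<path>.
    authfile=$(printf '%s\n' "$line" | tr ' \t' '\n\n' | sed -n 's/^authfile=//p' | head -n 1)
    [ -n "$authfile" ] || { echo "control=$control authfile=(module default)"; return 2; }
    [ -r "$authfile" ] || { echo "control=$control authfile=$authfile unreadable"; return 3; }
    # Mapping lines start with "<username>:" followed by the key data.
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$authfile"; then
        echo "control=$control authfile=$authfile user=mapped"
    else
        echo "control=$control authfile=$authfile user=unmapped"
        return 4
    fi
}

# Demo on constructed files; the key data is a placeholder, not real pamu2fcfg output.
demo=$(mktemp -d)
printf 'alice:PLACEHOLDER_KEYHANDLE,PLACEHOLDER_PUBKEY,es256,+presence\n' > "$demo/u2f_mappings"
cat > "$demo/common-auth" <<EOF
# here are the per-package modules (the "Primary" block)
auth sufficient pam_u2f.so authfile=$demo/u2f_mappings
auth [success=1 default=ignore] pam_unix.so nullok
EOF
u2f_pam_check "$demo/common-auth" alice
u2f_pam_check "$demo/common-auth" bob || echo "exit code $?"
rm -rf "$demo"
```

Run against the real files it would be `u2f_pam_check /etc/pam.d/common-auth "$USER"`; a `control=sufficient` result on a line placed ahead of the password module means a successful touch ends authentication without the password being asked.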
Thanks @Gadgetoid! Because you helped me, I was able to make it work with sudo, login, sddm, and kde login.
No worries - you might also find this interesting, though I had to modify a fair bit to work with my setup: https://gist.github.com/seanlinmt/2530b60e108a0d60d0faed4277e86595
Will this PAM module support YubiKey Bio keys in the future?
From what I understand, this module only supports OTP YubiKeys, and the YubiKey Bio is not one of them (yet?).