Enable Yubikey Authentication

[vunnyso]

Description of changes

This patch enables Yubikey authentication for ghaf gui-vm. We are doing Yubikey passthrough from ghaf-host to gui-vm. Currently Yubikey Authentication supported with screen locker (gtklock) and sudo command in pam sufficient mode means either password or tap on device is enough for authentication.

Checklist for things done

• [x] Summary of the proposed changes in the PR description
• [x] More detailed description in the commit message(s)
• [x] Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
• [x] Contribution guidelines followed
• [ ] Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
• [ ] PR linked to architecture documentation and requirement(s) (ticket id)
• [x] Test procedure described (or includes tests). Select one or more:
  • [x] Tested on Lenovo X1 x86_64
  • [ ] Tested on Jetson Orin NX or AGX aarch64
  • [ ] Tested on Polarfire riscv64
• [ ] Author has run nix flake check --accept-flake-config and it passes
• [x] All automatic Github Action checks pass - see actions
• [x] Author has added reviewers and removed PR draft status

Testing

Prerequisite: 1) Yubikey hardware, more details here 2) Generate Yubikey public key using following command pamu2fcfg -u ghaf -o pam://gui-vm 3) Make sure you have Yubikey public key added here (example)

Now plug the Yubikey hardware to Ghaf system.

To verify Yubikey device is detected in gui-vm [ghaf@gui-vm:~]$ lsusb | grep YubiKey Bus 003 Device 003: ID 1050:0407 Yubico YubiKey OTP+FIDO+CCID

To verify sudo command is working [ghaf@gui-vm:~]$ sudo su Please touch the device.

[root@gui-vm:/home/ghaf]#

To verify screen lock is working 1) Press Windows + l to lock the screen 2) Press Enter and tap on Yubikey device to unlock the system.

[leivos-unikie]

• Checked the operation of Yubikey as described
• ci-test-automation pass, performance ok
• all apps launch