Unlock Computer With Yubikey

I can use pam-u2f to unlock my computer with a Yubikey that I keep on my belt.

- name: pam-u2f and configurator is installed
  dnf:
    name:
    - pam-u2f
    - pamu2fcfg
    state: installed
  tags:
  - security
  - pam
  - yubikey

pamu2fcfg is used to register the key on each host. I invoke it as =pamu2fcfg > ~/.config/Yubico/u2f_keys &= because my hostname doesn't change based on anything like DHCP or so. With that file in place, PAM can be instructed to load pam_u2f and treat a success state from it as sufficient to unlock the system:

- name: install pam configuration
  lineinfile:
    insertbefore: "auth.*sufficient.*pam_unix.so"
    path: /etc/pam.d/system-auth
    state: present
    line: "auth sufficient pam_u2f.so cue"
    regexp: "auth sufficient pam_u2f.so.*"
  tags:
  - security
  - pam
  - yubikey
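
Because pam_u2f is marked sufficient, a touch of a registered key unlocks the system on its own, so both the line's position in the auth stack and who can write the u2f_keys file are worth checking after the tasks run. The following is an added example, not part of the original configuration: a small audit script whose function names and sample stack are constructed for illustration.

```python
import os, re, stat
# Constructed sample of /etc/pam.d/system-auth after the lineinfile task has run.
SAMPLE_STACK = """\
auth        required      pam_env.so
auth sufficient pam_u2f.so cue
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
account     required      pam_unix.so
"""

AUTH_RE = re.compile(r"^\s*-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_modules(pam_text):
    """Return (control, module, options) for each auth line, in stack order."""
    mods = []
    for line in pam_text.splitlines():
        m = AUTH_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            mods.append((m.group(1), os.path.basename(m.group(2)), m.group(3).split()))
    return mods

def check_stack(pam_text):
    """Return findings; an empty list means the stack matches the page's layout."""
    mods = auth_modules(pam_text)
    names = [module for _, module, _ in mods]
    if "pam_u2f.so" not in names:
        return ["pam_u2f.so is not in the auth stack"]
    findings = []
    u2f = names.index("pam_u2f.so")
    control, _, options = mods[u2f]
    if control != "sufficient":
        findings.append("pam_u2f.so control is '%s', not 'sufficient'" % control)
    if "pam_unix.so" in names and names.index("pam_unix.so") < u2f:
        findings.append("pam_unix.so precedes pam_u2f.so, so the password prompt comes first")
    if "cue" not in options:
        findings.append("pam_u2f.so has no 'cue' option, so no touch reminder is shown")
    return findings

def check_keys_file(path):
    """Flag a u2f_keys file that other accounts could rewrite to enroll their own key."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["%s is group- or world-writable (mode %o)" % (path, stat.S_IMODE(mode))]
    return []

if __name__ == "__main__":
    print(check_stack(SAMPLE_STACK) or "auth stack OK")
    keys = os.path.expanduser("~/.config/Yubico/u2f_keys")
    print(check_keys_file(keys) if os.path.exists(keys) else keys + " not found")
```

To audit a live host, pass the contents of /etc/pam.d/system-auth to check_stack instead of the sample.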