Yubikey PAM

Configure yubikey for PAM authentication

Install pam-u2f. And then create a file on your home folder:

mkdir ~/.config/Yubico
pamu2fcfg -o pam://$HOSTNAME -i pam://$HOSTNAME > ~/.config/Yubico/u2f_keys

Then for sudo, edit /etc/pam.d/sudo. Add there on the top the pam_u2f module.

#%PAM-1.0

auth required pam_env.so
auth sufficient pam_u2f.so cue
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
...

You might also want to edit the /etc/pam.d/polkit-1 in the same way.

Finally, add the following to the top your /etc/pam.d/system-auth file. And replace hostname by your real hostname. If you also followed the fingerprint steps; write this line below the try_first_pass one.

auth            sufficient      pam_u2f.so cue