I've bought Yubikeys to manage several things. Each key has two configuration slots, and each slot can be programmed with one of the following authentication methods:
Yubico OTP
OATH-HOTP
Static Password
Challenge-Response
The goal was to authenticate with my Yubikey alone, without a password, while keeping the option to log in with my user password if I lose the key. Another requirement is to lock the computer when the key is removed.
Installation
To install, we'll use two packages: one for PAM and one for the configuration GUI:
Here is the resulting /etc/pam.d/common-auth. pam_yubico comes first and is marked sufficient, so a correct challenge-response from the key logs you in with no password; when the key is absent the module fails, the stack continues, and the usual password check in pam_unix applies. Before this works, slot 2 of the key has to be programmed for HMAC-SHA1 challenge-response (ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible) and the per-user state file created as that user with ykpamcfg -2; pam_yubico then looks for it in ~/.yubico/challenge-<serial>. Keep in mind that with this ordering, anyone holding the plugged-in key can log in as you without knowing the password.

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth	sufficient			pam_yubico.so mode=challenge-response
auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so
# end of pam-auth-update config
The udev rules. The first part gives the console user access to the key's USB device node, which challenge-response needs; the last rule runs a script when the key is unplugged. Product IDs are matched as four-hex-digit strings, so the two newer models must be written 0114 and 0116 (the original rule had 114|116, which never matches). On a remove event the device's sysfs attributes are already gone, which is why that rule matches on the ENV properties udev recorded at insert time; set ID_MODEL_ID to your own key's product ID (lsusb shows it) if it is not a 0010.

ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116", \
    ENV{ID_SECURITY_TOKEN}="1"

LABEL="yubico_end"

# Launch on remove
ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/path/yubi_remove_script.sh"

# Launch on insert
# ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/path/yubi_add_script.sh"
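The remove rule calls /path/yubi_remove_script.sh, but the post never shows that script. The one below is an added example of what it can contain, not the script from the original post. It assumes a systemd-logind system (loginctl); the DRY_RUN variable and the function names are my own, chosen so the script can be exercised without actually locking the machine.

```shell
#!/bin/sh
# yubi_remove_script.sh: added example of the script the udev "remove" rule
# calls. Not the script from the original post. Assumes systemd-logind
# (loginctl), which the post does not state.
#
# udev runs RUN+= programs as root, with no DISPLAY and no user session, so
# an X11 screensaver command would fail here; "loginctl lock-sessions" asks
# logind to lock every session instead.

# udev passes the event properties as environment variables. Re-check them
# so the script stays harmless if run by hand or from a broader rule.
# Returns 0 only for a removal event of a Yubico (vendor id 1050) device.
is_yubikey_removal() {
    [ "${ACTION:-}" = "remove" ] && [ "${ID_VENDOR_ID:-}" = "1050" ]
}

# Lock all sessions. With DRY_RUN=1 (my own knob) the command is printed
# instead of executed, so the rule can be tested without being locked out.
lock_all_sessions() {
    cmd="loginctl lock-sessions"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    $cmd
}

# Record the event through syslog so it shows up in the journal; udev does
# not surface a RUN program's own output.
log_event() {
    logger -t yubi_remove "key ${ID_VENDOR_ID}:${ID_MODEL_ID:-?} removed, locking sessions"
}

main() {
    if ! is_yubikey_removal; then
        return 1
    fi
    log_event
    lock_all_sessions
}

# Run only when executed as the script itself, not when sourced for testing.
case "${0##*/}" in
    yubi_remove_script.sh) main "$@" ;;
esac
```

Make the file executable and owned by root, since udev runs it as root. Desktops such as GNOME and KDE honour logind's Lock signal; under a bare window manager you need something listening for that signal, for example xss-lock, or nothing will actually lock. To try the rule without locking yourself out, put DRY_RUN=1 in the environment of a manual test and check the journal for the logger line.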
You can test if udev sees your key correctly with this command (try to insert and remove it):
For troubleshooting the PAM side, the same /etc/pam.d/common-auth with the debug option added to the pam_yubico line, which makes the module report what it is doing; the header comment of the file is unchanged and omitted here:

# here are the per-package modules (the "Primary" block)
auth	sufficient			pam_yubico.so debug mode=challenge-response
auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so
# end of pam-auth-update config