1. YubiKey Full Disk Encryption Guide
  2. YFDE Guides
  3. YKFDE Guide for Arch Linux
  4. Enable YubiKey Login

Enable YubiKey Login

Alright, you have already setup full disk encryption with YubiKey but what good is this if anyone can log in without YubiKey? This chapter describes how to use the YubiKey for authentication inclusive sudo.

Have you already created a new user? Don't use root user here.

Challenge response authentication setup

You can read more about that in Local Authentication Using Challenge Response. Let's install the needed package yubico-pam:

sudo pacman -S yubico-pam

Next step is to set the current user to require the YubiKey for logon with the following commands:

You have to do this for each YubiKey due initial challenge. Remember to touch the device if necessary.

mkdir $HOME/.yubico
ykpamcfg -2 -v

It is generally a good idea to move the challenge file in a system-wide path that is only read- and writable by root.

It is important that the file is named with the name of the user that is going to be authenticated by this YubiKey.

sudo mkdir /var/yubico
sudo chown root.root /var/yubico
sudo chmod 700 /var/yubico

sudo mv ~/.yubico/challenge-123456 /var/yubico/[username]-123456
sudo chown root.root /var/yubico/[username]-123456
sudo chmod 600 /var/yubico/[username]-123456

Activation

Let's active the YubiKey for logon. For this open the file with vi /etc/pam.d/system-auth and add the following line after the pam_unix.so line.

Please login to another tty in case of something goes wrong so you can deactivate it. Don't forget to become root.

auth   required        pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

The complete file should look something like this.

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      required  pam_yubico.so   mode=challenge-response chalresp_path=/var/yubico
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

Test it

Arch Linux loads the PAM config files on every login. So simply switch to another tty and try to login. After you have entered your password, the YubiKey should flash and you have to touch the YubiKey button. Good luck!

Congratulations! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the following goals which is really awesome!

  • YubiKey encrypted root (/) and home (/home) folder on separated partitions
  • Encrypted /boot partition
  • UEFI Secure boot (self signed boot loader)
  • YubiKey authentication for user login

If you have any suggestions don't hesitate to create an issue to improve this guide. Also spread the word about this guide so more people can secure their system.

You should now check the security chapter to improve security further.