# Insert key – was flashing green at first, flashing orange after software installed
\n# As root
\n# Install required packages
\nsudo dnf install pam-u2f fido2-tools yubikey-manager pamu2fcfg<\/p>\n
# As the user
\n# See note below re: setting pin
\n# The FIDO2 PIN must be at least 4 characters, and supports any type of alphanumeric characters. Some YubiKeys can be configured to require a longer PIN. (https:\/\/docs.yubico.com\/software\/yubikey\/tools\/ykman\/FIDO_Commands.html)
\nykman fido access change-pin<\/p>\n
# List current fingerprints – should be none, since no user is set up, will prompt for your pin
\nykman fido fingerprints list
\n# Add your fingerprint – RI stands for “right index” and is essentially a display name for the fingerprint (https:\/\/docs.yubico.com\/software\/yubikey\/tools\/ykman\/FIDO_Commands.html#ykman-fido-fingerprints-add-options-name)
\n# Green light is fast flashing & prompted to touch sensor. Not a slide, touch and remove finger. It prompts with how many more scans are needed & reports when the print is not read (capture failed, recenter your finger and try again)
\n# Key stopped flashing
\nykman fido fingerprints add RI<\/p>\n
<\/p>\n
# Set up pam to use key\/print as auth
\nmkdir ~\/.config\/Yubico
\nchmod 700 ~\/.config\/Yubico<\/p>\n
# Run command, when key flashes green touch it with the registered finger
\npamu2fcfg –username “$USER” –origin “pam:\/\/$(hostname)” >> ~\/.config\/Yubico\/u2f_keys
\nchmod 600 ~\/.config\/Yubico\/u2f_keys<\/p>\n
<\/p>\n
# Back as root
\nauthselect current<\/p>\n
# Results:
\nProfile ID: local<\/p>\n
with features:
\nwith-silent-lasting
\nwith-mdns4
\nwith-fingerprint<\/p>\n
# If nothing is selected, run the following and use “-b sssd” instead of “-b local” below.
\n# authselect select sssd<\/p>\n
authselect create-profile yubikey -b local
\nauthselect select custom\/yubikey with-silent-lastlog with-mdns4 with-fingerprint<\/p>\n
# Edit two files
\n\/etc\/authselect\/custom\/yubikey\/system-auth
\n\/etc\/authselect\/custom\/yubikey\/password-auth<\/p>\n
# Add this line near the top of the auth section, before the usual pam_unix.so \/ pam_sss.so lines:
\nauth sufficient pam_u2f.so authfile=.config\/Yubico\/u2f_keys cue userverification=1<\/p>\n
authselect apply-changes<\/p>\n
# Test before rebooting and losing the currently logged on session<\/p>\n
ctrl-al`-f3 and log into the alt console<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
Note: You may be prompted for the FIDO2 PIN in cases like:
\nYou haven\u2019t enrolled fingerprints (or user verification isn\u2019t available), and the system\/app requires verification.
\nToo many failed fingerprint attempts and the key requires a PIN to re-enable verification.
\nCertain management actions (adding\/removing fingerprints, resetting FIDO2, etc.).<\/p>\n
<\/p>\n
<\/p>\n
# If not working, update the custom system-auth and password-auth to debug output
\nauth sufficient pam_u2f.so authfile=%h\/.config\/Yubico\/u2f_keys cue userverification=1 debug debug_file=\/var\/log\/u2f.log<\/p>\n
# Initialize file, otherwise debug output goes to screen
\ntouch \/var\/log\/u2f.log<\/p>\n
On GUI logon, you have to hit enter (or the arrow) like you are logging in with a password (but you don’t have to type the password) and touch the thing when it flashes green<\/p>\n
If you register new fingerprints on the key, you do not need to regenerate your keys file
\nKDEWallet will prompt to store every new fingerprint you use.<\/p>\n","protected":false},"excerpt":{"rendered":"
# Insert key – was flashing green at first, flashing orange after software installed # As root # Install required packages sudo dnf install pam-u2f fido2-tools yubikey-manager pamu2fcfg # As the user # See note below re: setting pin # The FIDO2 PIN must be at least 4 characters, and supports any type of alphanumeric …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[2201,294,2202],"class_list":["post-12297","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-fido2","tag-linux","tag-yubikey"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12297"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12297\/revisions"}],"predecessor-version":[{"id":12298,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12297\/revisions\/12298"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}