Enabling U2F authentication in PAM

PAM is the standard way of authentication for most *nix systems today.

U2F is a two-factor authentication standard implemented on YubiKeys. ^{(and others)}

Yubico ^{(the producers of YubiKey)} created a U2F module for PAM, and we're gonna use it. Most likely it's in the package db of your distro of choice.

In order to activate the module, you'll need to modify either /etc/pam.conf or a file in the /etc/pam.d/ directory.

The format is as follows

<interface> <control flag> <module name> <module arguments...>

Most likely your distro has a PAM config file in /etc/pam.d/ that's named something like common-auth, and in that file there should be a line that looks similar to

auth       required        pam_unix.so

and in order to activate u2f, we add a line like

auth       sufficient      pam_u2f.so        cue

after you write to the file, make sure you keep a tty open, just in case.

Then try to log in through a different tty. The result should be something like;

hostname login: username
Password:
Please touch the device.
$

If you don't want to be prompted to touch the device, remove the cue argument in the config file.