Very rough:
- add my overlay
- un-keyword the needed packages, for example by writing this to
/etc/portage/package.accept_keywords/yubikey:
app-crypt/libu2f-host app-crypt/libu2f-server sys-auth/pam_u2f
-
install pam_u2f
There's still a weird problem in that ebuild, it puts the library in the wrong directory. You may need to cp /lib/x86_64-linux-gnu/security/pam_u2f.so /lib64/security
- add at the top of /etc/pam.d/system-login:
auth required pam_u2f.so
- run, as each user on your machine:
mkdir -p ~/config/Yubico pamu2fcfg -u${USER} -opam://$(hostname) -ipam://$(hostname) \ >> ~/config/Yubico/u2f_keys
- Done. Now you'll need to touch your Yubikey every time you login, after you type the username but before you type the password. See the pam_u2f documentation for further details.
Note
By declaring that pam_u2f is "required", you're saying that the Yubikey is necessary in addition to your password. If you want to just use the Yubikey, write sufficient instead.