==================================================
Using a Yubikey to authenticate to a Gentoo system
==================================================

:CreationDate: 2015-11-29 13:30:11
:Id: SW/yubikey-auth
:tags:
  - software
  - configs

Very rough:

* add `my overlay`_

* un-keyword the needed packages, for example by writing this to
  ``/etc/portage/package.accept_keywords/yubikey``::

    app-crypt/libu2f-host
    app-crypt/libu2f-server
    sys-auth/pam_u2f

* install |pam_u2f|_

  There's still a weird problem in that ebuild: it puts the library in
  the wrong directory. You may need to ``cp
  /lib/x86_64-linux-gnu/security/pam_u2f.so /lib64/security``

* add at the top of ``/etc/pam.d/system-login``::

    auth required pam_u2f.so

* run, as each user on your machine::

    # pam_u2f looks for the key mapping in ~/.config/Yubico/u2f_keys by default
    mkdir -p ~/.config/Yubico
    pamu2fcfg -u${USER} -opam://$(hostname) -ipam://$(hostname) \
      >> ~/.config/Yubico/u2f_keys

* Done.

Now you'll need to touch your Yubikey every time you log in, after you
type the username but before you type the password.

See the |pam_u2f|_ documentation for further details.

.. note::

   By declaring that |pam_u2f| is "``required``", you're saying that
   the Yubikey is necessary *in addition to your password*. If you
   want to just use the Yubikey, write ``sufficient`` instead.

.. _`my overlay`: https://www.thenautilus.net/cgit/gentoo-overlay/
.. _`pam_u2f`: https://developers.yubico.com/pam-u2f/
.. |pam_u2f| replace:: ``pam_u2f``
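
A pre-flight check for the steps above, as an added example that is not part of the original page: with ``required`` in ``system-login``, a user whose ``u2f_keys`` file is missing or empty cannot log in, so it is worth confirming the registration before relying on it. The function names ``u2f_key_count`` and ``u2f_ready`` are hypothetical, and the mapping file in the demo is constructed with fake key material.

```shell
#!/bin/sh
# Added example: verify a user's pam_u2f registration before depending on
# "auth required pam_u2f.so". Function names are hypothetical.

# Print the number of credentials recorded for USER in a pam_u2f mapping file.
# Each line is "user:cred1:cred2..." and every credential is a comma-separated
# record that starts with "keyHandle,publicKey".
u2f_key_count() {
    file=$1 user=$2
    [ -f "$file" ] || { echo 0; return; }
    awk -F: -v u="$user" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i ~ /^[^,]+,[^,]+/) n++ }
        END { print n + 0 }
    ' "$file"
}

# Succeed only if USER has at least one credential in FILE and the file
# is not writable by group or others (return 1 and 2 respectively).
u2f_ready() {
    file=$1 user=$2
    count=$(u2f_key_count "$file" "$user")
    if [ "$count" -eq 0 ]; then
        echo "$user: no U2F credential in $file" >&2
        return 1
    fi
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$user: $file is writable by group or others" >&2
        return 2
    fi
    echo "$user: $count credential(s) in $file"
}

# Demo on a constructed mapping file (fake key material, not real output).
demo=$(mktemp)
printf '%s\n' 'alice:a2V5SGFuZGxl,cHVibGljS2V5:c2Vjb25k,a2V5' 'bob:' > "$demo"
chmod 600 "$demo"
u2f_ready "$demo" alice
u2f_ready "$demo" bob || echo "bob cannot pass a 'required' pam_u2f check"
rm -f "$demo"
```

For a real account, call ``u2f_ready "$HOME/.config/Yubico/u2f_keys" "$USER"`` as that user after running ``pamu2fcfg``.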