==================================================
Using a Yubikey to authenticate to a Gentoo system
==================================================
:CreationDate: 2015-11-29 13:30:11
:Id: SW/yubikey-auth
:tags: - software
- configs
Very rough:
* add `my overlay`_
* un-keyword the needed packages, for example by writing this to
``/etc/portage/package.accept_keywords/yubikey``::
app-crypt/libu2f-host
app-crypt/libu2f-server
sys-auth/pam_u2f
* install |pam_u2f|_
There's still a weird problem in that ebuild, it puts the library in
the wrong directory. You may need to ``cp
/lib/x86_64-linux-gnu/security/pam_u2f.so /lib64/security``
* add at the top of ``/etc/pam.d/system-login``::
auth required pam_u2f.so
* run, as each user on your machine::
mkdir -p ~/config/Yubico
pamu2fcfg -u${USER} -opam://$(hostname) -ipam://$(hostname) \
>> ~/config/Yubico/u2f_keys
* Done. Now you'll need to touch your Yubikey every time you login,
after you type the username but before you type the password. See
the |pam_u2f|_ documentation for further details.
.. note::
By declaring that |pam_u2f| is "``required``", you're saying that
the Yubikey is necessary *in addition to your password*. If you
want to just use the Yubikey, write ``sufficient`` instead.
.. _`my overlay`: https://www.thenautilus.net/cgit/gentoo-overlay/
.. _`pam_u2f`: https://developers.yubico.com/pam-u2f/
.. |pam_u2f| replace:: ``pam_u2f``
