[NOTE: The typical warnings apply here. You can seriously lock yourself out of your system if you perform any of these steps incorrectly.]
Alright, so we’ve got the disk encryption set-up and your system automatically locks when you remove the YubiKey from the system. All that’s left is to force the login to require the YubiKey be in place (to append to the authentication step) and we have a somewhat locked-down system.
Assuming you left Slot 2 open for this, you'll use slot 2 throughout this post; otherwise, change the slot numbers accordingly, or you'll nuke the key for the disk encryption, and won't starting over be just the bestest fun in the history of ever!?
OK, so first things first, we have to set up the challenge-response secret in slot 2 on the key:
ykman otp chalresp -g 2
Now, we need to associate this with your user account.
Let's first configure sudo to require the YubiKey. We'll be using our favourite text editor for this, so the same steps to save and exit apply.
sudo nano /etc/pam.d/sudo
Append the last line below (the pam_yubico one, shown in red in the original) to your config file:
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth required pam_yubico.so mode=challenge-response
Ctrl + X, Y to accept. DO NOT CLOSE THE WINDOW.
Before we go any further we need to test your new combination. The reason why we don't want to close the window is so that you can revert the config if it doesn't work. 🙂 Since you just elevated to sudo, your cached sudo credentials will still be valid for 'x' time (sudo's timeout), which should be sufficient for the rest of this post.
So, pull the YubiKey out of the USB interface and run the following in your terminal:
sudo echo test
Even though you're using the correct password, the authentication should fail. We want that to happen, because the YubiKey's not present.
Now, enter your YubiKey, open a new Terminal window, and run the same command again (be sure not to close the old one, just yet).
sudo echo test
With luck, this authentication attempt should be successful. If it isn’t: Do not pass go, do not collect $200. Revert the settings you made to the sudo file and start from scratch, again.
If the authentication was successful, then we just need to tell the system to require the YubiKey on login.
sudo nano /etc/pam.d/gdm-password
Add the last line below (the pam_yubico one, shown in red in the original) to your config, noting the location relative to @include common-auth:
@include common-auth
auth optional pam_gnome_keyring.so
auth required pam_yubico.so mode=challenge-response
Close, accepting the changes on the way out.
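For anyone who would rather script the PAM edit above than do it by hand in nano, here is an added example (my own code, not from the original post): it appends the same pam_yubico line to a PAM service file you pass as an argument, keeps a .bak copy for the "revert if it doesn't work" step, refuses to add the line twice, and checks that it lands after @include common-auth so the password check still runs and the key is an additional factor rather than a replacement. It never touches /etc/pam.d on its own, so try it on a copy first. The associate_slot2 function is an assumption on my part: the post doesn't show the command for the "associate this with your user account" step, and ykpamcfg -2 from the libpam-yubico package is the one I understand does that job.

```sh
#!/bin/sh
# Added example, not code from the original post. Scripts the PAM edit the
# post does by hand: append the pam_yubico challenge-response line to a PAM
# service file with a backup, refuse to add it twice, and check the result
# before you reboot. Pass the file path explicitly; it never edits
# /etc/pam.d by itself, so it can be exercised on a copy.

YUBICO_LINE='auth required pam_yubico.so mode=challenge-response'

# Assumption: the "associate this with your user account" step the post
# leaves out is `ykpamcfg -2` (libpam-yubico), which stores the initial
# challenge/response for slot 2 under ~/.yubico/. Run it as the user who
# will log in, with the key inserted. Not called by the functions below.
associate_slot2() {
    ykpamcfg -2 -v
}

# Append the module line once, keeping FILE.bak for the revert step.
add_yubico_line() {
    file="$1"
    if grep -qxF "$YUBICO_LINE" "$file"; then
        return 0                      # already present: do not stack duplicates
    fi
    cp -p "$file" "$file.bak"
    printf '%s\n' "$YUBICO_LINE" >> "$file"
}

# Put the original file back (the "revert the config if it doesn't work" step).
revert_yubico_line() {
    file="$1"
    [ -f "$file.bak" ] && cp -p "$file.bak" "$file"
}

# Number of pam_yubico lines in FILE; a healthy edit yields exactly 1.
yubico_line_count() {
    grep -cxF "$YUBICO_LINE" "$1"
}

# Succeeds only if the pam_yubico line comes after "@include common-auth",
# so the password check still runs and the key is an extra factor.
yubico_after_common_auth() {
    file="$1"
    common=$(grep -n '^@include common-auth' "$file" | head -n1 | cut -d: -f1)
    yubi=$(grep -nxF "$YUBICO_LINE" "$file" | head -n1 | cut -d: -f1)
    [ -n "$common" ] && [ -n "$yubi" ] && [ "$yubi" -gt "$common" ]
}
```

Typical use on a copy: cp /etc/pam.d/sudo /tmp/sudo.test; add_yubico_line /tmp/sudo.test; yubico_after_common_auth /tmp/sudo.test && echo ok. Only once the copy looks right, and the live "pull the key, sudo should fail" test from above passes, do you point it at the real file, and the .bak is what you restore from the still-open root shell if it doesn't.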
…and that’s it. Give your system the good old reboot (sudo init 6, if you’re feeling frosty) and you should now, forever and always, be required to have your YubiKey inserted to login to your system or do anything that requires sudo.
You know, like a civilised human being.
Thanks for coming to this NERDTalk™ and happy Ubuntuing!