Update yubikey-login.md #1276
Update yubikey-login.md #1276
Conversation
Add instructions to use a central authfile to address config sprawl problem.
content/yubikey-login.md
Outdated
| @@ -86,6 +86,49 @@ There a a number of other options for PAM and ways to configure that to your lik | |||
| - /etc/pam.d/login | |||
| - /etc/pam.d/gdm-password | |||
|
|
|||
| ### Using a central authfile | |||
|
|
|||
| Modern builds of Debian have expanded the number of config files under `/etc/pam.d`. **Simply modifying the `/etc/pam.d/common-auth` file will not enable Yubikey login from the lock screen**. | |||
There was a problem hiding this comment.
Firstly, we shouldn't be referring to a build of Debian. You may want to refer to the Debian build of a particular package (where "Debian build" is the packaging format), or to a specific version of Pop!_OS/Ubuntu.
Does the second sentence mean the instructions above this section work for initial login but not for unlocking, or is it intended to mean they don't work at all? If it's the latter, it seems strange we'd only mention that the rest of the page doesn't work at this point-- why are the broken instructions still there? (Reading https://askubuntu.com/questions/1167691/passwordless-login-with-yubikey-5-nfc, it doesn't actually sound like common-auth shouldn't work, it just sounds more like the person who wrote the answer preferred to do it a different way.)
There was a problem hiding this comment.
From my experience of using the original documentation, I could use the yubikey in the terminal but not to unlock my workstation. If I clicked Logout/Lock I always had to type a password to get back in.
Updating common-auth feels like the bare minimum now with all the pam.d config files. This approach is kind of the opposite in that it puts the central authfile config option everywhere.
content/yubikey-login.md
Outdated
| @@ -86,6 +86,49 @@ There a a number of other options for PAM and ways to configure that to your lik | |||
| - /etc/pam.d/login | |||
| - /etc/pam.d/gdm-password | |||
|
|
|||
| ### Using a central authfile | |||
There was a problem hiding this comment.
This new method isn't any more "central" than the previous method. (In the Ask Ubuntu page you're referencing, the "non-central" alternative being referenced was configuration within the home directory, which is not what this article previously suggested.) I'd have the section title refer instead to using a Universal 2 Factor (U2F) mapping file.
There was a problem hiding this comment.
It's more more central in that the config you're using is defined in a central authfile (/common-u2f), so if you want to change auth from sufficient to required, it's one file to change before running the command again.
That said I don't mind being clear that it is more about using U2F mapping.
There was a problem hiding this comment.
The point of common-auth is that it's already central/common and included in other files (like login and gdm-password) with the @include common-auth line. The for loop you're adding just looks for everywhere common-auth is already included, and adds an additional include for the new common-u2f file you've created. Therefore, it should have exactly the same effect as if you'd added the file contents to common-auth instead of a new common-u2f file. Does that make sense?
There was a problem hiding this comment.
I do see your point now. After looking at the pam.d/login file I can see the duplicated effort clearly.
# Standard Un*x authentication.
@include common-u2f
@include common-auth
I'll fix this MR so that common-auth has the missing config for unlock.
Updating formatting and content based on Josh's feedback.
updated line for clarity
Added instructions to use a central authfile to address config sprawl problem. This was inspired by the answer in https://askubuntu.com/questions/1167691/passwordless-login-with-yubikey-5-nfc
It solves the issue where the lock screen will only accept password authentication.