14 Comments

  1. wk

    While I appreciate the nuts and bolts of establishing such authentication, it would help me dramatically to grasp the details if there were a higher level description of what is going on.

  2. AquaL1te

    When you do this I assume you also have to lock down the TTYs, otherwise you can still circumvent the 2FA if you have obtained a user’s password.

    • If you wish to add the challenge-response to the virtual console logins, add the following line to /etc/pam.d/login immediately after #%PAM-1.0 :
      auth required pam_yubico.so mode=challenge-response

      The top of the /etc/pam.d/login file should now look like:

      #%PAM-1.0
      auth required pam_yubico.so mode=challenge-response
      auth substack system-auth
      auth include postlogin
      account required pam_nologin.so
      account include system-auth

      • AquaL1te

        I prefer to use U2F for this, then you don’t have to spend one of your 2 slots for this. I disabled the TTYs as a whole.

  3. Blake

    Hey,

    Great write up! I think you may have meant FIDO2 in reference to the Yubikey 5 in the hardware token keys paragraph.

    Thanks again for the article 👍

  4. Edgar Hoch

    “If someone gains access to your password, they still can’t log in without your physical hardware Yubikey. Congratulations! You’ve now dramatically increased the security of your workstation login.”

    I think this is not true. There are still other access options that are not protected by Yubikey. ssh, text console for example.

    • Hi Edgar, you are correct. I should have explained that additional items can be further secured or even disabled; like the virtual consoles and ssh. If readers are interested, I can discuss with the editors and pitch a part 2 of the article.
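Added example, not part of any comment or of the original article: a presence check that resolves each PAM service's auth stack (following `include` and `substack`) and lists the services that never require pam_yubico.so, which is the gap raised in the comments above for virtual consoles and ssh. The file contents, the service list and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MODULE = "pam_yubico.so"  # module named in the comments above

def auth_stack(service, pam_dir, seen=None):
    """Return (control, module) pairs for a service's auth lines, following include/substack."""
    seen = set() if seen is None else seen
    path = Path(pam_dir) / service
    if service in seen or not path.is_file():  # stop on include loops and missing files
        return []
    seen.add(service)
    stack = []
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including the #%PAM-1.0 header
        # fields: type, control (plain word or [bracketed]), module path or included file
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(1) != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            stack += auth_stack(target, pam_dir, seen)
        else:
            stack.append((control, Path(target).name))
    return stack

def services_without(pam_dir, services, module=MODULE):
    """Presence check only (control flow is not modelled): services lacking a required module."""
    missing = []
    for svc in services:
        controls = [c for c, mod in auth_stack(svc, pam_dir) if mod == module]
        if not any(c in ("required", "requisite") for c in controls):
            missing.append(svc)
    return missing

def demo():
    """Run the check over constructed sample files (not copied from a real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "system-auth").write_text("auth sufficient pam_unix.so\nauth required pam_deny.so\n")
        (d / "password-auth").write_text("auth sufficient pam_unix.so\n")
        (d / "login").write_text(
            "#%PAM-1.0\nauth required pam_yubico.so mode=challenge-response\n"
            "auth substack system-auth\nauth include postlogin\n")
        (d / "sshd").write_text("#%PAM-1.0\nauth substack password-auth\n")
        return services_without(d, ["login", "sshd"])

if __name__ == "__main__":
    print(demo())
```

On a real system, point `services_without` at `/etc/pam.d` with the services you expose; a service that is listed still needs a manual look, since the module may sit in a file this simple resolver does not reach.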

  5. My favorite “hardware device” is a sheet of paper with one time passwords as a second factor. Is there a Fedora how to on setting that up? … both printing the sheet and configuring pam to consult the list and check them off when used.

  6. In the Updating and installing section:

    $ sudo dnf upgrade
    $ sudo dnf install ykclient* ykpers* pam_yubico*
    $ cd

    What is with the last “cd” command? Where was it supposed to change directory, or was it unnecessary?

    • james miller

      The open source Solo key was funded to the tune of $123 thousand in 20 minutes… I suspect we will see it soon… lol.
      However, one still has to purchase a key. I have been thinking about writing a Python program to interact with D-Bus to run when a USB key is plugged in that retrieves and displays your generated password when plugged in, which you can then type directly or copy and paste (if secure). That would allow any USB key to be used, although not quite as securely. The app could then generate and store passwords that are complex hex or hash type keys that are more secure than standard passwords and that can be renewed automatically at time intervals if necessary. This way the user wouldn’t have to rely on memory.
      It might require that the user plug in their key each time, and there would have to be a udev rule installed on the computer, or however Windows manages things (a batch file?), but it might complement a two factor authentication process that uses Solo or Yubikey.

  7. Great to see that the project is still active!


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions
