YubiKey Bio on Fedora KDE
Set up fingerprint unlock for sudo and session unlock using a YubiKey Bio - FIDO Edition on uBlue KDE Aurora
This article shows how I set up fingerprint unlock for sudo and session unlock using a YubiKey Bio - FIDO Edition. Specifically, I am using Universal Blue's KDE variant, Aurora, where pam-u2f comes preinstalled.
I use my YubiKey Bio as an alternative login factor (passwordless), not as 2FA/MFA. This means that I can use the biometrics if I want, or if I don't have the key on me I can fall back to my password. There is also a yubico-pam module, but that uses OTP instead of FIDO2, and it wasn't clear in that case whether the YubiKey is using biometrics or a tap from any finger will do.
Generating Keys
First, if you haven't already, set up your PIN and fingerprints using Yubico's guide: https://docs.yubico.com/software/yubikey/tools/authenticator/auth-guide/fingerprints.html
Now generate a key pair for PAM to use with
pamu2fcfg -u$(whoami) | sudo tee -a /etc/u2f_mappings
You need to touch the device with a configured fingerprint to complete the command. This appends the entry for your current user to the mappings file (tee -a appends rather than overwriting, so existing entries for other users are kept).
Biometrics for Sudo
To be able to use your fingerprint for sudo commands you can add this line to /etc/pam.d/system-auth:
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
- cue will make the terminal print "Please touch the device." so you know when to press (the light will still flash on the YubiKey without cue).
- If you want to require the device PIN as well as biometrics you can append pinverification=1.
- There is also userverification=1, but in my tests this didn't seem to do anything whether it was 0 or 1. In both cases biometrics were required.
Order does matter. I put the u2f line after the auth lines for pam_env.so and pam_faildelay.so, but before pam_fprintd.so (built-in fingerprint), pam_unix.so (password), and pam_deny.so.
By putting it where I have, the Security Key becomes the primary method of auth and will be prompted first when using sudo.
If you don't want to use the Security Key you can either remove the key prior to running sudo, or let the u2f auth time out (about 30 seconds for me), after which the stack falls through to the password prompt.
Biometrics for KDE Lock Screen
According to the ArchWiki and these GitHub issues, SDDM does not support pam_u2f. Because of this I still need to use my password to log in when the computer first boots. After I have logged in once I can use my fingerprint on the KDE lock screen, which is what I set up here.
Similar to setting up sudo, we need to add our u2f line to /etc/pam.d/fingerprint-auth. The ArchWiki entry also recommends commenting out the pam_fprintd.so line, so I did that as well.
auth required pam_env.so
#auth [success=done default=bad] pam_fprintd.so
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings
auth required pam_deny.so
Now if you lock the KDE session you should be able to use either your password or YubiKey biometrics to unlock.
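Both the sudo and the lock-screen setup above depend on two things being right: the order of the auth lines in the PAM file (pam_u2f.so before pam_unix.so and pam_deny.so, with pam_deny.so still present as the final catch-all) and a well-formed, non-world-writable /etc/u2f_mappings entry for your user. The script below is an added example, not code from the original post or from the pam-u2f project; it checks both files. It assumes the mapping-file layout pam-u2f documents (user:keyhandle,pubkey,cosetype,options, with extra credentials separated by colons), and the demo writes constructed sample files with placeholder credential values rather than touching /etc.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the two files
# the post edits, a PAM stack file and the pam_u2f mapping file.

# check_pam_order FILE
# Succeeds only if FILE has an active (uncommented) "auth ... pam_u2f.so" line
# that comes before pam_unix.so (so the key is prompted before the password) and
# before pam_deny.so, and a pam_deny.so auth line is still present so the stack
# cannot fall through to success when every "sufficient" module fails.
check_pam_order() {
    file=$1
    u2f=$(grep -n '^auth[[:space:]].*pam_u2f\.so' "$file" | head -n 1 | cut -d: -f1)
    unix_=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$file" | head -n 1 | cut -d: -f1)
    deny=$(grep -n '^auth[[:space:]].*pam_deny\.so' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$u2f" ]  || { echo "$file: no active pam_u2f.so auth line" >&2; return 1; }
    [ -n "$deny" ] || { echo "$file: no pam_deny.so auth line" >&2; return 1; }
    [ "$u2f" -lt "$deny" ] || { echo "$file: pam_u2f.so must precede pam_deny.so" >&2; return 1; }
    if [ -n "$unix_" ] && [ "$u2f" -gt "$unix_" ]; then
        echo "$file: pam_u2f.so is after pam_unix.so, so the password is asked first" >&2
        return 1
    fi
    return 0
}

# check_mappings FILE USER
# Succeeds if FILE is not world-writable (otherwise any local user could register
# a key under someone else's name) and holds a line "USER:keyhandle,pubkey,cosetype,options"
# in which every colon-separated credential carries its first three fields.
check_mappings() {
    file=$1 user=$2
    if [ -n "$(find "$file" -perm -o=w 2>/dev/null)" ]; then
        echo "$file: world-writable" >&2; return 1
    fi
    line=$(grep "^$user:" "$file" | head -n 1)
    [ -n "$line" ] || { echo "$file: no mapping for $user" >&2; return 1; }
    creds=${line#*:}
    old_ifs=$IFS; IFS=:
    set -- $creds
    IFS=$old_ifs
    for cred in "$@"; do
        case $cred in *,*,*) ;; *) echo "$file: malformed credential for $user" >&2; return 1;; esac
        kh=${cred%%,*}; rest=${cred#*,}
        pk=${rest%%,*};  rest=${rest#*,}
        cose=${rest%%,*}
        if [ -z "$kh" ] || [ -z "$pk" ] || [ -z "$cose" ]; then
            echo "$file: empty field in credential for $user" >&2; return 1
        fi
    done
    return 0
}

# Demo on constructed sample files in a temp dir; returns 0 when a good stack and a
# good mapping pass and a badly ordered stack and an unknown user are rejected.
demo() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/system-auth" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_u2f.so authfile=/etc/u2f_mappings cue
auth        [success=done default=bad] pam_fprintd.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
EOF
    cat >"$dir/system-auth.bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_u2f.so authfile=/etc/u2f_mappings cue
auth        required      pam_deny.so
EOF
    # Constructed mapping line: key handle and public key are placeholders, not a real registration.
    cat >"$dir/u2f_mappings" <<'EOF'
alice:AAAAkeyhandlePLACEHOLDER,AAAApubkeyPLACEHOLDER,es256,+presence+pin
EOF
    check_pam_order "$dir/system-auth"     && good=1  || good=0
    check_pam_order "$dir/system-auth.bad" && bad=0   || bad=1
    check_mappings "$dir/u2f_mappings" alice && map=1   || map=0
    check_mappings "$dir/u2f_mappings" bob   && nomap=0 || nomap=1
    rm -rf "$dir"
    [ "$good$bad$map$nomap" = 1111 ]
}

demo && echo "all checks behaved as expected"
```

To check the real files, run `check_pam_order /etc/pam.d/system-auth`, `check_pam_order /etc/pam.d/fingerprint-auth` and `check_mappings /etc/u2f_mappings "$(whoami)"` as root; a non-zero exit with the printed reason tells you which of the post's steps went wrong before you find out by being locked out of sudo.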