YubiKey Bio on Fedora KDE

Setup fingerprint unlock for sudo and session unlock using a YubiKey Bio - Fido Edition for uBlue KDE Aurora


This article shows how I set up fingerprint unlock for sudo and session unlock using a YubiKey Bio - FIDO Edition. Specifically, I am using Universal Blue's KDE variant, Aurora, where pam-u2f comes preinstalled.

I use my YubiKey Bio as an alternative login factor (passwordless), not as a second factor (2FA/MFA). This means I can use the biometrics if I want, or fall back to my password if I don't have the key on me. There is also a yubico-pam module, but it uses Yubico OTP instead of FIDO2, and it wasn't clear to me whether the YubiKey would then use biometrics or whether a tap from any finger would do.

Generating Keys

First, if you haven't already, set up your PIN and fingerprints using Yubico's guide: https://docs.yubico.com/software/yubikey/tools/authenticator/auth-guide/fingerprints.html

Now generate a key pair for PAM to use with

pamu2fcfg -u$(whoami) | sudo tee -a /etc/u2f_mappings

You need to touch the device with an enrolled fingerprint to complete the command. This appends a mappings entry for your current user to /etc/u2f_mappings (tee -a appends, so running the command again adds a second entry rather than replacing the first).

Biometrics for Sudo

To use your fingerprint for sudo commands, add this line to /etc/pam.d/system-auth (on Fedora, /etc/pam.d/sudo includes system-auth):

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

/etc/pam.d/system-auth

  • cue makes the terminal print "Please touch the device." so you know when to press (the light on the YubiKey flashes either way).
  • If you want to require the device PIN as well as biometrics, append pinverification=1.
  • There is also userverification=1, but in my tests this didn't seem to do anything whether it was 0 or 1; in both cases biometrics were required.

Order does matter. I put the u2f line after the auth lines for pam_env.so and pam_faildelay.so, but before pam_fprintd.so (built-in fingerprint reader), pam_unix.so (password) and pam_deny.so.

By putting it there, the Security Key becomes the primary method of auth and is prompted first when using sudo. Because the line is "sufficient" rather than "required", a missing or failed key simply falls through to the password line; it never becomes a hard second factor.

Keep a second terminal with an already-authenticated sudo session open while you edit the file, so a typo in the PAM stack cannot lock you out of root. On Fedora-based systems system-auth is generated by authselect, so a later authselect run can overwrite a hand edit; recheck the file after any authselect change.

If you don't want to use the Security Key, you can either remove the key before running sudo, or let the u2f auth time out (about 30 seconds for me).

Biometrics for KDE Lock Screen

According to the ArchWiki and these GitHub issues, SDDM does not support pam_u2f. Because of this I still need to use my password to log in when the computer first boots. Once I have logged in, I can use my fingerprint on the KDE lock screen, which is what I set up here.

Similar to the sudo setup, we add our u2f line to /etc/pam.d/fingerprint-auth. The ArchWiki entry also recommends commenting out the pam_fprintd.so line, so I did that as well.

auth required pam_env.so
#auth [success=done default=bad] pam_fprintd.so
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings
auth required pam_deny.so

Now, if you lock the KDE session, you should be able to unlock with either your password or the YubiKey biometrics.
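The two PAM edits above (system-auth for sudo and fingerprint-auth for the lock screen) are easy to get subtly wrong: an entry appended to the end of the file lands after pam_deny.so and is never reached, a "required" control turns the key into a hard requirement, and a stale pam_fprintd.so line keeps prompting the built-in reader. The following Python script is an added example, not code from the post or from pam_u2f, that checks a mappings file and an auth stack for exactly those mistakes. It assumes the u2f_mappings line format documented for pam_u2f (user:credential,publickey,cosetype[,options]); the mappings line, key values and PAM stacks embedded in it are constructed samples, not real registration data.

```python
# Offline checks for a pam_u2f setup: the u2f_mappings entry and the PAM auth stack order.
# Added example (not code from the post or from pam_u2f); it works on text you pass in,
# so the constructed samples below stand in for /etc/u2f_mappings and /etc/pam.d/* files.
import re
from typing import Optional

# Constructed sample of what `pamu2fcfg -u alice | sudo tee -a /etc/u2f_mappings` appends.
# Format: user:credential,publickey,cosetype[,options][:credential,...]; the key values are fake.
SAMPLE_MAPPINGS = "alice:AAAAfakeCredentialHandle,BBBBfakePublicKey,es256,+presence+verification\n"

# Constructed auth stacks. GOOD follows the post's ordering; BAD appends pam_u2f at the very end,
# which is what a naive `echo ... >> system-auth` would do.
GOOD_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_u2f.so authfile=/etc/u2f_mappings cue
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
"""
BAD_SYSTEM_AUTH = GOOD_SYSTEM_AUTH.replace(
    "auth        sufficient    pam_u2f.so authfile=/etc/u2f_mappings cue\n", ""
) + "auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue\n"
FINGERPRINT_AUTH = """\
auth required pam_env.so
#auth [success=done default=bad] pam_fprintd.so
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings
auth required pam_deny.so
"""

def mapping_entry_for(mappings_text: str, user: str) -> Optional[dict]:
    """Return the parsed u2f_mappings entry for `user`, or None if the user has no line."""
    for line in mappings_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name != user:
            continue
        creds = []
        for cred in rest.split(":"):          # a user may have several registered keys
            fields = cred.split(",")
            if len(fields) < 3:
                raise ValueError(f"malformed credential for {user}: {cred!r}")
            creds.append({"handle": fields[0], "pubkey": fields[1], "type": fields[2],
                          "options": fields[3] if len(fields) > 3 else ""})
        return {"user": name, "credentials": creds}
    return None

# type control module args; control may be a bracketed [success=... default=...] form.
PAM_LINE = re.compile(r"^\s*-?(?P<type>auth|account|password|session)\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

def auth_stack(pam_text: str) -> list:
    """Parse the active (uncommented) `auth` lines into (control, module, [args]) tuples."""
    stack = []
    for line in pam_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m and m.group("type") == "auth":
            stack.append((m.group("control"), m.group("module"), m.group("args").split()))
    return stack

def check_u2f_stack(pam_text: str, authfile: str = "/etc/u2f_mappings",
                    forbid_fprintd: bool = False) -> list:
    """Return a list of problems with pam_u2f's placement; an empty list means it looks right."""
    stack = auth_stack(pam_text)
    modules = [mod for _, mod, _ in stack]
    if "pam_u2f.so" not in modules:
        return ["pam_u2f.so is not in the auth stack"]
    idx = modules.index("pam_u2f.so")
    control, _, args = stack[idx]
    problems = []
    if control != "sufficient":
        problems.append(f"pam_u2f.so uses control {control!r}; 'sufficient' is what lets a touch "
                        "succeed on its own while still falling back to the password line")
    if f"authfile={authfile}" not in args:
        problems.append(f"pam_u2f.so does not read authfile={authfile}")
    for earlier in ("pam_fprintd.so", "pam_unix.so"):
        if earlier in modules and modules.index(earlier) < idx:
            problems.append(f"{earlier} runs before pam_u2f.so, so the key is not prompted first")
    if "pam_deny.so" in modules and modules.index("pam_deny.so") < idx:
        problems.append("pam_deny.so runs before pam_u2f.so, so the stack has already failed "
                        "by the time the key is checked")
    if forbid_fprintd and "pam_fprintd.so" in modules:
        problems.append("pam_fprintd.so is still active; comment it out so only key or password remain")
    return problems

if __name__ == "__main__":
    print(mapping_entry_for(SAMPLE_MAPPINGS, "alice"))
    for name, text in (("good", GOOD_SYSTEM_AUTH), ("bad", BAD_SYSTEM_AUTH)):
        print(name, check_u2f_stack(text) or "ok")
    print("fingerprint-auth", check_u2f_stack(FINGERPRINT_AUTH, forbid_fprintd=True) or "ok")
```

To run it against the real files, pass `open("/etc/u2f_mappings").read()` and `open("/etc/pam.d/system-auth").read()` (or fingerprint-auth with forbid_fprintd=True) in place of the samples; reading /etc/u2f_mappings may need root. The script only reads text, so it is safe to run before you close the spare sudo session you kept open while editing.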