teraflops

Request yubikey when using sudo

August 30, 2025

1) Packages

sudo pacman -S pam-u2f libfido2 yubikey-manager

2) Register YubiKey

sudo touch /etc/u2f_keys

Insert YubiKey and press the “button” when requested:

pamu2fcfg -u "$USER" | sudo tee -a /etc/u2f_keys

Repeat last step with second yubikey

3) Configuring PAM sudo

Edit /etc/pam.d/sudo. Youl'll see something like:

auth      include   system-auth
account   include   system-auth
session   include   system-auth

A) Require YubiKey and password (strong 2FA) add over auth include system-auth:

auth      required  pam_u2f.so authfile=/etc/u2f_keys cue

so it ends like this:

auth      required  pam_u2f.so authfile=/etc/u2f_keys cue
auth      include   system-auth

required: you must touch the key plus put the password. cue: shows the message “Touch your security key”.

B) YubiKey or password (if you touch the key, it doen't ask for a pass) change the line auth include system-auth for this snippet:

auth      sufficient pam_u2f.so authfile=/etc/u2f_keys cue
auth      include    system-auth

If the key is valid, sudo runs without asking for a password. If there is no key, it falls back to asking for your password as usual. Tip: if you want it to always ask you (and not “remember” the session), in sudoers you can set:

sudo visudo
Defaults timestamp_timeout=0

4) Testing

Open a new terminal instance and execute:

sudo -K     # deletes sudo “ticket”
sudo true   # it should prompt you to touch the YubiKey (and maybe the password, depending on your option).

August 30, 2025

change refresh rate from 120hz to 60hz in battery mode and revert back

udev rules

#/etc/udev/rules.d/90-hyprland-onbattery.rules
SUBSYSTEM=="power_supply", KERNEL=="ACAD", ACTION=="change", ATTR{online}=="0", RUN+="/bin/runuser -u teraflops /usr/local/bin/hypr-monitor-switch.sh disconnected"

#/etc/udev/rules.d/91-hyprland-onpower.rules
SUBSYSTEM=="power_supply", KERNEL=="ACAD", ACTION=="change", ATTR{online}=="1", RUN+="/bin/runuser -u teraflops /usr/local/bin/hypr-monitor-switch.sh connected"

#!/bin/bash
# /usr/local/bin/hypr-monitor-switch.sh
read -r signature < /tmp/hyprland_instance_signature
export HYPRLAND_INSTANCE_SIGNATURE="$signature"
export XDG_RUNTIME_DIR="/run/user/1000"
export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/1000/bus"
LOCKFILE="/tmp/hypr-monitor-switch.lock"

exec 200>$LOCKFILE
flock -n 200 || exit 1

if [[ "$1" == "disconnected" ]]; then
    hyprctl keyword monitor "eDP-1,2880x1800@60,0x0,1.5"
    echo "Set to 60Hz" >> /tmp/udev-hypr-monitor.log
elif [[ "$1" == "connected" ]]; then
    hyprctl keyword monitor "eDP-1,2880x1800@120,0x0,1.5,vrr,1,bitdepth,10"
    echo "Set to 120Hz" >> /tmp/udev-hypr-monitor.log
fi

you have to export the signature of the hyprland instance to the /tmp/hyprlandinstancesignature file.

# ~/.config/hypr/conf/autostart.conf
exec-once = echo $HYPRLAND_INSTANCE_SIGNATURE > /tmp/hyprland_instance_signature