Require a YubiKey when using sudo

1) Packages

sudo pacman -S pam-u2f libfido2 yubikey-manager

2) Register YubiKey

sudo touch /etc/u2f_keys

Insert the YubiKey and touch it when it blinks:

pamu2fcfg -u "$USER" | sudo tee -a /etc/u2f_keys

The file holds one line per user: the username, then each registered credential (key handle, public key, ...) separated by ":". A backup key therefore has to be added to the end of your existing line, not as a new line: with the second key inserted, run pamu2fcfg -n (which prints the credential without the username prefix) and append its output to your line. Simply repeating the command above with the second key produces a second line for the same user, which is not the documented format.

Two caveats. pamu2fcfg binds the registration to the origin/appid pam://<hostname> by default, and pam_u2f verifies against the same default, so if the hostname may change later, pass matching -o/-i at registration and origin=/appid= options in the PAM line. And /etc/u2f_keys contains only public data, but keep it root-owned and not writable by ordinary users: anyone who can edit it can register their own key.

3) Configuring PAM sudo

Before editing, open a second terminal and get a root shell with sudo -i; keep it open until step 4 passes, so a typo in the PAM file cannot lock you out of sudo. Then edit /etc/pam.d/sudo. You'll see something like:

auth      include   system-auth
account   include   system-auth
session   include   system-auth

A) Require YubiKey and password (strong 2FA): add the following line above auth include system-auth:

auth      required  pam_u2f.so authfile=/etc/u2f_keys cue

so it ends like this:

auth      required  pam_u2f.so authfile=/etc/u2f_keys cue
auth      include   system-auth

required: the key must be present and touched, and system-auth still asks for your password, so both factors are needed. Because the control is required rather than requisite, a missing key does not stop the stack early: you are still asked for the password and then denied. cue: prints a prompt telling you to touch the device before pam_u2f waits for the touch; without it the key only blinks.

B) YubiKey or password (if you touch the key, it doesn't ask for a password): replace the auth include system-auth line with this snippet:

auth      sufficient pam_u2f.so authfile=/etc/u2f_keys cue
auth      include    system-auth

If the key is valid, sudo runs without asking for a password. If there is no key, it falls back to asking for your password as usual. Note that this is convenience, not 2FA: whoever holds the key (or the password) gets root, so guard the key as you would the password.

Tip: if you want it to always ask you (and not "remember" the session for a few minutes), run

sudo visudo

and add:

Defaults timestamp_timeout=0

4) Testing

Open a new terminal (keep the one with your root shell open) and run:

sudo -K     # removes your cached sudo credentials
sudo true   # should prompt you to touch the YubiKey (and, with option A, for the password)

If it fails, fix /etc/pam.d/sudo from the shell that is still root, and do not close that shell until sudo works with the key.
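Steps 2 and 3 above as one added shell example. This is not code from the original guide or from the pam-u2f project. It assumes that pamu2fcfg -u USER prints "USER:KEYHANDLE,PUBKEY,COSETYPE,OPTIONS" and that pamu2fcfg -n prints the same credential without the username prefix; the user names and key values in the demo are made up, and /etc/u2f_keys is only touched when you pass that path yourself.

```bash
# Added example for this guide, not code from the original page or from the
# pam-u2f project. It keeps the authfile in the one-line-per-user format that
# pam_u2f reads, checks the file and the PAM stack before you rely on them,
# and wraps pamu2fcfg so a backup key lands on the same line.
#
# Assumptions (not taken from the page): `pamu2fcfg -u USER` prints
# "USER:KEYHANDLE,PUBKEY,COSETYPE,OPTIONS" and `pamu2fcfg -n` prints the
# credential without the "USER" prefix. Users and key values in the demo
# are made up.

# Merge one credential into AUTHFILE. If USER already has a line, ":CRED" is
# appended to it; otherwise a new "USER:CRED" line is added. Other users'
# lines are copied through unchanged.
u2f_add_credential() {
  local authfile=$1 user=$2 cred=$3 tmp
  cred=${cred#"$user:"}               # accept full `pamu2fcfg -u USER` output
  cred=${cred#:}                      # or `pamu2fcfg -n` output with a leading ':'
  [ -f "$authfile" ] || : > "$authfile"
  tmp=$(mktemp)
  awk -F: -v u="$user" -v c="$cred" '
    $1 == u { $0 = $0 ":" c; found = 1 }
    { print }
    END { if (!found) print u ":" c }
  ' "$authfile" > "$tmp"
  cat "$tmp" > "$authfile"            # rewrite in place to keep root:root 0644
  rm -f "$tmp"
}

# Number of credentials registered for USER (0 if the user has no line).
u2f_credential_count() {
  awk -F: -v u="$2" '$1 == u { n += NF - 1 } END { print n + 0 }' "$1"
}

# Reject the usual mistakes: the same user on two lines (what running
# `pamu2fcfg -u USER | tee -a` twice produces), a bare `pamu2fcfg -n`
# credential appended as its own line, a user line with no credential, and a
# credential with fewer than the two mandatory fields "KEYHANDLE,PUBKEY".
u2f_check_authfile() {
  local authfile=$1
  if [ -n "$(cut -d: -f1 "$authfile" | sort | uniq -d)" ]; then
    echo "$authfile: more than one line for the same user" >&2; return 1
  fi
  if grep -q '^:' "$authfile"; then
    echo "$authfile: credential line without a username" >&2; return 1
  fi
  awk -F: '{ if (NF < 2) bad = 1
             for (i = 2; i <= NF; i++) if (split($i, f, ",") < 2) bad = 1 }
           END { exit bad ? 1 : 0 }' "$authfile" ||
    { echo "$authfile: malformed credential" >&2; return 1; }
}

# Check a pam.d/sudo file: exactly one pam_u2f auth line, placed before
# "auth include system-auth" so the key is asked for first (for the
# "sufficient" variant this is what lets a touch skip the password), and an
# authfile= option, since this guide uses a central file.
u2f_check_pam_sudo() {
  awk '
    $1 == "auth" && $3 ~ /pam_u2f\.so/ { n++; u2f = NR; if ($0 !~ /authfile=/) bad = 1 }
    $1 == "auth" && $2 == "include" && $3 == "system-auth" { inc = NR }
    END { ok = (n == 1 && inc && u2f < inc && !bad); exit ok ? 0 : 1 }
  ' "$1"
}

# Interactive: insert the key and touch it when it blinks. Run once per key
# (as root for /etc/u2f_keys); every run extends the same user line.
u2f_register_key() {
  local cred
  cred=$(pamu2fcfg -n)                # -n: credential only, no username prefix
  u2f_add_credential "$1" "$2" "$cred"
}

# Offline demo with made-up credentials: first key in `pamu2fcfg -u` form,
# backup key in `pamu2fcfg -n` form, then a second user.
u2f_demo() {
  local f
  f=$(mktemp)
  u2f_add_credential "$f" alice "alice:KH1,PK1,es256,+presence"
  u2f_add_credential "$f" alice ":KH2,PK2,es256,+presence"
  u2f_add_credential "$f" bob   "KH3,PK3,es256,+presence"
  u2f_check_authfile "$f" && cat "$f"
  rm -f "$f"
}

case "${1-}" in demo) u2f_demo ;; esac
```

Source the file and, as root, run u2f_register_key /etc/u2f_keys "$USER" once per key; then run u2f_check_authfile /etc/u2f_keys and u2f_check_pam_sudo /etc/pam.d/sudo before you close the root shell from step 3. Running the script with the argument demo prints the resulting file format using the fake keys.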