YubiKey as 2FA for Qubes Login

User Support General
2

Continued guide below (apologies, as the original post was broken):

 7. Set password associated with the Yubikey (section 5 of the Qubes-OS.org guide)
    (a) NOTE: This is not in the guide on the medium.com website
    (b) Open a command shell in dom0
    (c) Type “sudo nano /etc/qubes/yk-keys/login-pass”
    (d) Enter your password in plain text into this file
    (e) Press CTRL+O then ENTER to write out the changes and CTRL+X to exit
 8. Enable YubiKey auth on the appropriate services
    (a) sudo nano /etc/pam.d/xscreensaver
    (b) Add the line “auth	include		yubikey” at the top of the file
    (c) Press CTRL+O then ENTER to write out the changes and CTRL+X to exit
    (d) sudo nano /etc/pam.d/lightdm
    (e) Add the line “auth	include		yubikey” at the top of the file
    (f) Press CTRL+O then ENTER to write out the changes and CTRL+X to exit
 9. Ensure the correct USB AppVM is being referenced 
    (a) This should be sys-usb unless you changed it to something else
    (b) In a dom0 terminal, type “sudo nano /etc/qubes/yk-keys/vm” and press enter
    (c) Ensure the VM referenced in that file is the one you are using for USB (aka sys-usb)
    (d) If it is not, change it and save the file (CTRL-O, ENTER) then exit (CTRL-X)

TESTING
1. Log Out
2. Plug your Yubikey into a USB slot
3. Enter the password you associated with your Yubikey (in the login-pass file) and press ENTER
4. The Yubikey should be flashing – press the button
5. You should be logged in

ENFORCING YUBIKEY LOGIN
1. Open a dom0 terminal
2. Edit the yubikey file in the pam.d directory
4. Remove the default=ignore from the file
5. Press CTRL+O then ENTER to write out the changes, and CTRL+X to exit
6. Log out of Qubes and try logging back in. You should not be able to do so without the YubiKey.
7. Reboot Qubes.
8. Verify you are able to log in with the YubiKey (I have as yet been unable to get this to function)

I apologize for not including paths and having to adjust the name of files, As the forum software would not allow me to post this thread as originally written, and displayed an error message that “new users may only add 2 URLs”.