Yubikey Authentication Not Enforced

I’ve successfully set up Yubikey authentication as described here: YubiKey | Qubes OS

I’ve followed the instructions to the T, including editing the /etc/pam.d/yubikey to read as follows:

auth [success=done] pam_exec.so expose_authtok quiet /usr/bin/yk-auth

I am using KDE so I also added the following to the top of /etc/pam.d/sddm, /etc/pam.d/kscreensaver, and /etc/pam.d/kde:

auth     include     yubikey

When the Yubikey device is plugged in, it will absolutely use it. When I test logging in without it plugged in, either from a fresh boot or as a session unlock, it will also absolutely not use it. In other words, it’s failing open not closed.

Is there something I could have missed in my set up? Thanks.

Welp. I didn’t follow the instructions to the T like I thought. I missed the following:

Paste your AESKEY into /etc/qubes/yk-keys/yk-secret-key.hex in dom0.

Of course, doing that, I bricked my laptop. I’m being dramatic. But I couldn’t log in and had to reinstall. I’ve tried multiple times and each time can’t log back in.

There is one small difference between the instructions and the lived experience and that is the sys-usb on my computer uses debian-11-dvm for its template. The following instructions just don’t produce results:

Install YubiKey software in the template on which your USB VM is based. Without this software the challenge-response mechanism is not working.

Yea. Can’t do that.

So the instructions are deficient. There are details that are missing or are assumed without being explicitly so.
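A preflight check for the three setup pieces named in the posts above (the /etc/pam.d/yubikey rule, the include line in the KDE service files, and the key file), meant to be run in dom0 before logging out. This is an added example, not part of any post or of the Qubes OS documentation; the function name yk_preflight and its optional root-directory argument are assumptions, and it only confirms the pieces are present, not that authentication will succeed.

```shell
#!/bin/sh
# Added example: checks only that the setup pieces named in the thread exist.
# Usage: yk_preflight [ROOT]
# ROOT is a hypothetical prefix so a copy of /etc can be checked; empty = live system.
yk_preflight() {
    root="${1:-}"
    pamd="$root/etc/pam.d"
    key="$root/etc/qubes/yk-keys/yk-secret-key.hex"
    rc=0

    # 1. /etc/pam.d/yubikey must carry the pam_exec rule that runs yk-auth.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+\[success=done\][[:space:]]+pam_exec\.so[[:space:]].*/usr/bin/yk-auth' \
            "$pamd/yubikey" 2>/dev/null; then
        echo "FAIL: $pamd/yubikey has no pam_exec rule for /usr/bin/yk-auth"
        rc=1
    fi

    # 2. In each KDE service file the first auth rule must be the include,
    #    since the post says it was added at the top of the file.
    for svc in sddm kscreensaver kde; do
        first=$(awk '$1 == "auth" || $1 == "-auth" { print $1, $2, $3; exit }' \
            "$pamd/$svc" 2>/dev/null) || first=""
        if [ "$first" != "auth include yubikey" ]; then
            echo "FAIL: first auth rule in $pamd/$svc is not 'auth include yubikey'"
            rc=1
        fi
    done

    # 3. The key file must exist, be non-empty and contain only hex digits.
    if [ ! -s "$key" ]; then
        echo "FAIL: $key is missing or empty"
        rc=1
    elif ! tr -d '[:space:]' < "$key" | grep -Eq '^[0-9A-Fa-f]+$'; then
        echo "FAIL: $key contains non-hex characters"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: all setup pieces named in the thread are present"
    return "$rc"
}
```

Keeping a root shell open on another virtual console while testing the first login leaves a way to revert the PAM files if the check passes but login still fails.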

Just some empathy, not real info. Years ago I had troubles with Yubikey. It helps if you provide the model and you are specific about what you are trying to do. I used the sys-usb and solved some of the problems but eventually I had to go with an independent HVM in an OS that had all the specific issues worked out. Again this was more complicated than u2f.


Thanks for the reply! I was starting to think I was screaming into the void. I purchased the following key: NIST Validated USB-A NFC YubiKey 5 FIPS Security Key | Yubico

I am simply trying to get 2-factor authentication enabled on my laptop so that I need to have a Yubikey present to sign in. My apologies if that wasn’t clear in my post. Just trying the basics here.

After I bricked my laptop, I tried following the directions over and over, trying different things like installing the Yubikey software in the DVM template (didn’t work as, I believe, designed). Or installing the Yubikey software in the debian-11 template hoping that the debian-11-dvm template would inherit it.

Not so much. I looked into this documentation: Disposable customization | Qubes OS and decided that was too much of a leap to try to take without guidance from someone who has done this successfully.

Hopefully some such person will see this post and respond! Thank you.

I had that intercepted before!