Yubikey multifactor login inconsistent behavior


I’m new to the community here. I recently applied this article to my system configuration.

YubiKey | Qubes OS

After completing the first half of the configuration and doing some testing, it appears that while they key is working for the services that i’ve enabled it for, not in the anticipated fashion.

  1. The HEX file for hashed passwords does not appear to work at all.
    I tried hashing a few different versions of a password and turned it on for login and su. Tried to login or su a couple of times and had no luck.

  2. I tried the plain text password for these same two services and was able to login.

  3. Upon further experimentation, I just typed an erroneous password hit enter and it prompted me for my key press, at which point I did and it let me in.

I’ve since tested this 3rd scenario further and it appears that the password really does not matter based on what is in the /etc/qubes/yk-keys/yk-login-pass file.

Am I missing something?

I’ve walked through the steps again to see if I’ve missed anything.

  1. Configure key with hash, button press, and slot
  2. Install ykpers on dom0
  3. Configure /etc/qubes/yk-keys/{key hash, password (and or hash)}
  4. Configure /etc/pam.d/{services…}
  5. /etc/qubes/yk-keys/{slot & host} files are default
  6. Test login {arbitrary vs valid password + enter + button press}

Another item that didn’t work as expected was I tried updating my /etc/pam.d/system-auth file and adding the “auth include yubikey” block to it direct thinking that it would inherit across all services that included system-auth, but it didn’t make a difference, I had to add them to the individual services.