On Wed, Jul 13, 2022 at 05:00:10PM +0200, Max Gautier wrote: Hi everyone.

I recently setup pam authenication using some Yubikeys and was wondering how to integrate to all pam-based applications (screenlocker, polkit, sudo, login, etc) without forcing its use for all user. The wiki describe how to setup yubikey or fprintd with sufficient, but not a general way.

After reading `man pam.d`, this is what I would go for:

in /etc/pam.d/system-auth:

#%PAM-1.0

auth required pam_faillock.so preauth # Optionally use requisite above if you do not want to prompt for the password # on locked accounts. auth [success=4 default=ignore] pam_fprintd.so cue # addition auth [success=3 default=ignore] pam_u2f.so # addition -auth [success=2 default=ignore] pam_systemd_home.so auth [success=1 default=bad] pam_unix.so try_first_pass nullok auth [default=die] pam_faillock.so authfail auth optional pam_permit.so auth required pam_env.so auth required pam_faillock.so authsucc # If you drop the above call to pam_faillock.so the lock will be done also # on non-consecutive authentication failures.

... (skipped rest of the file)

If I understand correctly, the success=n make PAM skip the n following modules, so this would allow a user not having any enrolled fingerprint or configured yubikeys to authenticate normally with their password. And user with those will be able to use them to authenticate.

Is this the correct approach ?

Thanks !