I always like how on my Framework 13 laptop I can just touch my fingerprint module instead of putting in my root password whenever I need to run a sudo command. So I wondered if on my desktop I could achieve the same result using my YubiKey 5C. After a quick search I found this post from someone who did exactly that. So here are the steps I did:

  • install the pam_u2f module, which on Fedora looks like this:
        dnf install pam-u2f pamu2fcfg
  • generate a key for my user:
        mkdir ~/.config/Yubico
        pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
  • edit /etc/pam.d/sudo and add the following line:
        auth    sufficient    pam_u2f.so cue origin=pam://hostname appid=pam://hostname

And that’s it! Now, whenever I run a sudo command, if the YubiKey is plugged in, I get a prompt to touch it and the command is executed.
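
A quick sanity check for the line added to /etc/pam.d/sudo, as an added example that is not part of the original post or of pam_u2f itself. The function name check_sudo_u2f and the sample files are constructed for illustration, and it assumes the pam_u2f line is meant to be the first auth line so the touch is tried before the password.

```shell
#!/bin/sh
# Usage: check_sudo_u2f <pam-file> <origin>   (returns 0 = ok, 1 = problem found)
# <origin> is the value passed to pamu2fcfg with -o and -i at registration.
check_sudo_u2f() {
    file=$1 want=$2
    # First active auth line and the pam_u2f auth line, prefixed with line numbers.
    first_auth=$(grep -nE '^[[:space:]]*auth[[:space:]]' "$file" | head -n 1)
    u2f=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_u2f\.so' "$file" | head -n 1)
    if [ -z "$u2f" ]; then
        echo "FAIL: no auth line for pam_u2f.so in $file"
        return 1
    fi
    rc=0
    # PAM walks auth lines top to bottom; assumption: pam_u2f should be first.
    if [ "${u2f%%:*}" != "${first_auth%%:*}" ]; then
        echo "FAIL: pam_u2f.so is not the first auth line"
        rc=1
    fi
    # origin= and appid= must equal the values the key was registered with.
    for opt in origin appid; do
        val=$(printf '%s\n' "$u2f" | tr ' \t' '\n\n' | sed -n "s/^$opt=//p" | head -n 1)
        if [ "$val" != "$want" ]; then
            echo "FAIL: $opt='$val' does not match registered '$want'"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $file"; fi
    return "$rc"
}

# Constructed sample files (not copied from a real system).
tmp=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth    sufficient    pam_u2f.so cue origin=pam://hostname appid=pam://hostname' \
    'auth    include       system-auth' > "$tmp/good"
printf '%s\n' '#%PAM-1.0' \
    'auth    include       system-auth' \
    'auth    sufficient    pam_u2f.so cue origin=pam://hostname appid=pam://other' > "$tmp/bad"

check_sudo_u2f "$tmp/good" pam://hostname
check_sudo_u2f "$tmp/bad" pam://hostname || true
```

On a real machine, run it against a copy of /etc/pam.d/sudo while a root shell is still open, so a mistake in the PAM file can be reverted.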