From 0b8c0c99784173219fa03ba85abd1f45867ac11c Mon Sep 17 00:00:00 2001
From: Jeff Moe <moe@forksand.com>
Date: Tue, 7 May 2019 10:37:20 -0600
Subject: [PATCH] yubikey setup

---
 source/resources/apps/yubikey/README.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/source/resources/apps/yubikey/README.md b/source/resources/apps/yubikey/README.md
index 382b898..b6c9257 100644
--- a/source/resources/apps/yubikey/README.md
+++ b/source/resources/apps/yubikey/README.md
@@ -2,7 +2,7 @@ sudo yubikey-personalization-gui
 Use:
 - HMAC-SHA1
 - Configuration slot 1
-- Require user input (button press)
+- Require user input (button press, optional)
 - Yubikey unprotected (keep it that way)
 - Click <Generate>
 Set it to use challenge response (no password):
@@ -12,5 +12,15 @@ mkdir ~/.yubico
 ykpamcfg -1 -v
 mv .yubico/ /home/forksand/
 chown -R forksand:forksand /home/forksand/.yubico/
+
+# Install:
+apt install libpam-yubico
+
 vim /etc/pam.d/common-auth
+# Set pam config to just have these lines:
+auth    required        pam_yubico.so mode=challenge-response
+auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
+auth    requisite                       pam_deny.so
+auth    required                        pam_permit.so
+auth    optional                        pam_cap.so