sudo yubikey-personalization-gui
Use:
- HMAC-SHA1
- Configuration slot 1
- Require user input (button press, optional)
- Yubikey unprotected (keep it that way)
- Click <Generate>
Set it to use challenge response (no password):
sudo su -
#ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
mkdir ~/.yubico
ykpamcfg -1 -v
mv .yubico/ /home/forksand/
chown -R forksand:forksand /home/forksand/.yubico/

# Install:
apt install libpam-yubico

vim /etc/pam.d/common-auth
# Set pam config to just have these lines:
auth    required        pam_yubico.so mode=challenge-response
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so