sudo yubikey-personalization-gui Use: - HMAC-SHA1 - Configuration slot 1 - Require user input (button press, optional) - Yubikey unprotected (keep it that way) - Click Set it to use challenge response (no password): sudo su - #ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible mkdir ~/.yubico ykpamcfg -1 -v mv .yubico/ /home/forksand/ chown -R forksand:forksand /home/forksand/.yubico/ # Install: apt install libpam-yubico vim /etc/pam.d/common-auth # Set pam config to just have these lines: auth required pam_yubico.so mode=challenge-response auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_cap.so