forksand-it-manual/source/resources/apps/yubikey

sudo yubikey-personalization-gui Use:

• HMAC-SHA1
• Configuration slot 1
• Require user input (button press, optional)
• Yubikey unprotected (keep it that way)
• Click Set it to use challenge response (no password): sudo su - #ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible mkdir ~/.yubico ykpamcfg -1 -v mv .yubico/ /home/forksand/ chown -R forksand:forksand /home/forksand/.yubico/

Install:

apt install libpam-yubico

vim /etc/pam.d/common-auth

Set pam config to just have these lines:

auth required pam_yubico.so mode=challenge-response auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_cap.so