I’ve obtained a YubiKey 5, and I’ve successfully configured it to log in to my Debian GNU/Linux 13 trixie, following this guide:
https://support.yubico.com/s/article/Ubuntu-Linux-login-guide-U2F
(Note that I successfully set up the YubiKey as a second factor, and I’ve also successfully set it up as sufficient for login, which is quite useful when I’m in front of an audience and I cannot type a password in a secure way.)
In short, since my login manager in KDE is sddm, I’ve successfully configured sddm to log in password-less when I touch the YubiKey 5 capacitive sensor. Here’s how:
I’ve edited /etc/pam.d/sddm, adding a sufficient pam_u2f line before common-auth:
auth sufficient pam_u2f.so nouserok cue [cue_prompt=Tap the Yubikey]
@include common-auth
It works! I tap the YubiKey 5 and I log in.
BUT.
When I lock and unlock the screen, the YubiKey does not work at all.
How can I unlock the screen with the YubiKey 5? Is there anything missing in my sddm configuration?
---
Things I tried:
I’ve activated the PAM debug mode and it seems the PAM module for sddm is not even called when I try to unlock the screen. I’m having trouble discovering the difference between logging in and unlocking the screen. The solution does not seem to be mentioned in these documents at the time of writing.
https://www.yubico.com/products/yubikey-5-overview/
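Each PAM service has its own file under /etc/pam.d, so the line added to sddm only applies to programs that open the sddm service. The script below is an added example, not part of the original post: it lists, for every service file in a directory, the pam_u2f auth rules it contains and whether they come before `@include common-auth`. The sample files are constructed, and `other-service` is a hypothetical service name.

```python
import re
import tempfile
from pathlib import Path

# One PAM rule: type, control (plain word or [bracketed]), module path, arguments.
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def u2f_report(pam_dir):
    """Map each service file in pam_dir to its pam_u2f auth rules.

    Each value is a list of (control, args, before_common_auth) tuples;
    an empty list means the service never calls pam_u2f directly.
    """
    report = {}
    for path in sorted(Path(pam_dir).iterdir()):
        if not path.is_file():
            continue
        rules, seen_include = [], False
        for raw in path.read_text(errors="replace").splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments
            if not line:
                continue
            if line.startswith("@include"):
                if line.split()[1:2] == ["common-auth"]:
                    seen_include = True
                continue
            m = RULE.match(line)
            if m and m.group(1).lstrip("-") == "auth" and "pam_u2f" in m.group(3):
                rules.append((m.group(2), m.group(4), not seen_include))
        report[path.name] = rules
    return report

def demo():
    # Constructed sample: "sddm" mirrors the post; "other-service" is a
    # hypothetical second service that only includes common-auth.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sddm").write_text(
            "auth sufficient pam_u2f.so nouserok cue [cue_prompt=Tap the Yubikey]\n"
            "@include common-auth\n")
        Path(d, "other-service").write_text("# no U2F here\n@include common-auth\n")
        return u2f_report(d)

if __name__ == "__main__":
    for service, rules in demo().items():
        print(service, rules or "no pam_u2f rule")
```

Calling `u2f_report("/etc/pam.d")` on the real system shows which services would ever reach pam_u2f.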