How to enable YubiKey login to gnome?

So far, I have these lines in configuration.nix

security.pam.yubico.enable = true ; = true ;
security.pam.yubico.control = “sufficient” ;
services.pcscd.enable = true;

And I have added the following packages:

I don’t know if all the packages that I installed are necessary.

I need the proper procedures to add the required packages and define everything properly to enable Yubikey login to gnome. Somebody please help ?


This is helpful:

But you really only need this option, in addition to creating the “Yubico/u2f_keys” file at the right location.

option docs: security.pam.u2f.enable

This is how I use it:

(Note, this lets me login to cosmic-greeter, unlock cosmic-greeter, unlock swaylock, etc, etc)


I am following the wiki to create the u2f_keys file. :

  1. Connect your Yubikey

  2. Create an authorization mapping file for your user. The authorization mapping file is like ~/.ssh/known_hosts but for Yubikeys.

  3. nix-shell -p pam_u2f

  4. mkdir -p ~/.config/Yubico

  5. pamu2fcfg > ~/.config/Yubico/u2f_keys

  6. add another yubikey (optional): pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

But upon running pamu2cfg it is asking me for a PIN !
Enter PIN for /dev/hidraw3:
I keyed in my FIDO2 PIN and that is not correct.
Google Gemini AI says it is then probably the PIV pin. But I have only setup a Google Advanced Protection PIN, which is a FIDO2 pin. So I used Yubikey Manager to reset the PIV. And then supplied that new PIV pin and PUV pin and both didn’t work.

Did you encounter this ? Or did you use a different method to generate this u2f_keys file ?


OK Everyone,

Here is the final configuration needed:

services.pcscd.enable = true;
security.pam.yubico = {
enable = true;

debug = true;

control = “required” ;
mode = “challenge-response”;

challenge response need to write configuration to yubikey with yubikey personalization tool, installed below

then a "challenge* file is written to ~/.yubico with the command “ykpamcfg -2 -v”

id generated by : nix-shell --command ‘ykinfo -s’ -p yubikey-personalization

id = [ “12345678” ];

environment.systemPackages = with pkgs; [



I think the module pam_u2f may not be required,

I followed Yubikey - NixOS Wiki, and used the “yubico-pam” section.
The 2nd step “ykman otp chalresp --touch --generate 2” did not work for me, so I used the Yubikey Personalization Tool to put the configuration into slot 2 of my Yubikey.

Good Luck.

I’m not sure. I can say for certain yubico doesn’t appear in the Nix plaintext, anywhere in my system configurations. (Though Yubico does for the filepath for the u2f keys).

╭ zeph  ~  356ms
╰🡒  ykman info
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection
Device type: YubiKey 5 NFC
Serial number: [redact]
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO, CCID
NFC transport is enabled

Applications	USB     	NFC
Yubico OTP  	Disabled	Enabled
FIDO U2F    	Enabled 	Enabled
FIDO2       	Enabled 	Enabled
OATH        	Disabled	Enabled
PIV         	Enabled 	Enabled
OpenPGP     	Enabled 	Enabled
YubiHSM Auth	Disabled	Enabled

(Note how my OTP part of my yubikey is disabled)

Maybe you have the FIDO U2F applet disabled?

Otherwise, I’m not sure :confused:

I just tested this again though:

❯ pamu2fcfg
Enter PIN for /dev/hidraw10:

I typed my FIDO2 pin and then had to tap the device to finalize. I don’t have PIV configured at all on these yubikeys.

This is a different string than the one I already had for this yubikey, but the existing one still works too (just confirmed by locking Cosmic and tapping my yubikey to unlock it). And a good exercise to do, I actually needed to enroll my USB-C for PAM.

Ah-ha… I didn’t know to tap the Yubikey, I typed in the FIDO2 pin . pressed Enter, and thought it hung!


1 Like