And I have added the following packages:
yubioath-flutter
yubikey-manager-qt
yubikey-touch-detector
yubikey-personalization-gui
yubikey-manager
pam_u2f
yubikey-personalization
libu2f-host
I don’t know if all the packages that I installed are necessary.
I need the proper procedures to add the required packages and define everything properly to enable Yubikey login to GNOME. Somebody please help?
I am following the wiki to create the u2f_keys file:
Connect your Yubikey
Create an authorization mapping file for your user. The authorization mapping file is like ~/.ssh/known_hosts but for Yubikeys.
nix-shell -p pam_u2f
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
add another yubikey (optional): pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
But upon running pamu2fcfg it is asking me for a PIN!
Enter PIN for /dev/hidraw3:
I keyed in my FIDO2 PIN and that is not correct.
Google Gemini AI says it is then probably the PIV PIN. But I have only set up a Google Advanced Protection PIN, which is a FIDO2 PIN. So I used Yubikey Manager to reset the PIV. And then supplied that new PIV PIN and PUK and both didn’t work.
Did you encounter this? Or did you use a different method to generate this u2f_keys file?
I think the module pam_u2f may not be required.
I followed Yubikey - NixOS Wiki, and used the “yubico-pam” section.
The 2nd step “ykman otp chalresp --touch --generate 2” did not work for me, so I used the Yubikey Personalization Tool to put the configuration into slot 2 of my Yubikey.
I’m not sure. I can say for certain yubico doesn’t appear in the Nix plaintext, anywhere in my system configurations. (Though Yubico does for the filepath for the u2f keys).
╭ zeph ~ 356ms
╰🡒 ykman info
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection
Device type: YubiKey 5 NFC
Serial number: [redact]
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO, CCID
NFC transport is enabled
Applications USB NFC
Yubico OTP Disabled Enabled
FIDO U2F Enabled Enabled
FIDO2 Enabled Enabled
OATH Disabled Enabled
PIV Enabled Enabled
OpenPGP Enabled Enabled
YubiHSM Auth Disabled Enabled
(Note how my OTP part of my yubikey is disabled)
Maybe you have the FIDO U2F applet disabled?
Otherwise, I’m not sure
I just tested this again though:
❯ pamu2fcfg
Enter PIN for /dev/hidraw10:
cole:c2OtN[redact]XsaPA==,es256,+presence%
I typed my FIDO2 pin and then had to tap the device to finalize. I don’t have PIV configured at all on these yubikeys.
This is a different string than the one I already had for this yubikey, but the existing one still works too (just confirmed by locking Cosmic and tapping my yubikey to unlock it). And a good exercise to do, I actually needed to enroll my USB-C for PAM.
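For anyone checking what ended up in ~/.config/Yubico/u2f_keys after running pamu2fcfg and pamu2fcfg -n as above, here is an added example (not from the thread, the wiki or the pam_u2f project) that parses the mapping file and lists the credentials enrolled per user. It assumes the layout used by current pam_u2f versions, `user:keyhandle,pubkey,cose_type,options` with further credentials for the same user appended after another `:`; the sample data and the function name are constructed for illustration.

```python
import re

# Constructed sample: fake base64 strings, not real credentials.
# alice has two enrolled keys on one line; bob's entry is truncated.
SAMPLE = (
    "alice:a2V5aGFuZGxlLTE=,cHVia2V5LTE=,es256,+presence"
    ":a2V5aGFuZGxlLTI=,cHVia2V5LTI=,es256,+presence+pin\n"
    "bob:bm90LWNvbXBsZXRl,es256\n"
)

# Accept standard and URL-safe base64 alphabets (assumption: either may appear).
_B64 = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")


def parse_u2f_keys(text):
    """Return ({user: [credential dict, ...]}, [problem strings])."""
    users, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, *creds = line.split(":")
        if not user or not creds:
            problems.append(f"line {n}: missing user name or credentials")
            continue
        if user in users:
            problems.append(f"line {n}: second line for {user}")
        for i, cred in enumerate(creds, 1):
            fields = cred.split(",")
            ok = len(fields) == 4 and all(_B64.fullmatch(f) for f in fields[:2])
            if not ok:
                problems.append(f"line {n}: credential {i} for {user} is malformed")
                continue
            handle, _pubkey, cose, opts = fields
            users.setdefault(user, []).append({
                "handle": handle,
                "cose": cose,
                # "+presence+pin" -> ["presence", "pin"]
                "options": [o for o in opts.split("+") if o],
            })
    return users, problems


if __name__ == "__main__":
    enrolled, issues = parse_u2f_keys(SAMPLE)
    for name, creds in enrolled.items():
        print(name, len(creds), [c["options"] for c in creds])
    for issue in issues:
        print("PROBLEM:", issue)
```

Because pamu2fcfg -n output is appended to the same line, a user with two enrolled keys shows up as one line with two credentials, which is what the parser reports.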