Login to sddm with yubikey doesn't unlock kde wallet

I am running NixOS inside a VM on Arch Linux to create a basic configuration. I have written a PAM Nix module to log in on SDDM with my password and a YubiKey, and I expect it to unlock my KDE Wallet as it does on my existing Arch installation. To replicate my current PAM configuration I figured there is an option to make the YubiKey required on login, named security.pam.u2f.control; however, it doesn't apply on NixOS (it is not supported), as it defaults to sufficient, which is kind of useless in terms of security, for it makes it possible to bypass the YubiKey on login. Here's my PAM configuration:

{ config, pkgs, ... }:
{
    security.pam = {
        # pam_u2f settings shared by every service that sets u2fAuth = true
        u2f = {
            settings = {
                authfile = "/etc/nixos/Yubico/u2f_keys";
                cue = true;  # prompt the user to touch the key
            };
        };
        services = {
            login = {
                unixAuth = true;
                u2fAuth = true;
                enableKwallet = true;  # hand the login password to kwallet-pam
            };
            sudo = {
                u2fAuth = true;
                unixAuth = false;
            };
            sddm = {
                unixAuth = true;
                u2fAuth = true;
                enableKwallet = true;
            };
            sddm-autologin = {
                u2fAuth = true;
            };
        };
    };
}

When I use my password in combination with my YubiKey, the KDE Wallet is not automatically unlocked at SDDM login, but it is when I only use my password. My question is: is there a way to unlock my KDE Wallet at login using my password + YubiKey and make the YubiKey required at login in NixOS?

Update:
It turns out that required is a valid option, and by adding it to my configuration it now successfully opens my KDE Wallet at login. Keep in mind that you have to set unixAuth to true in the sudo PAM service or you will be locked out of sudo. Here are my new settings:

{ config, pkgs, ... }:
{
    security.pam = {
        u2f = {
            # applies to every service with u2fAuth = true; the key can no longer be skipped
            control = "required";
            settings = {
                authfile = "/etc/nixos/Yubico/u2f_keys";
                cue = true;
            };
        };
        services = {
            login = {
                unixAuth = true;
                u2fAuth = true;
                enableKwallet = true;
            };
            sudo = {
                u2fAuth = true;
                unixAuth = true;  # must stay true with control = "required", or sudo locks you out
            };
            sddm = {
                unixAuth = true;
                u2fAuth = true;
                enableKwallet = true;
            };
            sddm-autologin = {
                u2fAuth = true;
            };
        };
    };
}

There is one caveat: you can't manually set a security.pam.u2f.control value for sudo or any other PAM file. What I want to achieve is that sudo can be executed with just a press on the blinking YubiKey, and that's not possible without overriding the sudo PAM file, as far as I know. Though if there is a better way to get this done in NixOS, please let me know. Thanks in advance.
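The override the post above says is needed, written out as an added example (this is not the poster's configuration or code from the NixOS module): the global control stays required for login and SDDM, while the sudo service gets a hand-written stack through security.pam.services.sudo.text, which replaces the stack NixOS would otherwise generate for that service. It assumes the same authfile path as the post and that pam_u2f is available as pkgs.pam_u2f; before applying it, read the current /etc/pam.d/sudo, because anything NixOS adds there that is not listed below is dropped. Newer releases also expose per-rule options under security.pam.services.<name>.rules, which avoid replacing the whole file; check your release.

```nix
{ config, pkgs, lib, ... }:
{
  security.pam.u2f = {
    control = "required";  # every other u2fAuth service still demands the key
    settings = {
      authfile = "/etc/nixos/Yubico/u2f_keys";  # assumed: same path as in the post
      cue = true;
    };
  };

  # Hand-written stack for sudo only. Setting `text` replaces the stack NixOS
  # generates for this service, so every module sudo needs must be listed here.
  security.pam.services.sudo.text = ''
    # A touch on an enrolled key is enough: `sufficient` ends the auth stack on
    # success, so whoever holds the key can run sudo without a password.
    auth     sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so authfile=/etc/nixos/Yubico/u2f_keys cue
    # Fallback when the key is absent or fails: the normal Unix password.
    # Remove this line to make the key the only accepted factor for sudo.
    auth     required   pam_unix.so
    account  required   pam_unix.so
    session  required   pam_unix.so
  '';
}
```

Because pam_u2f is sufficient here and the key is the only factor, a stolen key is enough for root on this machine; the password fallback line is for convenience when the key is unplugged, not a second factor.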

This is an easy fix, and I'll get to it in the next week or two.


Is there any update yet on the possibility to only use u2fAuth for sudo?