Use yubikey authentication on multiple hosts

To use my yubikey for login and sudo on multiple hosts, do I need to run the commands here on every host? I’m trying to get login and sudo working on an ISO, and I’ve followed the instructions for my current host, but not the ISO. All the relevant NixOS options seem to be set correctly.

Could you link to the official wiki, adding an anchor to the commands you’re running? Or simply repeating the commands you’re running verbatim here?

The unofficial wiki seems to do something weird with cloudflare that results in your anchor being deleted and replaced with what is presumably an anti-bot query token (so I have no idea which commands you’re referring to).

That wiki is also pretty prone to geoblocks and such, so it causes issues for international readers, and archiving efforts are probably thwarted by it too. I really recommend using the official wiki whenever possible. At the very least linking to the official wiki would be appreciated to help solve the SEO issues. If manually checking the links is too much, consider blocking the unofficial one in your search engine or using a redirect add-on for your browser.

Got it! Link’s been updated. Got confused which one was the official wiki, and didn’t realize the unofficial one had so many problems!

Otherwise, yeah, the pam commands are the ones I used.

Gotcha. In that case:

No, though avoiding that takes a little bit of work.

Assuming you want to do this with pure NixOS, the central authorization mapping approach is probably the most appropriate. You’ll have to get the public keys as detailed in those docs, and then set the user mapping like this:

{ pkgs, ... }: {
  security.pam.u2f.authFile = pkgs.writeText "u2f-mappings" ''
    <username1>:<KeyHandle1>,<UserKey1>,<CoseType1>,<Options1>:<KeyHandle2>,<UserKey2>,<CoseType2>,<Options2>:...
  '';
}

Those are definitely public keys, so you shouldn’t need to keep them confidential. Hopefully the permissions aren’t an issue, either.

Once you’ve done that you can just copy this config to every host where you want to use your yubikey for auth. The key should be static.

Hmm… Currently, I’m adding the file with the public keys to the git repo then linking the file with home-manager to all my users. Does that not work? If not, how can I set the auth file for all my users?

EDIT: Ah, no, wait; understood what you meant. I’ll try it out and report back.

Well, it works on my computer™, but not on the ISO built on my configuration. I’ve disabled the module that sets the security protocols for ISOs, but I still have to use my password to get superuser access instead of my Yubikey. Anything else I have to set up?

That’s quite a different beast. It’ll depend on how you’ve set up your ISO, which is by no means standardized.

What “security protocol” module are you even referring to? If you disabled PAM it’s not much of a surprise that PAM isn’t able to authenticate you.

That would make sense. Basically I’ve disabled ${modulesPath}/profiles/installation-device, which sets a few security options, but I’ve manually imported all its imported modules, such as ${modulesPath}/installer/cd-dvd/channel.nix, etc. I’m assuming there are some PAM options set in them using mkImageOverride that I need to unset?

Also, PAM seems to be enabled on the ISO.