http://bugzilla.opensuse.org/show_bug.cgi?id=1114258
http://bugzilla.opensuse.org/show_bug.cgi?id=1114258#c3
--- Comment #3 from Björn Voigt
I have a question though: Why do you need to modify the file in the first place? It includes the "common" config (common-auth, common-account, common-password, common-session), wouldn't it work to just change those instead?
We use Yubikey keys to secure laptops, desktops, network services like VPNs with a second factor additional to the username/password authentication. A Yubikey is a multi-function device (OTP generator, smart card device, U2F device etc.) with some open source libraries and tools, e.g. pam_yubico, pam_u2f, yubioath-desktop etc. Not all Yubico PAM modules are compatible with all PAM services. We use pam_yubico in OTP mode on always connected computers for desktop login and in challenge-response mode for devices like laptops for desktop login.

Authentication in OTP mode works like this, e.g. in Kscreenlocker:

* screen is locked
* user types in his password (and does not type Enter)
* user taps on the Yubikey button (the device generates a 44 character long random sequence - it is not really random, it is based on a builtin secret - and types Enter)
* PAM module pam_yubico strips the last 44 characters from the password and sends them to a Yubico authentication server in the cloud
* if the response is "ALLOW", then the normal pam_unix library (or any other PAM library) checks the password (the entered password without the last 44 characters)
* if the password is OK, the user has unlocked the display

It works the same way with "login", "sddm" and optionally with some other PAM services. (SDDM has a bug with nearly expired passwords - see https://bugzilla.opensuse.org/show_bug.cgi?id=969813. And it is not nice that Kscreenlocker does not use the PAM configuration of SDDM or any other display manager.)

Unfortunately some (PAM) services are not compatible with OTP. The best example is an IMAP server. If the mail client queries the IMAP server every 5 minutes, the user cannot be forced to tap the Yubikey key every 5 minutes. So IMAP and many other services have to be secured in a different way, this means with a different PAM configuration.

See "man pam_yubico" or https://github.com/Yubico/yubico-pam
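The stack flow described in the comment above (OTP appended to the password, pam_yubico peels off the last 44 characters, pam_unix checks what is left), written out as an added simulation that is not part of the bug report and not code from yubico-pam. It assumes the documented Yubico OTP shape (44 modhex characters, the first 12 being the key's public ID) and replaces the cloud validation server and pam_unix with constructed stand-ins; the `require_otp` switch models the point that a service such as IMAP needs a separate PAM configuration without pam_yubico in it.

```python
import hmac

MODHEX_ALPHABET = frozenset("cbdefghijklnrtuv")
OTP_LEN = 44        # a Yubico OTP is always 44 modhex characters
PUBLIC_ID_LEN = 12  # leading 12 characters name the key; the rest is the encrypted token

# Constructed sample data: stand-ins for pam_unix's password database and for
# the user -> key-public-ID mapping pam_yubico reads from its authfile.
USER_PASSWORDS = {"alice": "hunter2"}
USER_KEYS = {"alice": {"cccccccccccc"}}


def split_password_and_otp(typed):
    """The split the comment describes: last 44 characters are the OTP, the rest
    is the password handed to the next module. Returns None when the tail cannot
    be a Yubico OTP (input too short, or characters outside the modhex alphabet)."""
    if len(typed) < OTP_LEN:
        return None
    otp = typed[-OTP_LEN:]
    if not set(otp) <= MODHEX_ALPHABET:
        return None
    return typed[:-OTP_LEN], otp


class FakeValidationServer:
    """Stand-in for the cloud validation service (constructed, not the real API).
    It checks only that the OTP is well-formed and has not been presented before;
    a real server derives the replay check from the key's internal counters."""

    def __init__(self):
        self.seen = set()

    def verify(self, otp):
        if len(otp) != OTP_LEN or not set(otp) <= MODHEX_ALPHABET:
            return "BAD_OTP"
        if otp in self.seen:
            return "REPLAYED_OTP"
        self.seen.add(otp)  # an OTP is single-use whatever the later modules decide
        return "OK"


def pam_yubico(server, user, typed):
    """Simulated pam_yubico in OTP mode. Returns (verdict, password_for_next_module)."""
    parts = split_password_and_otp(typed)
    if parts is None:
        return "DENY", None
    password, otp = parts
    # The OTP must come from a key enrolled for this user, not just any valid key.
    if otp[:PUBLIC_ID_LEN] not in USER_KEYS.get(user, set()):
        return "DENY", None
    if server.verify(otp) != "OK":
        return "DENY", None
    return "ALLOW", password


def pam_unix(user, password):
    """Simulated pam_unix: constant-time comparison against the stored password."""
    stored = USER_PASSWORDS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(server, user, typed, require_otp=True):
    """One PAM stack. With require_otp=True this is the desktop-login stack
    (pam_yubico then pam_unix); with require_otp=False it is the IMAP-style
    stack that only runs pam_unix on the typed secret."""
    if require_otp:
        verdict, password = pam_yubico(server, user, typed)
        if verdict != "ALLOW":
            return "DENY"
    else:
        password = typed
    return "ALLOW" if pam_unix(user, password) else "DENY"


if __name__ == "__main__":
    srv = FakeValidationServer()
    otp = "cccccccccccc" + "bdefghijklnrtuvcbdefghijklnrtuvc"  # constructed, 44 modhex chars
    print(authenticate(srv, "alice", "hunter2" + otp))         # ALLOW
    print(authenticate(srv, "alice", "hunter2" + otp))         # DENY (replayed OTP)
    print(authenticate(srv, "alice", "hunter2", require_otp=False))  # ALLOW (IMAP-style stack)
```

Two details worth noticing: the OTP is consumed by the validation step even when pam_unix then rejects the password, so a second attempt needs a fresh tap, and the second stack accepts the bare password only because it never invokes the OTP module, which is exactly why the IMAP service has to carry its own PAM configuration rather than share the desktop one.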