by deehouie 1946 days ago
I just bought two yubikeys; a month later, I returned both. Here is a (major) problem. On an Ubuntu box, I installed `libpam-u2f` and set it up for one user account. Turns out it breaks all other user accounts on this Ubuntu box, meaning no other user could log in without the key. I contacted their support. No solution.
3 comments

PAM is pretty flexible. Can't you just edit the configuration to only include the pam_u2f.so module for a certain user, or for users in a certain group? Or add the nouserok option[1] to allow authentication to proceed in the absence of a registered U2F device?

The former approach would look something like this; the "default=1" part skips the next directive (pam_u2f.so) when the test fails (i.e. when the user is not in the mandatory_u2f group):

  auth [success=ignore default=1] pam_succeed_if.so user ingroup mandatory_u2f
  auth required pam_u2f.so cue

[1] https://developers.yubico.com/pam-u2f/ "nouserok … Set to enable authentication attempts to succeed even if the user trying to authenticate is not found inside authfile or if authfile is missing/malformed."
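As an added illustration, not code from the comment above and not part of pam-u2f or Ubuntu, here is a small Python simulator of PAM's stack control flow. It parses three constructed `auth` fragments (the unconditional `required pam_u2f.so` stack that locks out every un-enrolled user, the group-gated stack from the comment, and a `nouserok` variant) and walks them with the `required`/`requisite`/`sufficient` rules plus the bracketed `[success=ignore default=1]` jump. The accounts alice and bob, the group name mandatory_u2f, and the simplification that an enrolled user always touches the key are assumptions made for this example.

```python
"""Tiny PAM control-flow simulator (constructed example, not Ubuntu's or
Yubico's code) for three auth stacks: one that requires pam_u2f.so for
everyone (the lock-out from the thread), the group-gated stack from the
comment above, and a stack that relies on the nouserok option."""

# Constructed /etc/pam.d-style fragments. Only the options used here
# ('cue', 'nouserok', the 'user ingroup' test) are modelled.
LOCKOUT_STACK = """
auth required pam_u2f.so cue
auth required pam_unix.so
"""

GROUP_GATED_STACK = """
auth [success=ignore default=1] pam_succeed_if.so user ingroup mandatory_u2f
auth required pam_u2f.so cue
auth required pam_unix.so
"""

NOUSEROK_STACK = """
auth required pam_u2f.so cue nouserok
auth required pam_unix.so
"""


def parse_stack(text):
    """Return a list of (control, module, args). control is a plain keyword
    such as 'required', or a dict for the bracketed [key=value ...] form."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        _facility, rest = tokens[0], tokens[1:]
        if rest[0].startswith("["):
            # Gather tokens up to the closing bracket, then split key=value pairs.
            end = next(i for i, t in enumerate(rest) if t.endswith("]"))
            inner = " ".join(rest[: end + 1]).strip("[]")
            control = dict(kv.split("=", 1) for kv in inner.split())
            rest = rest[end + 1 :]
        else:
            control, rest = rest[0], rest[1:]
        entries.append((control, rest[0], rest[1:]))
    return entries


def simulate_module(module, args, user, groups, enrolled, password_ok):
    """Stand-in for the real modules: True means PAM_SUCCESS."""
    if module == "pam_succeed_if.so":
        # Only the 'user ingroup <group>' test from the comment is modelled.
        if args[:2] != ["user", "ingroup"]:
            raise ValueError(f"unsupported pam_succeed_if test: {args}")
        return args[2] in groups.get(user, set())
    if module == "pam_u2f.so":
        if user in enrolled:
            return True  # key registered; assumption: the user touches it
        # Un-enrolled user: fails unless the nouserok option is present.
        return "nouserok" in args
    if module == "pam_unix.so":
        return password_ok
    raise ValueError(f"unknown module {module}")


def run_stack(stack_text, user, groups, enrolled, password_ok=True):
    """Walk the stack with required/requisite/sufficient semantics plus the
    [success=... default=N] jump form; return the final auth verdict."""
    entries = parse_stack(stack_text)
    failed = False
    i = 0
    while i < len(entries):
        control, module, args = entries[i]
        ok = simulate_module(module, args, user, groups, enrolled, password_ok)
        i += 1
        if isinstance(control, dict):
            action = control["success" if ok else "default"]
            if action == "ignore":
                continue          # result does not affect the verdict
            if action == "die":
                return False
            i += int(action)      # 'default=1' skips the next module
            continue
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True         # keep running, but the stack will fail
        if control == "sufficient" and ok and not failed:
            return True
    return not failed


def demo():
    """Constructed accounts: alice is in mandatory_u2f and has a key;
    bob is an ordinary user with no key (the accounts locked out in the thread)."""
    groups = {"alice": {"mandatory_u2f"}, "bob": set()}
    enrolled = {"alice"}
    return {
        "bob_lockout": run_stack(LOCKOUT_STACK, "bob", groups, enrolled),
        "bob_group_gated": run_stack(GROUP_GATED_STACK, "bob", groups, enrolled),
        "bob_nouserok": run_stack(NOUSEROK_STACK, "bob", groups, enrolled),
        "alice_group_gated": run_stack(GROUP_GATED_STACK, "alice", groups, enrolled),
        "alice_no_key": run_stack(GROUP_GATED_STACK, "alice", groups, set()),
        "alice_bad_password": run_stack(
            GROUP_GATED_STACK, "alice", groups, enrolled, password_ok=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'login ok' if verdict else 'denied'}")
```

The interesting rows are bob_lockout (denied: the unconditional stack reproduces the original poster's problem), bob_group_gated (allowed: pam_succeed_if fails, default=1 jumps over pam_u2f.so, so the un-enrolled user falls through to the password check) and alice_no_key (denied: a user placed in mandatory_u2f but not yet enrolled is still locked out, so enrol before adding the group).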
I guess you can write your own PAM module and use maybe an argument (your username) as a parameter. Just talking hypothetically: I think it should be possible.
I don’t have a clue, but just from your description, it sounds like a bug in Ubuntu?