3

I have added the yubikey pam module to my sudo pam config, and I like the results—no one can get superuser access through sudo or su without a yubikey.

Setting aside the fact that this is possibly excessive security for a personal machine, I am trying to figure out how to require the yubikey for gnome admin upgrade password requests also, but I don't want to use it to log in/unlock the screen, just to gain admin access.

However, when I look at the pam modules, I see gdm-password and login (plus others of course), neither of which seems ideal for what I want to do.

Is it possible to do this? If so, which pam module would I need to alter?

I am on Ubuntu 18.04, gnome-shell 3.28.1, kernel version 4.15.0-23-generic

Mike D
  • That is probably the GNOME polkit authentication agent, and the corresponding PAM stack would be polkit's (`/etc/pam.d/polkit-1`). – muru Jul 02 '18 at 08:01
  • Correct! That worked. Would you mind re-writing as an answer so I can accept it? – Mike D Jul 03 '18 at 00:05

1 Answer

5

Most GUI prompts on a modern Ubuntu release are for authenticating to Polkit: the Software update/install prompts, changing settings in Disks or User Accounts, etc. Additionally, on the command line, using `systemctl` (and `systemctl`-based commands like `shutdown`, `reboot`, etc.) also authenticates via Polkit (if you don't use `sudo`). For all of these, the applicable PAM stack would be Polkit's: `/etc/pam.d/polkit-1`.

muru
  • For anyone who wants to add offline yubikey 2FA for root access, you can follow the guide here: https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html but instead of using the common-auth module, use the `polkit-1` module like muru says, as well as the `sudo` and `su` modules. Be aware you can permanently lock yourself out of your system if you aren't careful. – Mike D Jul 03 '18 at 18:17
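
The check below is an added example, not part of the original question, answer or comments: it audits a PAM directory for the layout discussed on this page, with the YubiKey module on `sudo`, `su` and `polkit-1` but not on the login and unlock stacks. The function names and the sample files are constructed for illustration, and the `pam_yubico.so mode=challenge-response` line is assumed to match the Yubico guide linked above.

```shell
#!/bin/sh
# Added example: audit which PAM stacks require the YubiKey module.
# On a real system, call: audit_pam_dir /etc/pam.d

# True if SERVICE in DIR has an active (uncommented) auth line that loads
# pam_yubico.so with a control flag that makes a failure fatal.
requires_yubikey() {
    [ -f "$1/$2" ] &&
        grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_yubico\.so' "$1/$2"
}

# Prints one finding per stack. Returns 0 only if the YubiKey is enforced on
# sudo, su and polkit-1 and is not enforced on the login/unlock stacks.
audit_pam_dir() {
    dir=$1
    rc=0
    for svc in sudo su polkit-1; do
        if requires_yubikey "$dir" "$svc"; then
            echo "ok       $svc requires pam_yubico"
        else
            echo "MISSING  $svc can grant admin access without the YubiKey"
            rc=1
        fi
    done
    # common-auth is @included by the login stacks, so a line there reaches them too.
    for svc in gdm-password login common-auth; do
        if requires_yubikey "$dir" "$svc"; then
            echo "UNWANTED $svc would also demand the YubiKey at login/unlock"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample directory (not real Ubuntu files) so the demo runs offline.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    for svc in sudo su polkit-1; do
        printf '%s\n' 'auth required pam_yubico.so mode=challenge-response' \
            '@include common-auth' > "$d/$svc"
    done
    for svc in gdm-password login; do
        printf '%s\n' '@include common-auth' > "$d/$svc"
    done
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$d/common-auth"
    echo "$d"
}

sample=$(make_sample_pam_dir)
audit_pam_dir "$sample"
rm -rf "$sample"
```

Keep a root shell open while editing these files and run the audit before closing it, since a mistake in `sudo`, `su` and `polkit-1` together removes every path back to root.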