OS: Fedora Linux 37. I followed these instructions to set up FIDO U2F auth: Desktop Login And Linux User Authentication - Nitrokey Documentation.
Since Fedora doesn't have a /etc/pam.d/common-auth file, I added the auth sufficient pam_u2f.so ... entry to the following files:
/etc/pam.d/sudo
/etc/pam.d/gdm-password
/etc/pam.d/login
It works perfectly with sudo in the terminal and at the GDM login screen, but it doesn't work if I, for example, run GParted or Disk Utility: it prompts me to enter a user password instead of touching the Nitrokey 3A NFC.
In theory, the /etc/pam.d/gdm-password file should be responsible for this, but in my case it only works with the login screen. What could be the reason?
/etc/pam.d/nitrokey-sufficient:
#Nitrokey FIDO2 config
#%PAM-1.0
auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok
/etc/pam.d/gdm-password:
auth include nitrokey-sufficient
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password substack password-auth
-password optional pam_gnome_keyring.so use_authtok
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
The solution is to add auth include nitrokey-sufficient to the /etc/pam.d/system-auth and /etc/pam.d/password-auth files.
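The reason the fix has to land in password-auth (and system-auth) becomes visible once you resolve a service's effective auth stack by following its include and substack directives: a service that pulls in only password-auth never sees the pam_u2f.so line that gdm-password includes directly. The script below is an added example, not part of the original post or of Nitrokey's documentation. It resolves the stack for a set of constructed, in-memory sample files modelled on the configuration above (the file named desktop-prompt is hypothetical and stands for any service whose auth section is just auth substack password-auth) and reports whether pam_u2f.so is reachable before and after the include is added to password-auth. On a real system you would read the files from /etc/pam.d/ instead of the dictionary.

```python
"""Resolve a PAM service's effective stack for one type (default: auth)
by following `include` and `substack` directives, and report whether
pam_u2f.so is reachable. Added example; the service files are constructed
samples, not copied from a real system."""
import re
from typing import Dict, List, Tuple

# type  control-or-[bracketed control]  module  [args]
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample of /etc/pam.d/ BEFORE the fix: only gdm-password
# includes nitrokey-sufficient. Module names are real PAM modules.
PAMD_BEFORE: Dict[str, str] = {
    "nitrokey-sufficient": (
        "#%PAM-1.0\n"
        "auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok\n"
    ),
    "gdm-password": (
        "auth include nitrokey-sufficient\n"
        "auth [success=done ignore=ignore default=bad] pam_selinux_permit.so\n"
        "auth substack password-auth\n"
        "account include password-auth\n"
    ),
    "password-auth": (
        "auth required pam_env.so\n"
        "auth sufficient pam_unix.so nullok\n"
        "auth required pam_deny.so\n"
    ),
    # Hypothetical service for a desktop privilege prompt: it only pulls
    # in password-auth, which is the pattern that never reaches pam_u2f.
    "desktop-prompt": "auth substack password-auth\n",
}


def parse_service(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (type, control, module, args) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        # A leading '-' only silences "module not found" errors; drop it.
        entries.append((typ.lstrip("-"), control, module, args or ""))
    return entries


def effective_stack(pamd: Dict[str, str], service: str, typ: str = "auth",
                    _seen=None) -> List[Tuple[str, str, str]]:
    """Flatten include/substack chains into the modules PAM will actually run."""
    seen = _seen if _seen is not None else set()
    if service in seen:
        raise ValueError(f"include loop at {service}")
    seen.add(service)
    stack = []
    for t, control, module, args in parse_service(pamd[service]):
        if t != typ:
            continue
        if control in ("include", "substack"):
            stack.extend(effective_stack(pamd, module, typ, seen))
        else:
            stack.append((control, module, args))
    seen.discard(service)  # the same file may be reached via two paths
    return stack


def uses_u2f(pamd: Dict[str, str], service: str) -> bool:
    return any(module == "pam_u2f.so" for _, module, _ in effective_stack(pamd, service))


def with_fix(pamd: Dict[str, str]) -> Dict[str, str]:
    """Apply the post's solution: include nitrokey-sufficient from password-auth."""
    fixed = dict(pamd)
    fixed["password-auth"] = "auth include nitrokey-sufficient\n" + pamd["password-auth"]
    return fixed


if __name__ == "__main__":
    for label, pamd in (("before", PAMD_BEFORE), ("after", with_fix(PAMD_BEFORE))):
        for svc in ("gdm-password", "desktop-prompt"):
            print(f"{label:6} {svc:15} pam_u2f reachable: {uses_u2f(pamd, svc)}")
            for control, module, args in effective_stack(pamd, svc):
                print(f"       {control:40} {module} {args}")
```

After the fix, the resolved gdm-password stack lists pam_u2f.so twice (once from its own include and once via password-auth); that mirrors what the real files produce, and because the first entry is marked sufficient a successful touch ends the stack there, so the second entry is only reached when the first one fails.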