I recently purchased a U2F security key, and I have successfully configured my Ubuntu 18.04 machine to require authentication via the key as well as my usual password to log in. I am hoping to change my authentication configurations such that:
- When I first log in to my machine, I need to both enter my password and insert my U2F key.
- When I lock my already-logged-in machine, I need only to insert my U2F key to unlock it.
Is this something that is possible with the stock GNOME lock screen? If so, which PAM configuration do I have to edit?
Currently the only thing I have changed is adding
auth required pam_u2f.so
to /etc/pam.d/gdm-password, under
@include common-auth
Best Answer
GNOME uses gdm-password as the PAM service name for both logins and unlocks, so it's not possible to distinguish them in PAM. To do so, you'd have to create a custom build of GNOME Shell, specifically editing js/gdm/util.js to use different service names depending on context. This would be a very useful feature to PR to them were you to do it.
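
An added example, not part of the answer above: since gdm-password serves both login and unlock, any edit to that one file changes both, so it is worth checking what a given pam_u2f.so line actually enforces before relying on it. The function name u2f_mode, its output labels and the sample files are constructed for illustration, and the classification assumes Ubuntu's stock common-auth, which fails the stack on a wrong password.

```shell
#!/usr/bin/env bash
# Classify how pam_u2f.so is wired into one PAM service file.
# Assumption: stock Ubuntu common-auth (a wrong password fails the stack).
# Output labels (made up for this example):
#   both        password AND key are required
#   either      key alone is accepted, password alone is accepted too
#   key-ignored password alone is accepted, the key result changes nothing
#   no-u2f      no auth line loads pam_u2f.so
#   review      bracketed control or no common-auth include: check by hand
u2f_mode() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }                      # comments, blanks
        $1 == "@include" && $2 == "common-auth" { common = 1; next }
        $1 == "auth" && /pam_u2f\.so/ && !found {
            found = 1; ctl = $2; after = common            # first u2f line wins
        }
        END {
            if (!found)       print "no-u2f"
            else if (!common) print "review"
            else if (ctl == "required" || ctl == "requisite") print "both"
            else if (ctl == "sufficient") print (after ? "key-ignored" : "either")
            else              print "review"
        }
    ' "$1"
}

# Constructed sample files: the stack from the question plus three variants.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' '#%PAM-1.0' '@include common-auth' 'auth required pam_u2f.so' \
    > "$sample_dir/asked"
printf '%s\n' 'auth sufficient pam_u2f.so' '@include common-auth' \
    > "$sample_dir/sufficient-first"
printf '%s\n' '@include common-auth' 'auth sufficient pam_u2f.so' \
    > "$sample_dir/sufficient-last"
printf '%s\n' '@include common-auth' > "$sample_dir/stock"

for f in asked sufficient-first sufficient-last stock; do
    printf '%-17s %s\n' "$f" "$(u2f_mode "$sample_dir/$f")"
done
```

Run the function against /etc/pam.d/gdm-password; whatever it reports applies to the lock screen as well as the login screen.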