Post

Twice-Touched: An Arch Adventure With Yubikey

Posted
By Th3_4ngl3r
6 min read
Twice-Touched: An Arch Adventure With Yubikey

The Yubikey Spark

I was a bored cyber security engineer on a rainy Sunday afternoon with nothing to do but poke at the edges of my laptop. It was the kind of boredom that feels like an invitation to mess around and find out. I wanted a project that would be equal parts fiddly and satisfying, something that would make the machine feel like mine again. Two-factor authentication had been nagging at me for months—I wanted real 2FA, not just an app on my phone—so I ordered a YubiKey and decided to turn that idle afternoon into an adventure: install Arch Linux from scratch and wire the YubiKey into both the command line and my Plasma desktop login.

Installing Arch felt like a ritual. Partitioning, pacstrap, chroot, the little victories and the tiny, terrifying errors (forgetting to install sudo). When the system finally booted, it was quiet and clean and mine. Next came the part that made my heart beat a little faster: integrating the YubiKey.

I set up PAM, wrong, several times, so that the CLI would require the usual username and password, then prompt for the hardware token. The first time I rebooted with SDDM disabled, the machine dropped me to a prompt asking for my username and password. I typed them in, and the YubiKey began to blink. It was an honest to God, mechanical little heartbeat. I giggled, touched it, and the session unlocked. That blink and that single, decisive touch felt like a handshake between me and the machine. Victory was mine.

Caution, Then Rescue

I had intentionally left SDDM disabled while I tested things. I didn’t want a misconfigured display manager to corrupt files and lock me out of the graphical stack. That caution lasted until it didn’t. In a moment of overconfidence I tweaked a config, rebooted, and found myself staring at a system that refused to let me in. Dangit, I should have listened to Lintile (D.F.I.U.) but insead, all I could here is (Y.F.I.U.).

Never fear. Rescue mode, frantic edits, and a roll-back later, I learned the hard way that even careful plans need backups and that rescue shells are both terrifying and oddly comforting. Much like hot chocolate as a kid.

Plasma, Hyperland, and the Double Touch Mystery

Once I recovered, I turned my attention to Plasma. The concept was the same: enter username and password, then let the YubiKey finish the job. With SDDM still disabled, the login flow in Plasma behaved similarly—username, password, then the YubiKey blink. But here the hardware developed a quirk: the key would blink, I’d touch it, nothing. Blink again, touch it a second time, and then Hyperland would accept me.

I never fully solved why the double touch was necessary; nor have I really tried. Maybe a timing issue in the PAM stack, maybe a race between the compositor and the authentication agent, maybe a stubborn quirk in the YubiKey’s interaction with the desktop agent. Whatever the cause, the second touch became part of the ritual: type, wait for the blink, touch twice, and then the world of Hyperland unfolded.

Honestly, I could probably just update the config from sufficient to required. But, until I get bored on another day….

The Takeaway

What started as boredom turned into a small, stubborn triumph. I ended up with a system that asks for username and password at boot, then waits for the YubiKey’s blink and a touch to authenticate—on the CLI and in Plasma. I learned to respect the fragility of configuration files, to keep rescue options handy, and to accept that hardware and software sometimes disagree in ways you can only solve by patience and repetition.

The YubiKey’s blink is now a tiny, satisfying punctuation in my day. It’s a reminder that security can be tactile, that a little friction can feel like ownership, and that the best projects are the ones that teach you something you didn’t expect to learn—like how to roll back from rescue mode and why, for reasons still mysterious, Hyperland sometimes wants that second touch.

D.F.I.U.

The End.

How To: Configure Arch Authentication with Yubikey

This walks through installing the required packages, enabling the smartcard daemon, generating a U2F key file for PAM, and verifying the result. Run the commands in order, with the YubiKey inserted when you generate the key file, and protect the resulting file with strict permissions.

Prerequisites

  • A YubiKey or other FIDO2/U2F device inserted into the machine.
  • A working Arch Linux installation with network access.
  • A non-root user account for the key registration step.

Step 1: Install Required Packages

1

sudo pacman -Syu pcsc-tools libfido2 yubikey-manager yubico-pam pam-u2f
  • pacman -Syu updates the package database and upgrades installed packages.
  • pcsc-tools provides utilities to test smartcard readers.
  • libfido2 is the FIDO2 client library required by many tools that talk to U2F/FIDO devices.
  • yubikey-manager (ykman) is Yubico’s management tool for configuring the key.
  • yubico-pam and pam-u2f are PAM modules that enable U2F/FIDO2 authentication for system logins; pam-u2f provides the pamu2fcfg helper used to register keys.

Step 2: Enable the PC/SC Daemon

1

sudo systemctl enable --now pcscd.service

pcscd is the smartcard daemon that provides CCID support and lets the system communicate with the YubiKey over the smartcard interface. Enabling it now ensures the device is accessible when you run registration and when PAM queries the token later.

Step 3: Create the Yubico Configuration Directory

1

mkdir -p ~/.config/Yubico

This creates a per-user directory to store the U2F key mapping file. Using a user-local path avoids exposing keys system-wide and keeps the file under the user’s control.

Step 4: Generate the U2F Key Mapping

1

pamu2fcfg > ~/.config/Yubico/u2f_keys

pamu2fcfg probes the inserted YubiKey and prints a line that maps the device to your username; redirecting it into ~/.config/Yubico/u2f_keys registers that device for PAM U2F authentication. Run this as the user who will authenticate with the key and ensure the YubiKey is inserted and unlocked when you run it. After creation, restrict file permissions so only your user can read it.

1
2

chmod 600 ~/.config/Yubico/u2f_keys

Step 5: Verify the Key File

1

cat ~/.config/Yubico/u2f_keys

This displays the single-line mapping created by pamu2fcfg. Confirm the line contains your username and a public key.

Final Steps and Notes**

  • Integrate with PAM by editing the appropriate PAM service files (for example /etc/pam.d/system-login, /etc/pam.d/sudo, or your display manager’s PAM file) to include the pam_u2f.so module according to your security policy.
  • Test from a rescue shell or secondary TTY before enabling graphical login to avoid lockout. Keep a root shell or live USB handy for recovery.
  • If you need WebAuthn/FIDO2 features beyond PAM U2F, consult libfido2 and browser integration guidance.

I have include examples of my sddm and login pam files for reference.

/etc/pam.d/login

1
2
3
4
5
6
7
8
9
10
11
12

#%PAM-1.0
# YubiKey U2F second factor
auth    sufficient  pam_u2f.so cue

# Fallback to local password
auth    required    pam_unix.so try_first_pass nullok

auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login
password   include      system-local-login

/etc/pam.d/sddm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

#%PAM-1.0
auth required pam_u2f.so
auth required pam_u2f.so cue

auth        include     system-login
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so

account     include     system-login

password    include     system-login
-password   optional    pam_gnome_keyring.so    use_authtok

session     optional    pam_keyinit.so          force revoke
session     include     system-login
-session    optional    pam_gnome_keyring.so    auto_start
-session    optional    pam_kwallet5.so         auto_start
Linux, Arch
Arch
This post is licensed under CC BY 4.0 by the author.