Locked out from system after adding Yubikey 2FA

I followed the official Yubico guide to enable Challenge-Response 2FA on my account. However, on a reboot the login prompts for the Yubikey, then asks for my password, and then repeats these 2 prompts with no end. If I switch to a TTY and attempt to log in as root, I get an Authentication Failure message after it prompts for both the Yubikey and my password. For now, I just want to find a way to disable 2FA so that I can diagnose and fix the problem in my own time.
My question is: if I boot with a live CD and simply comment out the line in the PAM configuration file, will that be sufficient to allow me to get back into my laptop?


Solution 1:

Boot from a live CD.

Mount your root file system at some place, and bind mount /dev, /proc and /sys. Assuming your root file system is mounted at /mnt in the live session, the following commands will do this:

sudo mount --bind /proc /mnt/proc
sudo mount --bind /dev /mnt/dev
sudo mount --bind /sys /mnt/sys

Then you have to chroot to your system:

sudo chroot /mnt

Edit your PAM configuration and comment out the relevant line, like you suggested - and after saving the file, run pam-auth-update and disable the yubikey module.
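
As an added example (not part of the original answer), the edit step above can be done with a small shell function that comments out every active line loading the module and keeps a backup for later diagnosis. The module name pam_yubico.so and the file /etc/pam.d/common-auth are assumptions based on a Yubico challenge-response setup; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original answer. Comments out every active line
# that loads a PAM module and keeps a backup of the file it edits.

# disable_pam_module FILE MODULE -> prints how many lines were commented out
disable_pam_module() {
    file=$1
    module=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Count active (not already commented) lines that mention the module.
    count=$(awk -v mod="$module" \
        '!/^[ \t]*#/ && index($0, mod) { n++ } END { print n + 0 }' "$file")
    [ "$count" -gt 0 ] || { echo 0; return 0; }

    cp -p "$file" "$file.bak" || return 1      # backup for later diagnosis
    tmp=$(mktemp) || return 1
    awk -v mod="$module" '
        /^[ \t]*#/     { print; next }                    # leave comments alone
        index($0, mod) { print "#DISABLED# " $0; next }   # disable the module
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"    # rewrite in place: keeps owner and mode of the file
    rm -f "$tmp"
    echo "$count"
}

# Usage inside the chroot (path assumed: the common-auth stack on Ubuntu):
#   sh thisscript.sh /etc/pam.d/common-auth pam_yubico.so
if [ "$#" -eq 2 ]; then
    disable_pam_module "$1" "$2"
else
    # No arguments: demonstrate on a constructed sample file.
    demo=$(mktemp)
    printf '%s\n' \
        'auth required pam_yubico.so mode=challenge-response' \
        '@include common-password' > "$demo"
    echo "lines disabled in sample: $(disable_pam_module "$demo" pam_yubico.so)"
    cat "$demo"
    rm -f "$demo" "$demo.bak"
fi
```

The `#DISABLED#` marker makes the change easy to find and revert once the Yubikey configuration has been fixed.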

Solution 2:

In my case, if I pulled the Yubikey out, I could get in using regular password login. I then moved the following files to /etc/pam.disabled:

lrwxrwxrwx   1 root root   31 Apr 29 23:40 gdm-smartcard -> /etc/alternatives/gdm-smartcard
-rw-r--r--   1 root root 1.3K Feb 25 11:42 gdm-smartcard-pkcs11-exclusive
-rw-r--r--   1 root root 1.4K Feb 25 11:42 gdm-smartcard-sssd-exclusive
-rw-r--r--   1 root root 1.4K Feb 25 11:42 gdm-smartcard-sssd-or-password

i.e.,

sudo -i
mkdir /etc/pam.disabled
cd /etc/pam.d
mv *smartcard* ../pam.disabled/

You can then test by plugging in the Yubikey, locking the screen (Super+L or Lock if your keyboard has it), and you should see your happy familiar password prompt instead of the smartcard prompt.

Nit: Just because I install smartcard software doesn't mean I want to log in that way. This wasn't happening just a few versions ago. There should be a way to install the PKCS11 drivers without enabling them for PAM challenges.