Locked out from system after adding Yubikey 2FA
I followed the official Yubico guide to enable Challenge-Response 2FA on my account. However, on a reboot the login prompts for the Yubikey, then asks for my password, and then repeats these 2 prompts with no end. If I switch to a TTY and attempt to log in with root, I get an Authentication Failure message after it prompts for both the Yubikey and my password. For now, I just want to find a way to disable 2FA so that I can diagnose and fix the problem in my own time.
My question is: if I boot with a live CD and simply comment out the line in the PAM configuration file, will that be sufficient to allow me to get back into my laptop?
Solution 1:
Boot from a live CD.
Mount your root file system at some place, and bind mount /dev, /proc and /sys. Assuming your root file system is mounted at /mnt in the live session, the following commands will do this:
sudo mount --bind /proc /mnt/proc
sudo mount --bind /dev /mnt/dev
sudo mount --bind /sys /mnt/sys
Then you have to chroot to your system:
sudo chroot /mnt
Edit your PAM configuration and comment out the relevant line, like you suggested - and after saving the file, run pam-auth-update and disable the yubikey module.
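The comment-out step from Solution 1, as an added example that is not part of the original answer: a function that comments out active PAM lines in a mounted root and keeps a backup of each file it changes. It assumes the 2FA line loads pam_yubico.so (the page does not name the module or the file); the backup directory /etc/pam.d-backup and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumption: the 2FA line loads
# pam_yubico.so (e.g. in common-auth). Backup directory name is hypothetical.

# disable_pam_yubico ROOT -> prints each file changed; 1 if none, 2 on error.
disable_pam_yubico() {
    root=${1:-/mnt}
    pam_dir="$root/etc/pam.d"
    backup_dir="$root/etc/pam.d-backup"   # kept outside pam.d on purpose
    [ -d "$pam_dir" ] || { echo "no PAM directory at $pam_dir" >&2; return 2; }
    changed=0
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Skip files where the module only appears on commented-out lines.
        grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_yubico\.so' || continue
        mkdir -p "$backup_dir" || return 2
        bak="$backup_dir/$(basename "$f")"
        cp -p "$f" "$bak" || return 2
        # Prefix active matching lines with "# "; write in place so the
        # file keeps its owner and mode.
        sed '/^[[:space:]]*#/!s/^.*pam_yubico\.so.*$/# &/' "$bak" > "$f" || return 2
        echo "$f"
        changed=$((changed + 1))
    done
    [ "$changed" -gt 0 ]
}

# Constructed sample tree for a dry run; prints the temporary root it created.
make_sample_root() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/etc/pam.d"
    cat > "$tmp/etc/pam.d/common-auth" <<'EOF'
auth required pam_yubico.so mode=challenge-response
auth [success=1 default=ignore] pam_unix.so nullok
# auth optional pam_yubico.so debug
EOF
    echo '@include common-auth' > "$tmp/etc/pam.d/sshd"
    echo "$tmp"
}

# Dry run on the sample:  sh this-script --demo
if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_root) && disable_pam_yubico "$r" && cat "$r/etc/pam.d/common-auth"
fi
```

Against a real system, call `disable_pam_yubico /mnt` as root from the live session once the root file system is mounted; the untouched originals stay in /mnt/etc/pam.d-backup for when you re-enable 2FA.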
Solution 2:
For my case, if I pulled the Yubikey out, I could get in using regular password login. I then moved the following files to /etc/pam.disabled:
lrwxrwxrwx 1 root root 31 Apr 29 23:40 gdm-smartcard -> /etc/alternatives/gdm-smartcard
-rw-r--r-- 1 root root 1.3K Feb 25 11:42 gdm-smartcard-pkcs11-exclusive
-rw-r--r-- 1 root root 1.4K Feb 25 11:42 gdm-smartcard-sssd-exclusive
-rw-r--r-- 1 root root 1.4K Feb 25 11:42 gdm-smartcard-sssd-or-password
i.e.,
sudo -i
mkdir /etc/pam.disabled
cd /etc/pam.d
mv *smartcard* ../pam.disabled/
You can then test by plugging in the Yubikey, locking the screen (Super+L or Lock if your keyboard has it), and you should see your happy familiar password prompt instead of the smartcard prompt.
Nit: Just because I install smartcard software doesn't mean I want to log in that way. This wasn't happening just a few versions ago. There should be a way to install the PKCS11 drivers without enabling them for PAM challenges.