Locked out from system after adding Yubikey 2FA

password login yubikey

I followed the official Yubico guide to enable Challenge-Response 2FA on my account, However on a reboot the login prompts for the Yubikey, then asks for my password, and then repeats these 2 prompts with no end. If I switch to a TTY and attempt to login with root, I get an Authentication Failure message after it prompt for both the Yubikey and my password. For now, I just want to find a way to disable 2FA so that I can diagnose and fix the problem in my own time.
My question is, If I boot with a live CD and simply comment out the line in the PAM configuration file, will that be sufficient to allow me to get back into my laptop?


Solution 1:

Boot rom a live CD.

Mount your root file system at some place, and bind mount /dev, /proc and /sys. Assuming your root file system is mounted at /mnt in the live session, the following commands will do this:

sudo mount --bind /proc /mnt/proc
sudo mount --bind /dev /mnt/dev
sudo mount --bind /sys /mnt/sys

Then you have to chroot to your system

sudo chroot /mnt

Edit your PAM configuration and comment out the relevant line, like you suggested - and after saving the file, run pam-auth-update and disable the yubikey module.

Solution 2:

For my case, if I pulled the Yubikey out, I could get in using regular password login. I then moved the following files to /etc/pam.disabled:

lrwxrwxrwx   1 root root   31 Apr 29 23:40 gdm-smartcard -> /etc/alternatives/gdm-smartcard
-rw-r--r--   1 root root 1.3K Feb 25 11:42 gdm-smartcard-pkcs11-exclusive
-rw-r--r--   1 root root 1.4K Feb 25 11:42 gdm-smartcard-sssd-exclusive
-rw-r--r--   1 root root 1.4K Feb 25 11:42 gdm-smartcard-sssd-or-password

i.e.,

sudo -i
mkdir /etc/pam.disabled
cd /etc/pam.d
mv *smartcard* ../pam.disabled/

You can then test by plugging in the Yubikey, locking the screen (Super+L or Lock if your keyboard has it), and you should see your happy familiar password prompt instead of the smartcard prompt.

Nit: Just because I install smartcard software doesn't mean I want to login that way. This wasn't happening just a few versions ago. There should be a way to install the PKCS11 drivers without enabling them for PAM challenges.

Related

How to get the size for all subdirs in Krusader
Can you install software and tools using a script? [duplicate]
How do I change my login screen on lubuntu?
Running Virtualbox 6.1.22 on Ubunti 21.04, I get 'Effective UID is not root' every time it try to start a VM
BioX 4.6 won't launch: "An illegal reflective access operation has occurred."
How to unpack EaseUs Todo backup .PBD files on Ubuntu
Ubuntu 18.04 failed to resolve VPN DNS when select "Use this connection only for resources on this network"
network not working updating to kernel 5.8 ubuntu 20.04
How to remove Microsoft Office icons?
Lecture from the local System Administrator
You do not have permission to extract to this folder
Converting image to Jpeg2000 does not work