Yubikey


Install prerequisite packages

  • libfido2
  • yubico-c
  • yubikey-manager
  • yubico-pam
  • yubikey-personalization
  • yubico-c-client

SUDO

Generate yubikey auth file

mkdir -p ~/.config/Yubico
pamu2fcfg -P > ~/.config/Yubico/u2f_keys
  • -P, --no-user-presence: registers the key so that no touch is needed. Omit this option if you want touch verification.

Add touchless sudo

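Add one of the following lines to /etc/pam.d/sudo. Because the control flag is "sufficient", a successful YubiKey check is enough on its own to authorize sudo, so with the touchless line any process running as your user can use sudo while the key is plugged in.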

#%PAM-1.0
##
## TOUCHLESS SUDO
##
auth            sufficient      pam_u2f.so userpresence=0

##
## NEED TO TOUCH THE YUBIKEY
##
auth            sufficient      pam_u2f.so cue [cue_prompt=Touch your YubiKey]
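
The script below is an added example, not part of the original notes: it reports whether a given PAM file and u2f_keys file will actually require a touch. The authfile field layout, the "+presence" option and the override rule are assumptions about pam_u2f stated in the comments; the user "alice" and the credentials are constructed sample data.

```shell
#!/bin/sh
# Assumed pam_u2f behaviour (example only, not from the original page):
#  - authfile: user:handle,pubkey,cosetype,options[:handle,...]; options has
#    "+presence" unless the key was registered with -P
#  - userpresence=0|1 on the PAM line overrides the authfile

# Print the userpresence value of the first active pam_u2f auth line.
pam_presence() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "auth" && /pam_u2f\.so/ {
             v = "unset"
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^userpresence=[01]$/) v = substr($i, 14)
             print v; found = 1; exit
         }
         END { if (!found) print "absent" }' "$1"
}

# Print "required" only if every credential of user $2 carries +presence.
authfile_presence() {
    awk -F: -v u="$2" '
        $1 == u { seen = 1
            for (i = 2; i <= NF; i++) {
                n = split($i, f, ",")
                if (n >= 4 && f[4] !~ /\+presence/) weak = 1
            } }
        END { print (seen ? (weak ? "not-required" : "required") : "no-entry") }' "$1"
}

# touch_policy PAMFILE AUTHFILE USER -> touch|touchless|no-pam_u2f|no-credential
touch_policy() {
    case "$(pam_presence "$1")" in
        0) echo touchless ;;
        1) echo touch ;;
        absent) echo no-pam_u2f ;;
        *) case "$(authfile_presence "$2" "$3")" in
               required) echo touch ;;
               not-required) echo touchless ;;
               *) echo no-credential ;;
           esac ;;
    esac
}

# Constructed sample data: fake credentials for a made-up user "alice".
tmp=$(mktemp -d)
printf 'auth sufficient pam_u2f.so cue [cue_prompt=Touch your YubiKey]\n' > "$tmp/sudo"
printf 'alice:a2V5aGFuZGxl,cHVia2V5,es256,\n' > "$tmp/keys"   # as if made with -P
echo "cue line + key registered with -P: $(touch_policy "$tmp/sudo" "$tmp/keys" alice)"
rm -r "$tmp"
```

Under these assumptions, a "touchless" result for the cue line means the key was registered with -P; register it again without -P if sudo should wait for a touch.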

SSH-KEY

Generate new ssh key

ssh-keygen -t ed25519-sk -O "resident" -O "application=ssh:principal" -O "no-touch-required" -O "user=scrown" -N "" -f ~/.ssh/yubikey_principale_notouch_scrown

Add the public key to the server

no-touch-required sk-ssh-ed25519@openssh.com AAAAGn[...]wYWw= key_name

Auto-lock the screen when the YubiKey is removed

Add the following line to the file /etc/udev/rules.d/80-yubikey-actions.rules:

ACTION=="remove", ENV{ID_VENDOR}=="Yubico", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010|0111|0112|0113|0114|0115|0116|0401|0402|0403|0404|0405|0406|0407|0410", RUN+="/usr/bin/loginctl lock-sessions"

Last modified: Sat Jan 24 17:57:42 2026