Overview

WARNING
Log into one or more VT's as a privileged user. (Crtl + Alt + F1-12)
WARNING

This guide builds off the previous U2F sudo guide.
Ensure you have at least setup the mapping file as per the guide, as we will make use of the same mapping file.
You will also need Yubico's pam-u2f software installed, this is also covered in the U2F sudo guide.

This guide focus on using LightDM as a login manager and screen saver.

Requirements

  • U2F security key(s) (I am using Yubikeys)
  • Mapping file from U2F sudoe guide
  • Yubico's pam-u2f installed
  • LightDM login/screen-saver

Steps

WARNING
Log into one or more VT's as a privileged user. (Crtl + Alt + F1-12)
WARNING

Ensure you have logged into one or more VT's. This will allow you to fix PAM if you have made a mistake with PAM.
Failing to have extra VT's logged in as a privileged user could result in you been locked you out of your machine entirety.

Configure PAM for password and U2F 2FA

This will ensure we need to tap your U2F key and enter your user password to login/unlock.
For LightDM, you will be prompted to press the Yubikey's physical button, then enter your password.

Open the file /etc/pam.d/lightdm.
At the top of the file insert the following line :

auth	required	pam_u2f.so	 cue authfile=/etc/u2f_mappings

For a breakdown of each section, please see the previous guide on U2F sudo.

An example LightDM login/unlock screen, prompting for me to press the Yubikey :

LightDM touch login

Configure PAM for U2F only with password fall back

This method will let you login/unlock by inserting the Yubikey and taping the physical button. If the Yubikey is not present, it will fall-back to password authentication.

Open the file /etc/pam.d/lightdm.
At the top of the file insert the following line :

auth	sufficient	pam_u2f.so	 cue authfile=/etc/u2f_mappings

For a breakdown of each section, please see the previous guide on U2F sudo.
This is also a handy way to test out PAM, as if you get the Yubikey section wrong it will fall-back to password authentication.

Example for i3Lock

I've not tested this as I do not use i3lock with my i3 WM install.
However it should look something like this /etc/pam.d/i3lock :

#
# PAM configuration file for the i3lock screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/login)
#

auth	sufficient	pam_u2f.so	 cue authfile=/etc/u2f_mappings
auth include system-auth

You can also use required in the above vs sufficient. Depending on your needs.