Changes

Yubikey

1,389 bytes added, 19:42, 21 January 2016
Added section on U2F
The test is needed because the script is run whenever the yubikey is polled for challenge-response authentication (because this causes it to change modes from USB HID to serial and back again), and we only want to lock the screen when the key is actually removed. Note that if you have yubikey auth enabled in /etc/pam.d/su, it must come after <code>auth sufficient pam_rootok.so</code>.
* Put your script to lock the screen in /usr/local/bin/lock. You must set DISPLAY=:0 to have the screen locker work correctly if you're not using a daemonized locker such as xscreensaver or gnome-screensaver.
 
== U2F (Universal Second Factor) with Duo [[gp:2FA|2FA]] (Yubikey NEO and 4 only) ==
 
To use U2F on the yubikey, one must first enable U2F mode (only supported on NEO and 4). The U2F-only yubikey already supports U2F out of the box.
 
From the yubikey personalization client man page:
 
'''YubiKey Neo only'''
; -m mode
: set device configuration for the YubiKey. It is parsed in the form mode:cr_timeout:autoeject_timeout where mode is:
:* 0: OTP device only.
:* 1: CCID device only.
:* 2: OTP/CCID composite device.
:* 3: U2F device only.
:* 4: OTP/U2F composite device.
:* 5: U2F/CCID composite device.
:* 6: OTP/U2F/CCID composite device.
: Add 80 to set MODE_FLAG_EJECT, for example: 81
: cr_timeout is the timeout in seconds for the YubiKey to wait on button press for challenge response (default is 15)
: autoeject_timeout is the timeout in seconds before the card is automatically ejected in mode 81
; -n URI
: Program NFC NDEF URI
; -t text
: Program NFC NDEF text
 
The <code>-m</code> flag applies to the yubikey 4 as well. Use this to enable U2F. I do not know if U2F is supported over NFC for the NEO.
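
To check a mode string before writing it to a key, the helper below decodes the <code>mode:cr_timeout:autoeject_timeout</code> form quoted above and reports whether U2F is exposed. It is an added example, not code from the personalization tool; the function names are hypothetical, and it assumes the mode field is hexadecimal (so "add 80" sets bit 0x80). It does not touch the device.

```shell
#!/bin/sh
# Added example (not from the ykpersonalize project): decode a -m argument of
# the form mode:cr_timeout:autoeject_timeout.
# Assumption: the mode field is hexadecimal, so "add 80" means OR-ing in 0x80.

# Print the decoded fields on one line; return 1 on malformed input.
yk_decode_mode() {
    _m=${1%%:*}
    case $1 in *:*) _rest=${1#*:} ;; *) _rest= ;; esac
    _cr=${_rest%%:*}
    case $_rest in *:*) _auto=${_rest#*:} ;; *) _auto= ;; esac

    # Mode: one or two hex digits. Timeouts: decimal seconds when present.
    case $_m in ''|???*|*[!0-9A-Fa-f]*) echo "invalid mode: $1" >&2; return 1 ;; esac
    case $_cr$_auto in *[!0-9]*) echo "invalid timeout: $1" >&2; return 1 ;; esac

    _v=$((0x$_m))
    if [ $(($_v & 0x80)) -ne 0 ]; then _eject=yes; else _eject=no; fi
    case $(($_v & 0x7f)) in
        0) _if=OTP ;;
        1) _if=CCID ;;
        2) _if=OTP+CCID ;;
        3) _if=U2F ;;
        4) _if=OTP+U2F ;;
        5) _if=U2F+CCID ;;
        6) _if=OTP+U2F+CCID ;;
        *) echo "unknown mode: $_m" >&2; return 1 ;;
    esac
    # cr_timeout defaults to 15 per the man page; no autoeject default is stated.
    echo "interfaces=$_if eject=$_eject cr_timeout=${_cr:-15} autoeject_timeout=${_auto:-unset}"
}

# Succeed only if the given mode exposes the U2F interface.
yk_mode_has_u2f() {
    _d=$(yk_decode_mode "$1") || return 2
    case $_d in *U2F*) return 0 ;; *) return 1 ;; esac
}
```

For example, <code>yk_decode_mode 86</code> reports all three interfaces with the eject flag set, while <code>yk_mode_has_u2f 81</code> fails because mode 81 is CCID only.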
 
For Duo, U2F devices can be self-registered.
== External links ==
Anonymous user