3

I have added the yubikey pam module to my sudo pam config, and I like the results—no one can get superuser access through sudo or su without a yubikey.

Setting aside the fact that this is possibly excessive security for a personal machine, I am trying to figure out how to require the yubikey for gnome admin upgrade password requests also, but I don't want to use it to log in/unlock the screen, just to gain admin access.

However, when I look at the pam modules, I see gdm-password and login (plus others of course), neither of which seems ideal for what I want to do.

Is it possible to do this? If so, which pam module would I need to alter?

I am on Ubuntu 18.04, gnome-shell 3.28.1, kernel version 4.15.0-23-generic

Mike D
  • 133

1 Answer

5

Most GUI prompts on a modern Ubuntu release are for authenticating to Polkit: the Software update/install prompts, changing settings in Disks or User Accounts, etc. Additionally, on the command line, using systemctl (and systemctl-based commands like shutdown, reboot, etc.) also authenticates via Polkit (if you don't use sudo). For all of these, the applicable PAM stack would be Polkit's: /etc/pam.d/polkit-1.

muru
  • 1,336
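An added example, not part of the answer above: a check that the YubiKey module sits in the auth stack of sudo and polkit-1 but not of gdm-password, following includes so that a change made in a shared file such as common-auth is caught. It assumes the module is pam_yubico.so; the function names and the sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

def auth_modules(service, pam_dir="/etc/pam.d", seen=None):
    """Modules in a service's auth stack, following @include/include/substack."""
    seen = set() if seen is None else seen
    path = Path(pam_dir, service)
    if service in seen or not path.is_file():
        return []                        # include loop or missing file
    seen.add(service)
    mods = []
    for raw in path.read_text().splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 2 and f[0] == "@include":
            mods += auth_modules(f[1], pam_dir, seen)
        if len(f) < 3 or f[0].lstrip("-") != "auth":
            continue
        end = 1                          # a bracketed control spans several tokens
        while f[1].startswith("[") and not f[end].endswith("]") and end < len(f) - 1:
            end += 1
        if f[1] in ("include", "substack"):
            mods += auth_modules(f[2], pam_dir, seen)
        elif end + 1 < len(f):
            mods.append(Path(f[end + 1]).name)
    return mods

SAMPLE = {  # constructed files, loosely modelled on Ubuntu's /etc/pam.d layout
    "common-auth": "auth [success=1 default=ignore] pam_unix.so\nauth requisite pam_deny.so\n",
    "sudo": "auth required pam_yubico.so mode=challenge-response\n@include common-auth\n",
    "polkit-1": "@include common-auth\n",   # not yet edited, so the audit flags it
    "gdm-password": "auth requisite pam_nologin.so\n@include common-auth\n",
}

def audit(module, want, avoid, pam_dir="/etc/pam.d"):
    """Flag services where the module is missing (want) or unexpected (avoid)."""
    out = {}
    for svc in want + avoid:
        present = module in auth_modules(svc, pam_dir)
        bad = "missing" if svc in want else "unexpected"
        out[svc] = "ok" if present == (svc in want) else bad
    return out

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            Path(d, name).write_text(body)
        return audit("pam_yubico.so", ["sudo", "polkit-1"], ["gdm-password"], d)

if __name__ == "__main__":
    print(demo())
```

Calling `audit` without the last argument reads the real /etc/pam.d; an "unexpected" result for gdm-password means the module was added somewhere the login stack also includes.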