PAM is the thing that controls authentication on a Linux system. It's supposed to be a serial chain of options: a sufficient module should terminate an auth process with success, while include should just include everything from another file.

What I want: auth by fingerprint, YubiKey, or password, in that order. The important flows for me are system login (tty) and sudo.
Reading through the include chains of auth, I thought login was: login -> system-local-login -> system-login -> system-auth, and sudo was: sudo -> system-auth.
I thought that I could just add both pam_fprintd.so and pam_u2f.so to system-auth.
However, when I tried that, sudo worked, but logging in to a tty would trigger all 3 auth options, then still fail.
Some experimenting later, I realized that it was pam_shells.so that was somehow interfering with the login process. So I could either remove the module or place both pam_fprintd.so and pam_u2f.so somewhere before pam_shells.so was called.

Here are the auth chains I ended up with:
login:
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login

system-local-login:
auth sufficient pam_fprintd.so max-tries=2 timeout=15
auth sufficient pam_u2f.so cue origin=pam://hwaryun appid=pam://hwaryun authfile=/etc/u2f_keys [cue_prompt=touche]
auth include system-login

system-login:
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth

system-auth:
auth sufficient pam_fprintd.so max-tries=2 timeout=15
auth sufficient pam_u2f.so cue origin=pam://hwaryun appid=pam://hwaryun authfile=/etc/u2f_keys [cue_prompt=touche]
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok nodelay
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc

sudo:
auth include system-auth
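The ordering effect described above, as an added example (not code from the post or from Linux-PAM): a small Python model of PAM's control flags, run over the flattened login and sudo stacks both as first tried and as finally laid out. The module outcomes are constructed, and the pam_shells.so failure is an assumption made to reproduce what the post observed.

```python
# Added example (not code from the post): a small model of Linux-PAM auth-stack
# control flags, showing why a "sufficient" module placed after a failing
# "required" module cannot rescue a login, while the same module placed before
# it can. All module outcomes below are constructed for the demonstration.
def run_stack(stack, results):
    """stack: list of (control, module); results: module -> True/False.
    Returns True when PAM would report success to the application."""
    required_failed, succeeded, i = False, False, 0
    while i < len(stack):
        control, module = stack[i]
        ok = results.get(module, True)  # modules not listed are assumed to pass
        i += 1
        if control.startswith("["):     # e.g. "[success=2 default=ignore]"
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            # 'default' applies to every return code not listed, success included
            act = actions.get("success" if ok else "default", actions.get("default", "bad"))
            if act.isdigit():
                i += int(act)           # success=N: skip the next N modules
            elif act == "die":
                return False
            elif act == "bad":
                required_failed = True
        elif control in ("required", "requisite"):
            if ok:
                succeeded = True
            elif control == "requisite":
                return False            # requisite failure ends the stack now
            else:
                required_failed = True  # remembered; the stack keeps running
        elif control == "sufficient" and ok and not required_failed:
            return True  # short-circuit; a failing sufficient or an optional module is ignored
    return succeeded and not required_failed

# Flattened "login" stack of the first attempt: pam_fprintd/pam_u2f live in
# system-auth, which is only reached after pam_shells.so from system-login.
FIRST_TRY = [
    ("required", "pam_securetty.so"), ("requisite", "pam_nologin.so"),  # login
    ("required", "pam_shells.so"), ("requisite", "pam_nologin.so"),     # system-login
    ("sufficient", "pam_fprintd.so"), ("sufficient", "pam_u2f.so"),     # system-auth
    ("[success=2 default=ignore]", "pam_systemd_home.so"),
    ("[success=1 default=bad]", "pam_unix.so"), ("[default=die]", "pam_faillock.so"),
    ("optional", "pam_permit.so"), ("required", "pam_env.so"), ("required", "pam_faillock.so")]
# Final layout from the post: the two sufficient modules also sit in
# system-local-login, ahead of pam_shells.so.  sudo includes system-auth only.
FINAL, SUDO = FIRST_TRY[:2] + FIRST_TRY[4:6] + FIRST_TRY[2:], FIRST_TRY[4:]
# Constructed outcomes: finger recognised, key untouched, pam_shells.so fails
# (assumed, to match what the post observed), no password entered.
SCENARIO = {"pam_fprintd.so": True, "pam_u2f.so": False, "pam_shells.so": False,
            "pam_systemd_home.so": False, "pam_unix.so": False}
def login_first_try(): return run_stack(FIRST_TRY, SCENARIO)  # False
def login_final(): return run_stack(FINAL, SCENARIO)          # True
def sudo_auth(): return run_stack(SUDO, SCENARIO)             # True
```

Running it shows the tty login failing in the first layout and passing in the final one, while sudo passes in both, matching the behaviour described above.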