So now you have used your SoloKey to log in to your Linux machine, but by now you have maybe gotten a bit annoyed about having to both input a password AND have the key inserted and pressed.

Don’t worry! You can also use your SoloKey as the primary source of authentication and only require a password if your key is not available.

The procedure is almost identical to the one you used together with a password. The difference is that when you edit the files in /etc/pam.d/, you add the following line BEFORE the line with @include common-auth instead of after it.

auth sufficient pam_u2f.so

You have to remove the previous line you inserted after the common-auth line if you have previously followed my other guide.

Notice the difference between the new line you inserted and the one you previously inserted? The big difference is the word “sufficient”, which tells PAM that if you do have your SoloKey available, then it will be sufficient authentication for the login. If the SoloKey is not available, then it will fall through to the next line where common-auth (aka password login) takes over.

It can’t get much easier than that, and it even works when you forget your SoloKey. That is also the downside of this setup: it will not strengthen your Linux security but more likely weaken it, as a bad guy can now steal either your SoloKey or your password to log in, and both will get him access!

The setup with only the SoloKey for login is very convenient, especially for sudo, but I would not recommend it if you are very security conscious.
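To check which of the two modes a service file under /etc/pam.d/ is actually in, the following added example (not part of the original guide) classifies the file by the position and control flag of the pam_u2f.so line relative to @include common-auth. The function name classify_u2f, the sample file contents and the use of "required" for the earlier two-factor line are assumptions.

```python
import re

# Matches an auth rule that loads pam_u2f.so; group 1 is the control field.
U2F_RULE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+\S*pam_u2f\.so\b")
INCLUDE_COMMON_AUTH = re.compile(r"^@include\s+common-auth\b")


def classify_u2f(pam_text):
    """Classify how a /etc/pam.d/ service file combines pam_u2f with common-auth."""
    u2f_at = control = common_at = None
    for number, raw in enumerate(pam_text.splitlines()):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = U2F_RULE.match(line)
        if match and u2f_at is None:
            u2f_at, control = number, match.group(1)
        elif INCLUDE_COMMON_AUTH.match(line) and common_at is None:
            common_at = number
    if u2f_at is None:
        return "no-u2f"
    if common_at is None:
        return "unknown"
    if control == "sufficient" and u2f_at < common_at:
        return "key-or-password"   # the setup described on this page
    if control in ("required", "requisite") and u2f_at > common_at:
        return "key-and-password"  # assumed form of the earlier two-factor setup
    return "unknown"               # anything else needs a manual look


# Constructed sample files, not copied from a real system.
SUDO_EITHER = """#%PAM-1.0
auth sufficient pam_u2f.so
@include common-auth
@include common-account
"""
SUDO_BOTH = """#%PAM-1.0
@include common-auth
auth required pam_u2f.so
@include common-account
"""

if __name__ == "__main__":
    for name, text in (("either", SUDO_EITHER), ("both", SUDO_BOTH)):
        print(name, "->", classify_u2f(text))
```

Running it over the real files (for example the contents of /etc/pam.d/sudo) shows at a glance which services accept the key alone.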

PS: Do remember to support the new super-cool SoloKey project called Somu. It is a tiny USB hardware key that almost fits completely into the USB socket of your computer. Pretty brilliant if you ask me. Sign up to support it at Crowd Supply.