Use a YubiKey touch to replace your password for sudo.

Install pam-u2f

sudo pacman -S pam-u2f
mkdir -p ~/.config/Yubico

Register the keys

pamu2fcfg > ~/.config/Yubico/u2f_keys       # primary key
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys   # append backup key

Edit PAM

⚠️ Warning: Keep a root session open in another terminal in case something goes wrong.

sudo nano /etc/pam.d/sudo

Add at the top:

auth sufficient pam_u2f.so cue
  • sufficient → the YubiKey alone is enough to authenticate.
  • Change to required if you want 2FA (YubiKey and password).
  • cue prints a hint when a touch is needed.

Test it

sudo -s
Please touch the FIDO authenticator.
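
A quick way to verify the setup before closing the spare root session. This is an added example, not part of the original guide. The function names and the script name are hypothetical, and the authfile layout in the header comment is the assumed pam-u2f format.

```sh
#!/bin/sh
# Added example (not from the original page): checks for the pam-u2f + sudo setup.
# Assumed authfile layout, one line per user:
#   user:keyhandle,pubkey[,type,options][:keyhandle,pubkey,...]

# Print the number of credentials registered for user $2 in authfile $1.
count_u2f_creds() {
    awk -F: -v u="$2" '
        $1 == u { for (i = 2; i <= NF; i++) if (split($i, p, ",") >= 2) n++
                  exit }
        END { print n + 0 }' "$1"
}

# Print the control flag of pam_u2f.so if it is the first auth entry in
# PAM file $1; fail when another auth module would run before it.
u2f_pam_control() {
    awk '$1 ~ /^-?auth$/ { if ($3 ~ /pam_u2f\.so$/) { print $2; ok = 1 }
                           exit }
         END { exit !ok }' "$1"
}

# Succeed only if $1 is not writable by group or others. With "sufficient",
# whoever can edit the authfile can enroll a key that satisfies sudo.
authfile_private() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Summarize the three checks for user $1, authfile $2 and PAM file $3.
check_u2f_sudo() {
    creds=$(count_u2f_creds "$2" "$1")
    [ "$creds" -ge 2 ] || echo "WARN: $creds credential(s) for $1; no backup key"
    authfile_private "$2" || echo "WARN: $2 is group/world writable"
    if ctl=$(u2f_pam_control "$3"); then
        echo "pam_u2f is first auth entry: control=$ctl, credentials=$creds"
    else
        echo "FAIL: pam_u2f.so is not the first auth entry in $3"; return 1
    fi
}

# Usage: sh check-u2f.sh "$USER" ~/.config/Yubico/u2f_keys /etc/pam.d/sudo
[ "$#" -ne 3 ] || check_u2f_sudo "$1" "$2" "$3"
```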