I followed the official Yubico guide to enable Challenge-Response 2FA on my account, However on a reboot the login prompts for the Yubikey, then asks for my password, and then repeats these 2 prompts with no end. If I switch to a TTY and attempt to login with root, I get an Authentication Failure message after it prompt for both the Yubikey and my password. For now, I just want to find a way to disable 2FA so that I can diagnose and fix the problem in my own time.
My question is, If I boot with a live CD and simply comment out the line in the PAM configuration file, will that be sufficient to allow me to get back into my laptop?
Boot rom a live CD.
Mount your root file system at some place, and bind mount
/dev,/procand/sys. Assuming your root file system is mounted at/mntin the live session, the following commands will do this:Then you have to chroot to your system
Edit your PAM configuration and comment out the relevant line, like you suggested - and after saving the file, run
pam-auth-updateand disable the yubikey module.For my case, if I pulled the Yubikey out, I could get in using regular password login. I then moved the following files to
/etc/pam.disabled:i.e.,
You can then test by plugging in the Yubikey, locking the screen (Super+L or Lock if your keyboard has it), and you should see your happy familiar password prompt instead of the smartcard prompt.
Nit: Just because I install smartcard software doesn't mean I want to login that way. This wasn't happening just a few versions ago. There should be a way to install the PKCS11 drivers without enabling them for PAM challenges.