In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.
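In OpenSSH, this kind of chaining is configured with the `AuthenticationMethods` directive in sshd_config. The following check is an added example, not from the original post: it reports every scope of a configuration where a login could succeed without both a public key and a password. The sample configurations are constructed, and counting `keyboard-interactive` as the password factor is an assumption.

```python
# Added example: audit sshd_config text for chained key + password auth.
# sshd accepts a login when ANY one space-separated list is fully satisfied,
# so every list must contain both factors for the chaining to be enforced.
PASSWORD_LIKE = {"password", "keyboard-interactive"}  # assumption, see lead-in


def method_lists(config_text):
    """Map scope ("global" or Match criteria) to its lists of method names."""
    scopes, scope = {}, "global"
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            scope = " ".join(parts[1:])
        elif keyword == "authenticationmethods" and scope not in scopes:
            # The first value obtained in a scope wins; "method:sub" -> "method".
            scopes[scope] = [
                {m.split(":", 1)[0] for m in lst.split(",")} for lst in parts[1:]
            ]
    return scopes


def is_chained(methods):
    return "publickey" in methods and bool(methods & PASSWORD_LIKE)


def weak_scopes(config_text):
    """Return the scopes where a single factor is enough to log in."""
    scopes = method_lists(config_text)
    weak = [s for s, lists in scopes.items()
            if not lists or not all(is_chained(m) for m in lists)]
    if "global" not in scopes:  # directive absent: any one method suffices
        weak.insert(0, "global")
    return weak


# Constructed sample configurations.
CHAINED = "PasswordAuthentication yes\nAuthenticationMethods publickey,password\n"
WEAK = (
    "AuthenticationMethods publickey,password publickey\n"
    "Match User backup\n"
    "    AuthenticationMethods publickey\n"
)

if __name__ == "__main__":
    print("chained config, weak scopes:", weak_scopes(CHAINED))
    print("weak config, weak scopes:", weak_scopes(WEAK))
```

The parser is deliberately simple: it does not follow `Include` files or evaluate which Match block applies to a given connection, so `sshd -T` remains the authoritative view of the effective settings.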
Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk about pam_u2f setup are indeed correct that it is fairly simple. For completeness' sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.
One of the things that has been bugging me was why, even with having pam_rootok.so set in /etc/pam.d/run_init, I cannot enjoy passwordless service management without using run_init directly:

    # rc-service postgresql-9.2 status
    Authenticating root.
    Password:
    # run_init rc-service postgresql-9.2 status
    Authenticating root.
     * status: started

So I …