I recently bought a new yubikey and found some nice resources that show you how to set it up. The upshot is that once you have set up your yubikey with pam_u2f it can serve as the ONLY source of authentication (some might not like this) without a password being required. For my home machine this is a nice setup, because it prevents 'non local' people from stealing my password, and it is dreadfully convenient.
- Generate a proper pamu2f fido entry
pamu2fcfg -o pam://<yourhostname> -i pam://<yourhostname> > ~/.config/Yubico/u2f_keys
- Add the following lines to the relevant /etc/pam.d files as the FIRST line (be sure to use sufficient until you are sure everything works, or you WILL LOCK yourself out)
auth sufficient pam_u2f.so cue origin=pam://<hostname> appid=pam://<hostname> # for sudo in /etc/pam.d
auth required pam_u2f.so nouserok origin=pam://<hostname> appid=pam://<hostname> # for lightdm or various others
auth sufficient pam_u2f.so origin=pam://<hostname> appid=pam://<hostname> # for system-auth
- You can add this to almost any service (sudo, su, etc.) just by adding the appropriate line to the pam.d service in question. The above gets rid of the Arch annoyance of being prompted every time you install a package. Just press the yubikey and POOF.
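As an added example (not from the original post), here is a POSIX shell script that sanity-checks such a setup before you flip a service from sufficient to required: it confirms that the u2f_keys file has a credential line for the user, that pam_u2f.so is the first auth line of the service, and that origin= and appid= agree with each other and with the -o/-i values passed to pamu2fcfg (a mismatch makes the key silently fail, which with required means lockout). The scratch file paths, the user name alice, and the host name example-host are constructed for the demo, and the credential fields are placeholders rather than real key material.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes u2f_keys lines look
# like "user:keyhandle,pubkey,..." (as pamu2fcfg writes them) and that pam.d
# files use the usual "type control module args" layout.

# Does the u2f_keys file contain a credential line for the given user?
# Returns 0 if a "user:<handle>,<pubkey>..." line exists, 1 otherwise.
check_u2f_keys_file() {
    keys_file="$1"; user="$2"
    [ -r "$keys_file" ] || return 1
    grep -q "^${user}:[^,]*,[^,]*" "$keys_file"
}

# Print the PAM control word ("sufficient", "required", ...) of the first
# auth line that loads pam_u2f.so; print "none" if there is no such line.
pam_u2f_control() {
    ctl=$(awk '$1=="auth" && $3=="pam_u2f.so" {print $2; exit}' "$1")
    [ -n "$ctl" ] && echo "$ctl" || echo "none"
}

# Return 0 when the first auth line of the service uses pam_u2f.so,
# i.e. the key is consulted before any password module.
first_auth_is_u2f() {
    first=$(awk '$1=="auth" {print $3; exit}' "$1")
    [ "$first" = "pam_u2f.so" ]
}

# Return 0 when origin= and appid= on the pam_u2f line both equal the value
# that was given to pamu2fcfg with -o and -i.
pam_u2f_origin_matches() {
    pam_file="$1"; expected="$2"
    line=$(awk '$1=="auth" && $3=="pam_u2f.so" {print; exit}' "$pam_file")
    origin=$(printf '%s\n' "$line" | sed -n 's/.*origin=\([^ ]*\).*/\1/p')
    appid=$(printf '%s\n' "$line" | sed -n 's/.*appid=\([^ ]*\).*/\1/p')
    [ "$origin" = "$expected" ] && [ "$appid" = "$expected" ]
}

# Run all checks for one service; returns 0 when it is safe to keep the line,
# and warns explicitly if a failing check is combined with "required".
audit_service() {
    svc="$1"; keys="$2"; user="$3"; expected="$4"
    ok=0
    check_u2f_keys_file "$keys" "$user" || { echo "$svc: no credential for $user"; ok=1; }
    first_auth_is_u2f "$svc" || { echo "$svc: pam_u2f.so is not the first auth line"; ok=1; }
    pam_u2f_origin_matches "$svc" "$expected" || { echo "$svc: origin/appid mismatch"; ok=1; }
    if [ "$(pam_u2f_control "$svc")" = "required" ] && [ "$ok" -ne 0 ]; then
        echo "$svc: WARNING - 'required' with a failing check WILL lock you out"
    fi
    return "$ok"
}

# Constructed sample files (placeholder credentials, hypothetical host name)
# in a scratch directory so the checks run offline.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/u2f_keys" <<'EOF'
alice:EXAMPLE_KEY_HANDLE,EXAMPLE_PUBLIC_KEY,es256,+presence
EOF
cat > "$DEMO_DIR/sudo" <<'EOF'
auth sufficient pam_u2f.so cue origin=pam://example-host appid=pam://example-host
auth include system-auth
EOF
# Deliberately broken: appid does not match origin (the kind of typo that bites).
cat > "$DEMO_DIR/lightdm" <<'EOF'
auth required pam_u2f.so nouserok origin=pam://example-host appid=pam://other-host
auth include system-auth
EOF

# Walk through both services: sudo passes, lightdm is flagged before it locks anyone out.
audit_service "$DEMO_DIR/sudo" "$DEMO_DIR/u2f_keys" alice pam://example-host && echo "sudo: OK"
audit_service "$DEMO_DIR/lightdm" "$DEMO_DIR/u2f_keys" alice pam://example-host || echo "lightdm: fix before relying on it"
```

Run it as the user whose key you enrolled; point the functions at the real /etc/pam.d/<service> and ~/.config/Yubico/u2f_keys once the constructed sample passes, and keep a root shell open in another terminal while you do.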