
feat: add YubiKey pam_u2f setup

Open TuxLux40 opened this issue 2 months ago • 1 comments

Type of Change

YubiKey PAM Setup Utility

  • Added a new entry for YubiKey PAM Setup to core/tabs/utils/tab_data.toml, enabling selection from the utility tab.
  • Created the script core/tabs/utils/yubikey-pam-setup.sh to automate configuration of PAM files for YubiKey authentication, including interactive target selection, backup of relevant files, deduplication of PAM config entries, secure enrollment, and rollback guidance.

Documentation

  • Updated docs/userguide.md to describe the new YubiKey PAM Setup utility and its purpose.
  • [x] Added new feature
  • [ ] Bug fix
  • [x] Documentation update
  • [ ] Refactoring
  • [ ] Hotfix
  • [ ] Security patch
  • [ ] UI/UX improvement

Description

This pull request adds a new utility for "YubiKey PAM setup", allowing users to configure sudo and other PAM targets to require YubiKey (U2F) touch authentication with password fallback. The main changes include introducing the setup script, updating configuration files to register the new utility, and documenting its usage.

Testing

Tested on Arch (CachyOS to be specific). Sudo and system-auth were tested and are working. Debian and Fedora not yet tested.

Impact

A new YubiKey PAM setup option now appears in Utilities; PAM configs/backups get touched when run.

Issues / other PRs related

system-auth: The script does not yet handle avoiding duplication of lines in the system-auth file correctly like it does for sudo.

Additional Information

Checklist

  • [ ] My code adheres to the coding and style guidelines of the project.
  • [x] I have performed a self-review of my own code.
  • [ ] I have commented my code, particularly in hard-to-understand areas.
  • [x] I have made corresponding changes to the documentation (cargo xtask docgen).
  • [x] My changes generate no errors/warnings/merge conflicts.

TuxLux40, Oct 31 '25 00:10

i'm sorry but there is no way i'm ever approving something like this...

  1. this doesn't adhere to our code style at all
  2. it's clearly all ai
  3. what even are those comments supposed to be
  4. a LOT of unnecessary code, practically unmaintainable

not closing this just in case you want to rewrite it all by hand and make it make sense

Sorry, this was my first PR. I'll work on it.

TuxLux40, Oct 31 '25 18:10

Wow, this is a terrible PR. Some feedback before closing this and future PRs:

  1. First only change 1 thing and make a PR on that. Making a "nuke the world" commit like this would completely screw up all of the project and cause massive issues for everyone (contributors, users, etc.)
  2. Using AI to add over 8,000 lines of code is just terrible. Using AI to remove a few lines and make a concise PR is ok as long as it is testing and doesn't add tech debt or "bloat".
  3. Look at past examples of scripts and follow the structure of those scripts. Do NOT just make an entire new structure and ignore all the current scripts.
  4. You are mixing POSIX and bash compliance in and out of all the scripts. POSIX compliance helps make sure all the scripts run on all shells or at least the most used ones. Bash compliance generally only works with people using bash.

ChrisTitusTech, Dec 02 '25 19:12
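
The deduplication gap noted for system-auth and the POSIX point in the last comment, shown as an added example that is not the PR's script or linutil code: a POSIX sh function that inserts a pam_u2f line only when no active one exists, after taking a backup. The rule text in `U2F_LINE` (`sufficient`, `cue`), the function names and the sample file are assumptions, since the PR's actual lines are not shown on this page.

```shell
#!/bin/sh
# Added example (not the PR's script). POSIX sh only, no bashisms.
# Assumed rule: "sufficient" lets a key touch pass auth and falls through to
# the existing password stack otherwise; "cue" prints a touch prompt.
U2F_LINE='auth sufficient pam_u2f.so cue'

# has_u2f FILE: true if an active (uncommented) pam_u2f auth line exists,
# whatever its spacing, control flag or module options.
has_u2f() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]]+.*pam_u2f\.so' "$1"
}

# ensure_u2f FILE: insert U2F_LINE before the first active auth line.
# Returns 0 = inserted, 1 = already present (file untouched), 2 = error.
ensure_u2f() {
    file=$1
    [ -f "$file" ] || return 2
    if has_u2f "$file"; then
        return 1
    fi
    tmp="$file.tmp.$$"
    # Backup for rollback; the second copy gives the temp file the same
    # owner and mode as the original before it is rewritten.
    cp -p "$file" "$file.bak" && cp -p "$file" "$tmp" || return 2
    awk -v line="$U2F_LINE" '
        !done && /^[ \t]*-?auth[ \t]/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    # rename() is atomic: PAM never sees a half-written file.
    mv -f "$tmp" "$file" || { rm -f "$tmp"; return 2; }
}

# Demo on a constructed copy of a sudo PAM file, never the live /etc/pam.d.
demo=$(mktemp)
printf '%s\n' '#%PAM-1.0' 'auth include system-auth' \
    'account include system-auth' > "$demo"
for run in first second; do
    rc=0; ensure_u2f "$demo" || rc=$?
    echo "$run run: exit $rc, pam_u2f lines: $(grep -c pam_u2f "$demo")"
done
rm -f "$demo" "$demo.bak"
```

Keeping a root shell open while testing a changed PAM file, with the `.bak` copy at hand, is what makes the rollback usable if authentication breaks.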