Setting Up YubiKey 5C for sudo on Fedora Linux

Feb 9, 2026

Want to ditch typing your password every time you run sudo? Here's how to use your YubiKey 5C with Fedora's PAM system for passwordless (or 2FA) sudo authentication using FIDO U2F.

Install Dependencies

sudo dnf install -y pam-u2f pamu2fcfg

Install FIDO U2F packages

Register Your YubiKey

Create the config directory and register your key. Touch the YubiKey when it blinks.

mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys

# Touch the YubiKey to confirm

Generate keys

To register a backup key, append it:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

Register a backup key

Configure PAM

Edit /etc/pam.d/sudo with your preferred setup. Keep a root shell open as a safety net before making changes.

Passwordless sudo (YubiKey replaces password)

Add the auth sufficient pam_u2f.so cue [cue_prompt="Please touch your YubiKey"] line to /etc/pam.d/sudo, above the auth include system-auth line. This way, it will only ask for the YubiKey if it is inserted; otherwise it will default to the next method.

#%PAM-1.0
auth       sufficient   pam_u2f.so cue [cue_prompt="Please touch your YubiKey"]
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

/etc/pam.d/sudo (Prefer YubiKey if present)

The sufficient keyword means a successful YubiKey touch skips the password entirely. If the key isn't present, it falls back to the normal password prompt.

2FA (Password + YubiKey)

This variant enforces both factors: password and YubiKey.

WARNING: you can lock yourself out of the system if you don't know what you are doing here.

#%PAM-1.0
auth       substack     system-auth
auth       required     pam_u2f.so cue [cue_prompt="Please touch your YubiKey"]
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

/etc/pam.d/sudo (Require Password and YubiKey)

Note the change from include to substack — this prevents system-auth from short-circuiting past the YubiKey check. With this setup you'll enter your password first, then touch your key.
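A pre-flight check for the two stacks above, as an added example that is not part of the original post: it counts the credentials registered for a user and flags a "required" pam_u2f.so line that still follows "include system-auth". The function names count_keys and pam_mode are hypothetical, and the sample files are constructed with placeholder credential fields.

```shell
#!/bin/sh
# count_keys FILE USER: number of credentials registered for USER.
# pam_u2f mapping format: user:cred1[:cred2...], each cred "handle,pubkey,type,opts".
count_keys() {
    awk -F: -v u="$2" '$1 == u { n = NF - 1 } END { print n + 0 }' "$1"
}

# pam_mode FILE: classify the auth stack of a sudo PAM file.
#   passwordless  pam_u2f.so is "sufficient" (key alone is enough)
#   2fa           pam_u2f.so is "required" and system-auth is not a plain include before it
#   bypassable    pam_u2f.so is "required" but follows "include system-auth",
#                 so a "sufficient" success inside system-auth can skip the key
#   none          no pam_u2f.so auth line
pam_mode() {
    awk '
        $1 != "auth" { next }
        $3 == "system-auth" && !seen_u2f { how = $2 }
        $3 == "pam_u2f.so" && !seen_u2f { seen_u2f = 1; ctl = $2 }
        END {
            if (!seen_u2f) print "none"
            else if (ctl == "sufficient") print "passwordless"
            else if (ctl == "required" && how == "include") print "bypassable"
            else if (ctl == "required") print "2fa"
            else print "unknown"
        }' "$1"
}

# Constructed sample input (credential fields are placeholders, not real keys).
demo_dir=$(mktemp -d)
printf 'alice:HANDLE1,PUBKEY1,es256,+presence:HANDLE2,PUBKEY2,es256,+presence\n' \
    > "$demo_dir/u2f_keys"
cat > "$demo_dir/sudo" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_u2f.so cue
account    include      system-auth
EOF

echo "keys for alice: $(count_keys "$demo_dir/u2f_keys" alice)"
echo "sudo stack:     $(pam_mode "$demo_dir/sudo")"
```

Point the two functions at ~/.config/Yubico/u2f_keys and /etc/pam.d/sudo before closing the root shell; a key count of 1 means no backup key is registered.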

Test It

Open a new terminal (keep the old one with root access) and run:

sudo echo "YubiKey auth works!"

Your key should blink — tap it to authorize.

Tips

  • Apply the same changes to /etc/pam.d/sudo-i if you use sudo -i.
  • Add pinverification=1 to the pam_u2f.so line if you want to require the YubiKey's FIDO2 PIN before touch.
  • Always have a backup key registered — if you lose your only key with required mode, you're locked out of sudo.

Luiz Costa

I am a senior software engineer at Red Hat / Ansible. I love automation tools, games, and coffee. I am also an active contributor to open-source projects.