The instructions to register a key with the local account were
implicitly requiring challenge-response. Add the YubiCloud method based
instructions and also add an explicit command to configure
challenge-response in slot 2 of a key.
The man page of ykpersonalize uses a confusing format for providing
option flags. After tests although not documented in the man page it is
also possible to use an alternative format using spaces between option
flag and value. Also to note: the negative form of an option flag uses a
'-' symbol right in front of the value.
Also the slot selector -1 or -2 has to be supplied before any option
flag.
The access to the ~/.yubico directory is done using the PAM module, not
sshd directly. PAM sets the context of that directory to auth_home_t
which PAM is allowed to access. No need to set the context to
ssh_home_t.
Apart from that using chcon is a volatile operation and not intended for
persistent changes which was the intent of the note though. The label
would be reset in a system recovery scenario.
Changed the structure and content of the section to reflect more modern
tooling available in recent Fedora Linux distributions.
Simplified overall structure and added challenge-response configuration.
Removed the more complicated authfile option as it is an option for more
advanced use-cases but not necessary for a basic setup. More advanced
users may refer to the pam_yubico man page.
Added a warning about locking yourself out when using required
configuration.
There are a couple of methods to install a certificate into the trust
store: using "trust anchor" or copying the file to
/etc/pki/ca-trust/source/anchors/. The former is simpler and more
flexible as it doesn't require update-ca-trust and the installed
certificates can be removed with "trust anchor --remove".
For more context, see:
https://bugzilla.redhat.com/show_bug.cgi?id=2163554
Signed-off-by: Daiki Ueno <dueno@redhat.com>