Yes, it's possible ( https://www.ha-obsession.net/2017/05/u2f-sudo-fedora-25.html... and some other guides exist ) and I used it for about a year. I stopped using it. I was so annoyed at having to plug in the key every couple of hours that I simply kept the YubiKey plugged in all the time - free to be picked up by anyone and def. not increasing security.
Leave the yubikey plugged in all the time. It's fine with respect to most threat models, provided you lock the graphical session when you are away from the computer.
If someone steals the key, they can't really do anything with it. They can't sudo because the session is locked. They can't use it to log in to your web accounts from other computers because websites ask for a password/pin in addition to touching the yubikey.
PS: you should always have a backup yubikey (or, better, two).
cominous|4 years ago
We still use it for SSH and it's great!
mrb|4 years ago
stingraycharles|4 years ago
https://developers.yubico.com/pam-u2f/
https://developers.yubico.com/yubico-pam/