PAM
mkdir ~/.config/Yubico
pamu2fcfg -u $USER > ~/.config/Yubico/u2f_keys
and press the button on your U2F key when the key is blinking.
Add a line to /etc/pam.d/common-auth:
auth sufficient pam_u2f.so debug cue
or
auth required pam_u2f.so cue (su will no longer work)
LDAP (not tested)
- https://developers.yubico.com/yubiauth/LDAP_Setup.html
https://forum.yubico.com/viewtopic.php?f=5&t=744
I ended up solving the problem by writing my own replacement for saslauthd that does exactly what I need:
OTP+pass bind to LDAP server
call to custom saslauthd
saslauthd splits OTP and password
validates OTP directly
queries LDAP (without binding as the user) for yubikey ID and hashed password
validates yubikey and password
I'm hoping to publish it as open-source, but I need to get an OK from my company first. I'll post a link here if/when it's available.
https://github.com/meddius/yubisaslauthd
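The split-and-check steps described in the forum post above, as an added example (not code from yubisaslauthd or from the post). It assumes a standard 44-character modhex Yubico OTP with a 12-character public ID and an LDAP {SSHA} password hash; the order of OTP and password, the entry field names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

MODHEX = set("cbdefghijklnrtuv")
OTP_LEN = 44        # assumed: standard Yubico OTP length
PUBLIC_ID_LEN = 12  # assumed: default public ID prefix of the OTP

def split_credential(credential, otp_first=False):
    """Split a combined credential into (password, otp, public_id)."""
    if len(credential) <= OTP_LEN:
        raise ValueError("credential too short to hold password and OTP")
    if otp_first:
        otp, password = credential[:OTP_LEN], credential[OTP_LEN:]
    else:
        password, otp = credential[:-OTP_LEN], credential[-OTP_LEN:]
    otp = otp.lower()
    if not set(otp) <= MODHEX:
        raise ValueError("OTP part is not modhex")
    return password, otp, otp[:PUBLIC_ID_LEN]

def ssha_verify(password, stored):
    """Check a password against an LDAP {SSHA} value (salted SHA-1)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

def make_ssha(password, salt):
    """Build a constructed {SSHA} value for the sample directory entry."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_entry(credential, entry, otp_first=False):
    """True if key ID and password match the directory entry.
    The OTP itself must still be validated separately (one-time use)."""
    try:
        password, otp, public_id = split_credential(credential, otp_first)
    except ValueError:
        return False
    id_ok = hmac.compare_digest(public_id, entry["yubikey_id"])
    pw_ok = ssha_verify(password, entry["password_hash"])
    return id_ok and pw_ok

# Constructed sample data: not a real OTP, key ID or account.
SAMPLE_OTP = "cccccccfhcbe" + "lrhcjdkuvigtnbkelirgfhdjrtcvbnjk"
SAMPLE_ENTRY = {"yubikey_id": "cccccccfhcbe",
                "password_hash": make_ssha("s3cret", b"\x01\x02\x03\x04")}
```

Both checks are always evaluated before the result is combined, so a caller cannot tell from the outcome which of the two failed.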