ā ļø
Iām gonna be really irritated about this one, also this is just mostly a stub to remind me to write more about this in the future because this bug is crazy ridiculous
So yeah, apparently you can just straight up break PAM authentication by inserting pam_yubico.so in /etc/pam.d/system-login above the other flows regardless of what options you set. Imagine my surprise when I pulled up TTY, typed in my user name, hit enter, and immediately got a shell despite not even having my yubikey plugged in.