#2575 FAS yubikey integration
Closed: Fixed None Opened 13 years ago by mmcgrath.

FAS now produces a proper yubikey list at:

https://admin.fedoraproject.org/accounts/yubikey/dump

This dump needs to end up in /etc/yubikeyid and be updated regularly. It's password protected by the systems password.


Should /etc/yubikeyid be 0600 or is 0644 okay? Is there a reason to protect the
https://admin.fedoraproject.org/accounts/yubikey/dump url with the systems username/id?

It looks like /etc/yubikeyid only contains "public" info but that seems to contradict how heavily the URL is protected. The present script writes it to the filesystem 0644 but I can change that if needed.

puppet/modules/fas/files/fas-yubikey-sync.py

In theory 0644 is ok. I'm not sure if we even could lock it down more; I'm not actually sure if pam as root reads that file or if, when the user logs in, their user somehow reads it. Those IDs are considered public and are actually converted from UID, which can be found on fedorapeople anyway or via the .ext plugin in fas.

Excellent.

I put the script into a fas::clients::yubikey class. If there's a yubikey clients that includes the pam configuration and such it would probably be good to link them together or reorganize.

Closing, fixed.
