File: [u2f/linux/desktop-login.rst] https://docs.nitrokey.com/u2f/linux/desktop-login.html
The Nitrokey documentation states that nouserok ensures that one can still use a password to log in. However, the documentation for nouserok states:
"Set to enable authentication attempts to succeed even if the user trying to authenticate is not found inside authfile or if authfile is missing/malformed."
Therefore, by using nouserok in combination with sufficient, one can log in without any authentication for users that are not in the authfile, including root. In this case just having sufficient is enough to still be able to authenticate with a password only.
To test this, just switch to a different tty with CTRL + ALT + F2, type "root" as the user, and you'll have a root shell without providing any authentication.
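An added example, not part of the original report and not code from the Nitrokey or pam_u2f projects: a small Python audit that flags auth rules in a PAM service file where pam_u2f.so carries nouserok under a control that ends the stack on success (sufficient, or a bracket control with success=done). The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/ service file (not taken from the report).
SAMPLE = """\
# /etc/pam.d/common-auth (constructed example)
auth sufficient pam_u2f.so nouserok cue
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings
auth required pam_u2f.so nouserok
auth [success=done default=ignore] pam_u2f.so nouserok
-auth sufficient pam_u2f.so \\
     nouserok
auth required pam_unix.so
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse(text):
    """Yield (first_line_no, type, control, module, args) for each PAM rule."""
    logical, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = no
        if raw.rstrip().endswith("\\"):          # rule continues on next line
            logical += raw.rstrip()[:-1] + " "
            continue
        logical += raw
        line, logical = logical.split("#", 1)[0].strip(), ""
        m = RULE.match(line)
        if m:                                    # skips blanks, comments, @include
            yield (start, *m.groups())

def short_circuits(control):
    """True if this control returns success for the whole stack on module success."""
    if control == "sufficient":
        return True
    return control.startswith("[") and bool(re.search(r"\bsuccess=done\b", control))

def audit(text):
    """Return line numbers of auth rules where pam_u2f + nouserok can end the stack."""
    findings = []
    for no, typ, control, module, args in parse(text):
        if typ.lstrip("-") != "auth" or not module.endswith("pam_u2f.so"):
            continue
        if "nouserok" in args.split() and short_circuits(control):
            findings.append(no)
    return findings

if __name__ == "__main__":
    for no in audit(SAMPLE):
        print(f"line {no}: pam_u2f.so with nouserok can succeed without any credential")
```

The rule on line 4 of the sample (required with nouserok) is not flagged, because later modules such as pam_unix.so must still succeed.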