diff --git a/quirks/yubico.sh b/quirks/yubico.sh
new file mode 100755
index 0000000..9187a63
--- /dev/null
+++ b/quirks/yubico.sh
@@ -0,0 +1,15 @@
+#!/bin/bash -ex
+
+#
+# Quirk to enforce login and sudo with a Yubikey
+#
+
+[[ -f "$sysroot"/etc/pam.d/sudo ]] && \
+sed -i -e 's#auth\s*include\s*system-auth#auth required pam_yubico.so mode=challenge-response\nauth include system-auth#g' \
+ "$sysroot"/etc/pam.d/sudo
+
+[[ -f "$sysroot"/etc/pam.d/gdm-password ]] && \
+sed -i -e 's#auth\s*substack\s*password-auth#auth required pam_yubico.so mode=challenge-response\nauth substack password-auth#g' \
+ "$sysroot"/etc/pam.d/gdm-password
+
+:
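Review bot: Both `sed -i` calls return 0 when the pattern matches nothing, so on an image whose `/etc/pam.d/sudo` or `gdm-password` lacks the expected `system-auth` / `password-auth` line the quirk succeeds and the Yubikey requirement is silently missing. A check inside the same `-f` guard, e.g. `grep -q 'pam_yubico\.so' "$sysroot"/etc/pam.d/sudo`, would make that case fail under `-e`. The patterns are also unanchored and use `\s*`, so they match inside a commented-out line and add another `pam_yubico.so` line on every re-run; anchoring as `^auth\s\+include\s\+system-auth` and skipping a file that already names `pam_yubico.so` avoids both. `$sysroot` is never validated and the shebang has no `-u`, so an unset value makes the script edit the build host's own `/etc/pam.d`; `: "${sysroot:?}"` near the top guards against that. Because the module is `required`, it is worth confirming that every account on the image has a challenge-response credential enrolled, otherwise sudo and GDM login fail for that user.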