The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made after open()'ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users.