Yubikey: Difference between revisions

(22 intermediate revisions by 17 users not shown)

Line 1:

This article describes how you can integrate [https://yubico.com Yubico]'s [[Wikipedia:YubiKey|YubiKey]] with NixOS.

== ~~For~~ GPG and SSH ==

== GPG and SSH ==

Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh]:

Line 8:

services.udev.packages = [ pkgs.yubikey-personalization ];

~~# Depending on the details of your configuration, this section might be necessary or not;~~

programs.gnupg.agent = {

~~# feel free to experiment~~

enable = true;

~~environment~~.~~shellInit~~ = ''

enableSSHSupport = true;

~~export GPG_TTY~~=~~"$(tty)"~~

};

~~gpg-connect-agent~~ /~~bye~~

</syntaxHighlight>

~~export SSH_AUTH_SOCK~~=~~"/run/user/$UID/gnupg/S.gpg~~-~~agent.ssh"~~

~~'';~~

== Logging-in ==

~~programs~~ = {

To use your yubikey as a user login or for sudo access you'll have to install a PAM (Pluggable Authentication Module) for your yubikey.

ssh.~~startAgent = false;~~

~~gnupg~~.~~agent = {~~

=== pam_u2f ===

~~enable = true;~~

~~enableSSHSupport = true;~~

The <code>pam_u2f</code> module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.

};

Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/

1. Connect your Yubikey

2. Create an authorization mapping file for your user. The authorization mapping file is like <code>~/.ssh/known_hosts</code> but for Yubikeys.

# <code>nix-shell -p pam_u2f</code>

# <code>mkdir -p ~/.config/Yubico</code>

# <code>pamu2fcfg > ~/.config/Yubico/u2f_keys</code>

# add another yubikey (optional): <code>pamu2fcfg -n >> ~/.config/Yubico/u2f_keys</code>

3. Verify that <code>~/.config/Yubico/u2f_keys</code> contains one line in the following style:

<username>:<KeyHandle1>,<UserKey1>,<CoseType1>,<Options1>:<KeyHandle2>,<UserKey2>,<CoseType2>,<Options2>:...

</syntaxHighlight>

~~If you don't have a graphical user interface, you'll have to adjust~~ the ~~pinentry program (it's the program launched by operating system to ask~~ for ~~YubiKey's PIN):~~

4. Enable the u2f PAM module for login and sudo requests

~~programs~~.~~gnupg~~.~~agent~~.~~pinentryFlavor~~ = ~~"curses"~~;

security.pam.services = {

login.u2fAuth = true;

sudo.u2fAuth = true;

};

</syntaxHighlight>

== ~~Logging~~-in ==

PAM U2F Docs: https://developers.yubico.com/pam-u2f/

5. Verify PAM configuration

See chapter ''Test PAM configuration'' an the end of this page.

=== yubico-pam ===

The <code>yubico-pam</code> module uses a OTP (one time password) challenge response to authenticate users.

Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/

You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix">

services.udev.packages = [ pkgs.yubikey-personalization ];

</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon:

# <code>nix-shell -p yubico-pam -p yubikey-manager</code>

# <code>ykman otp chalresp --touch --generate 2</code>

# <code>ykpamcfg -2 -v</code>

Finally, you can enable challenge-response logins with the following commands:

'''1.)'''

run: <code>nix-shell --command 'ykinfo -s' -p yubikey-personalization</code>

to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>

~~You can enable challenge-response logins with:~~

{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}

'''2.)'''<syntaxHighlight lang=nix>

security.pam.yubico = {

enable = true;

debug = true;

mode = "challenge-response";

};

id = [ "12345678" ];

};

</syntaxHighlight>

~~You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:~~

# <code>~~nix~~-~~shell~~ -~~p yubico-pam -p yubikey-personalization</code>~~

To automatically login, without having to touch the key, omit the <code>--touch</code> option.

~~# <code>ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible</code>~~

~~# <code>ykpamcfg -2 -v~~</code>

Having that, you should be able to use your Yubikey to login and for sudo. You can also set <code>security.pam.yubico.control</code> to "required" in order to have multi-factor authentication.

Line 61:

Line 100:

</syntaxHighlight>

Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent.

Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent. This can be solved by putting the line <code>disable-ccid</code> into <code>~/.gnupg/scdaemon.conf</code>. There is also a [https://nix-community.github.io/home-manager/options.xhtml#opt-programs.gpg.scdaemonSettings Home Manager Option] for that.

== OTP ==

In order to manage OTP keys, you should install the <code>yubioath-~~desktop~~</code> package in your profile.

In order to manage OTP keys, you should install the <code>yubioath-flutter</code> package in your profile.

This application will also require both the udev rules as well as pcscd enabled.

Line 72:

Line 111:

It is best practice to create the keys on a system without network connection to avoid leakages.

This [https://github.com/drduh/YubiKey-Guide guide] explains in depth the steps needed for that.

There is also a [https://github.com/Mic92/dotfiles/blob/~~a41e9c1722f7e81af21741ea75ced9ceff46230e~~/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.

There is also a [https://github.com/Mic92/dotfiles/blob/ed0ac1af816a7ebb7c5d4f040b77fa88e3ec1c79/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.

The image can be created with the [https://github.com/nix-community/nixos-generators nixos-generator tool]

and depending on the image copied onto a usb stick or executed directly using <code>kexec</code>

Line 84:

Line 123:

# Plug in the new YubiKey

# <code>gpg --card-status</code> (optional, to see if key is visibile)

== Test PAM configuration ==

Test user and/or sudo authentication.

Replace <code><username></code> by your users account name.

# <code>nix-shell -p pamtester</code>

# <code>pamtester login <username> authenticate</code>

# <code>pamtester sudo <username> authenticate</code>

If the result is <code>pamtester: successfully authenticated</code> then everything should work as expected.

== Locking the screen when a Yubikey is unplugged ==

This can be achieved with a <code>udev</code> rule, which can be added to your <code>configuration.nix</code>

services.udev.extraRules = ''

ACTION=="remove",\

ENV{ID_BUS}=="usb",\

ENV{ID_MODEL_ID}=="0407",\

ENV{ID_VENDOR_ID}=="1050",\

ENV{ID_VENDOR}=="Yubico",\

RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"

'';

</syntaxHighlight>

This will lock all sessions if any Yubikey matching the rule is unplugged.

If this does not work with your Yubikey take a look at the output of this command when you plug-in/unplug your Yubikey

<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models

== Links ==

* [https://rzetterberg.github.io/yubikey-gpg-nixos.html GPG-keys for SSH authentication on NixOS]

* [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]]

[[Category:Cookbook]]

[[Category:Security]]

[[Category:Hardware]]

@@ Line 1: / Line 1: @@
 This article describes how you can integrate [https://yubico.com Yubico]'s [[Wikipedia:YubiKey|YubiKey]] with NixOS.
-== For GPG and SSH  ==
+== GPG and SSH  ==
 Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh]:
@@ Line 8: / Line 8: @@
 services.udev.packages = [ pkgs.yubikey-personalization ];
-# Depending on the details of your configuration, this section might be necessary or not;
+programs.gnupg.agent = {
-# feel free to experiment
+   enable = true;
-environment.shellInit = ''
+   enableSSHSupport = true;
-   export GPG_TTY="$(tty)"
+};
-   gpg-connect-agent /bye
+</syntaxHighlight>
-  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
-'';
+== Logging-in ==
-programs = {
+To use your yubikey as a user login or for sudo access you'll have to install a PAM (Pluggable Authentication Module) for your yubikey.
-  ssh.startAgent = false;
-  gnupg.agent = {
+=== pam_u2f ===
-    enable = true;
-    enableSSHSupport = true;
+The <code>pam_u2f</code> module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.
-  };
-};
+Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
+. Connect your Yubikey
+. Create an authorization mapping file for your user. The authorization mapping file is like <code>~/.ssh/known_hosts</code> but for Yubikeys.
+# <code>nix-shell -p pam_u2f</code>
+# <code>mkdir -p ~/.config/Yubico</code>
+# <code>pamu2fcfg > ~/.config/Yubico/u2f_keys</code>
+# add another yubikey (optional): <code>pamu2fcfg -n >> ~/.config/Yubico/u2f_keys</code>
+. Verify that <code>~/.config/Yubico/u2f_keys</code> contains one line in the following style:
+<syntaxHighlight>
+<username>:<KeyHandle1>,<UserKey1>,<CoseType1>,<Options1>:<KeyHandle2>,<UserKey2>,<CoseType2>,<Options2>:...
 </syntaxHighlight>
-If you don't have a graphical user interface, you'll have to adjust the pinentry program (it's the program launched by operating system to ask for YubiKey's PIN):
+. Enable the u2f PAM module for login and sudo requests
 <syntaxHighlight lang=nix>
-programs.gnupg.agent.pinentryFlavor = "curses";
+security.pam.services = {
+  login.u2fAuth = true;
+  sudo.u2fAuth = true;
+};
 </syntaxHighlight>
-== Logging-in ==
+PAM U2F Docs: https://developers.yubico.com/pam-u2f/
+. Verify PAM configuration
+See chapter ''Test PAM configuration'' an the end of this page.
+=== yubico-pam ===
+The <code>yubico-pam</code> module uses a OTP (one time password) challenge response to authenticate users.
+Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
+You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix">
+services.udev.packages = [ pkgs.yubikey-personalization ];
+</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
+# <code>nix-shell -p yubico-pam -p yubikey-manager</code>
+# <code>ykman otp chalresp --touch --generate 2</code>
+# <code>ykpamcfg -2 -v</code>
+Finally, you can enable challenge-response logins with the following commands:
+'''1.)'''
+run: <code>nix-shell --command 'ykinfo -s' -p yubikey-personalization</code>
+to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>
-You can enable challenge-response logins with:
+{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}
-<syntaxHighlight lang=nix>
+'''2.)'''<syntaxHighlight lang=nix>
 security.pam.yubico = {
     enable = true;
     debug = true;
     mode = "challenge-response";
- };
+   id = [ "12345678" ];
+};
 </syntaxHighlight>
-You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
-# <code>nix-shell -p yubico-pam -p yubikey-personalization</code>
+To automatically login, without having to touch the key, omit the <code>--touch</code> option.
-# <code>ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible</code>
-# <code>ykpamcfg -2 -v</code>
 Having that, you should be able to use your Yubikey to login and for sudo. You can also set <code>security.pam.yubico.control</code> to "required" in order to have multi-factor authentication.
@@ Line 61: / Line 100: @@
 </syntaxHighlight>
-Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent.
+Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent. This can be solved by putting the line <code>disable-ccid</code> into <code>~/.gnupg/scdaemon.conf</code>. There is also a [https://nix-community.github.io/home-manager/options.xhtml#opt-programs.gpg.scdaemonSettings Home Manager Option] for that.
 == OTP ==
-In order to manage OTP keys, you should install the <code>yubioath-desktop</code> package in your profile.
+In order to manage OTP keys, you should install the <code>yubioath-flutter</code> package in your profile.
 This application will also require both the udev rules as well as pcscd enabled.
@@ Line 72: / Line 111: @@
 It is best practice to create the keys on a system without network connection to avoid leakages.
 This [https://github.com/drduh/YubiKey-Guide guide] explains in depth the steps needed for that.
-There is also a [https://github.com/Mic92/dotfiles/blob/a41e9c1722f7e81af21741ea75ced9ceff46230e/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.
+There is also a [https://github.com/Mic92/dotfiles/blob/ed0ac1af816a7ebb7c5d4f040b77fa88e3ec1c79/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.
 The image can be created with the [https://github.com/nix-community/nixos-generators nixos-generator tool]
 and depending on the image copied onto a usb stick or executed directly using <code>kexec</code>
@@ Line 84: / Line 123: @@
 # Plug in the new YubiKey
 # <code>gpg --card-status</code> (optional, to see if key is visibile)
+== Test PAM configuration ==
+Test user and/or sudo authentication.
+Replace <code><username></code> by your users account name.
+# <code>nix-shell -p pamtester</code>
+# <code>pamtester login <username> authenticate</code>
+# <code>pamtester sudo <username> authenticate</code>
+If the result is <code>pamtester: successfully authenticated</code> then everything should work as expected.
+== Locking the screen when a Yubikey is unplugged ==
+This can be achieved with a <code>udev</code> rule, which can be added to your <code>configuration.nix</code>
+<syntaxHighlight lang=nix>
+services.udev.extraRules = ''
+      ACTION=="remove",\
+       ENV{ID_BUS}=="usb",\
+       ENV{ID_MODEL_ID}=="0407",\
+       ENV{ID_VENDOR_ID}=="1050",\
+       ENV{ID_VENDOR}=="Yubico",\
+       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+  '';
+</syntaxHighlight>
+This will lock all sessions if any Yubikey matching the rule is unplugged.
+If this does not work with your Yubikey take a look at the output of this command when you plug-in/unplug your Yubikey
+<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models
 == Links ==
+* [https://rzetterberg.github.io/yubikey-gpg-nixos.html GPG-keys for SSH authentication on NixOS]
 * [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]]
+[[Category:Cookbook]]
+[[Category:Security]]
+[[Category:Hardware]]