Yubikey: Difference between revisions
→Logging-in: Added option for exclusive Yubikey login/sudo |
|||
| (One intermediate revision by one other user not shown) | |||
| Line 55: | Line 55: | ||
See chapter ''Test PAM configuration'' an the end of this page. | See chapter ''Test PAM configuration'' an the end of this page. | ||
6. (optional) Only allow Yubikey for login and sudo authentication | |||
If you don't want to be able to use your password to login to your user account or access sudo, you can modify the pam service as follows. | |||
{{Warning|Be careful, losing your Yubikey will make it impossible to sign in with this configuration.}}<syntaxhighlight lang="nixos"> | |||
security.pam.services = { | |||
login = { | |||
u2fAuth = true; | |||
unixAuth = false; | |||
}; | |||
sudo = { | |||
u2fAuth = true; | |||
unixAuth = false; | |||
}; | |||
}; | |||
</syntaxhighlight> | |||
=== yubico-pam === | === yubico-pam === | ||
| Line 62: | Line 79: | ||
Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/ | Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/ | ||
You can enable challenge-response logins with the following commands: | You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix"> | ||
services.udev.packages = [ pkgs.yubikey-personalization ]; | |||
</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon: | |||
# <code>nix-shell -p yubico-pam -p yubikey-manager</code> | |||
# <code>ykman otp chalresp --touch --generate 2</code> | |||
# <code>ykpamcfg -2 -v</code> | |||
Finally, you can enable challenge-response logins with the following commands: | |||
'''1.)''' | '''1.)''' | ||
| Line 78: | Line 101: | ||
}; | }; | ||
</syntaxHighlight> | </syntaxHighlight> | ||