Yubikey: Difference between revisions

(10 intermediate revisions by 7 users not shown)

Line 20:

=== pam_u2f ===

The `pam_u2f` module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.

The <code>pam_u2f</code> module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.

Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/

Line 26:

1. Connect your Yubikey

2. Create an authorization mapping file for your user. The authorization mapping file is like `~/.ssh/known_hosts` but for Yubikeys.

2. Create an authorization mapping file for your user. The authorization mapping file is like <code>~/.ssh/known_hosts</code> but for Yubikeys.

# <code>nix-shell -p pam_u2f</code>

Line 34:

3. Verify that `~/.config/Yubico/u2f_keys` contains one line in the following style:

3. Verify that <code>~/.config/Yubico/u2f_keys</code> contains one line in the following style:

Line 55:

See chapter ''Test PAM configuration'' an the end of this page.

6. (optional) Only allow Yubikey for login and sudo authentication

If you don't want to be able to use your password to login to your user account or access sudo, you can modify the pam service as follows.

{{Warning|Be careful, losing your Yubikey will make it impossible to sign in with this configuration.}}<syntaxhighlight lang="nixos">

security.pam.services = {

login = {

u2fAuth = true;

unixAuth = false;

};

sudo = {

u2fAuth = true;

unixAuth = false;

};

</syntaxhighlight>

=== yubico-pam ===

The `yubico-pam` module uses a OTP (one time password) challenge response to authenticate users.

The <code>yubico-pam</code> module uses a OTP (one time password) challenge response to authenticate users.

Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/

You can enable challenge-response logins with the following commands:

You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix">

services.udev.packages = [ pkgs.yubikey-personalization ];

</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon:

# <code>nix-shell -p yubico-pam -p yubikey-manager</code>

# <code>ykman otp chalresp --touch --generate 2</code>

# <code>ykpamcfg -2 -v</code>

Finally, you can enable challenge-response logins with the following commands:

'''1.)'''

Line 68:

Line 91:

to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>

~~'''WARNING, ignoring~~ step 1 is considered insecure, any user could just plugin a yubikey and gain root access!~~'''~~

{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}

'''2.)'''<syntaxHighlight lang=nix>

Line 78:

Line 101:

};

</syntaxHighlight>

~~You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:~~

~~# <code>nix-shell -p yubico-pam -p yubikey-manager</code>~~

~~# <code>ykman otp chalresp --touch --generate 2</code>~~

~~# <code>ykpamcfg -2 -v</code>~~

Line 100:

Line 117:

</syntaxHighlight>

Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent.

Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent. This can be solved by putting the line <code>disable-ccid</code> into <code>~/.gnupg/scdaemon.conf</code>. There is also a [https://nix-community.github.io/home-manager/options.xhtml#opt-programs.gpg.scdaemonSettings Home Manager Option] for that.

== OTP ==

In order to manage OTP keys, you should install the <code>yubioath-~~desktop~~</code> package in your profile.

In order to manage OTP keys, you should install the <code>yubioath-flutter</code> package in your profile.

This application will also require both the udev rules as well as pcscd enabled.

Line 111:

Line 128:

It is best practice to create the keys on a system without network connection to avoid leakages.

This [https://github.com/drduh/YubiKey-Guide guide] explains in depth the steps needed for that.

There is also a [https://github.com/Mic92/dotfiles/blob/~~a41e9c1722f7e81af21741ea75ced9ceff46230e~~/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.

There is also a [https://github.com/Mic92/dotfiles/blob/ed0ac1af816a7ebb7c5d4f040b77fa88e3ec1c79/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.

The image can be created with the [https://github.com/nix-community/nixos-generators nixos-generator tool]

and depending on the image copied onto a usb stick or executed directly using <code>kexec</code>

Line 136:

Line 153:

If the result is <code>pamtester: successfully authenticated</code> then everything should work as expected.

== Locking the screen when a Yubikey is unplugged ==

This can be achieved with a <code>udev</code> rule, which can be added to your <code>configuration.nix</code>

services.udev.extraRules = ''

ACTION=="remove",\

ENV{ID_BUS}=="usb",\

ENV{ID_MODEL_ID}=="0407",\

ENV{ID_VENDOR_ID}=="1050",\

ENV{ID_VENDOR}=="Yubico",\

RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"

'';

</syntaxHighlight>

This will lock all sessions if any Yubikey matching the rule is unplugged.

If this does not work with your Yubikey take a look at the output of this command when you plug-in/unplug your Yubikey

<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models

== Links ==

Line 141:

Line 177:

* [https://rzetterberg.github.io/yubikey-gpg-nixos.html GPG-keys for SSH authentication on NixOS]

* [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]]

[[Category:Cookbook]]

[[Category:Security]]

[[Category:Hardware]]

@@ Line 20: / Line 20: @@
 === pam_u2f ===
-The `pam_u2f` module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.
+The <code>pam_u2f</code> module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.
 Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
@@ Line 26: / Line 26: @@
 . Connect your Yubikey
-. Create an authorization mapping file for your user. The authorization mapping file is like `~/.ssh/known_hosts` but for Yubikeys.
+. Create an authorization mapping file for your user. The authorization mapping file is like <code>~/.ssh/known_hosts</code> but for Yubikeys.
 # <code>nix-shell -p pam_u2f</code>
@@ Line 34: / Line 34: @@
-. Verify that `~/.config/Yubico/u2f_keys` contains one line in the following style:
+. Verify that <code>~/.config/Yubico/u2f_keys</code> contains one line in the following style:
 <syntaxHighlight>
@@ Line 55: / Line 55: @@
 See chapter ''Test PAM configuration'' an the end of this page.
+. (optional) Only allow Yubikey for login and sudo authentication
+If you don't want to be able to use your password to login to your user account or access sudo, you can modify the pam service as follows.
+{{Warning|Be careful, losing your Yubikey will make it impossible to sign in with this configuration.}}<syntaxhighlight lang="nixos">
+  security.pam.services = {
+    login = {
+      u2fAuth = true;
+      unixAuth = false;
+    };
+    sudo = {
+      u2fAuth = true;
+      unixAuth = false;
+    };
+  };
+</syntaxhighlight>
 === yubico-pam ===
-The `yubico-pam` module uses a OTP (one time password) challenge response to authenticate users.
+The <code>yubico-pam</code> module uses a OTP (one time password) challenge response to authenticate users.
 Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
-You can enable challenge-response logins with the following commands:
+You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix">
+services.udev.packages = [ pkgs.yubikey-personalization ];
+</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
+# <code>nix-shell -p yubico-pam -p yubikey-manager</code>
+# <code>ykman otp chalresp --touch --generate 2</code>
+# <code>ykpamcfg -2 -v</code>
+Finally, you can enable challenge-response logins with the following commands:
 '''1.)'''
@@ Line 68: / Line 91: @@
 to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>
-'''WARNING, ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!'''
+{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}
 '''2.)'''<syntaxHighlight lang=nix>
@@ Line 78: / Line 101: @@
 };
 </syntaxHighlight>
-You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
-# <code>nix-shell -p yubico-pam -p yubikey-manager</code>
-# <code>ykman otp chalresp --touch --generate 2</code>
-# <code>ykpamcfg -2 -v</code>
@@ Line 100: / Line 117: @@
 </syntaxHighlight>
-Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent.
+Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent. This can be solved by putting the line <code>disable-ccid</code> into <code>~/.gnupg/scdaemon.conf</code>. There is also a [https://nix-community.github.io/home-manager/options.xhtml#opt-programs.gpg.scdaemonSettings Home Manager Option] for that.
 == OTP ==
-In order to manage OTP keys, you should install the <code>yubioath-desktop</code> package in your profile.
+In order to manage OTP keys, you should install the <code>yubioath-flutter</code> package in your profile.
 This application will also require both the udev rules as well as pcscd enabled.
@@ Line 111: / Line 128: @@
 It is best practice to create the keys on a system without network connection to avoid leakages.
 This [https://github.com/drduh/YubiKey-Guide guide] explains in depth the steps needed for that.
-There is also a [https://github.com/Mic92/dotfiles/blob/a41e9c1722f7e81af21741ea75ced9ceff46230e/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.
+There is also a [https://github.com/Mic92/dotfiles/blob/ed0ac1af816a7ebb7c5d4f040b77fa88e3ec1c79/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.
 The image can be created with the [https://github.com/nix-community/nixos-generators nixos-generator tool]
 and depending on the image copied onto a usb stick or executed directly using <code>kexec</code>
@@ Line 136: / Line 153: @@
 If the result is <code>pamtester: successfully authenticated</code> then everything should work as expected.
+== Locking the screen when a Yubikey is unplugged ==
+This can be achieved with a <code>udev</code> rule, which can be added to your <code>configuration.nix</code>
+<syntaxHighlight lang=nix>
+services.udev.extraRules = ''
+      ACTION=="remove",\
+       ENV{ID_BUS}=="usb",\
+       ENV{ID_MODEL_ID}=="0407",\
+       ENV{ID_VENDOR_ID}=="1050",\
+       ENV{ID_VENDOR}=="Yubico",\
+       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+  '';
+</syntaxHighlight>
+This will lock all sessions if any Yubikey matching the rule is unplugged.
+If this does not work with your Yubikey take a look at the output of this command when you plug-in/unplug your Yubikey
+<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models
 == Links ==
@@ Line 141: / Line 177: @@
 * [https://rzetterberg.github.io/yubikey-gpg-nixos.html GPG-keys for SSH authentication on NixOS]
 * [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]]
+[[Category:Cookbook]]
+[[Category:Security]]
+[[Category:Hardware]]