NixOS Wiki

Yubikey: Difference between revisions

← Older edit
VisualWikitext
m Improved formatting
Mmkaram (talk | contribs)
13 edits
Logging-in: Added option for exclusive Yubikey login/sudo
 
(2 intermediate revisions by 2 users not shown)
Line 55: Line 55:


See chapter ''Test PAM configuration'' an the end of this page.
See chapter ''Test PAM configuration'' an the end of this page.
6. (optional) Only allow Yubikey for login and sudo authentication
If you don't want to be able to use your password to login to your user account or access sudo, you can modify the pam service as follows.
{{Warning|Be careful, losing your Yubikey will make it impossible to sign in with this configuration.}}<syntaxhighlight lang="nixos">
  security.pam.services = {
    login = {
      u2fAuth = true;
      unixAuth = false;
    };
    sudo = {
      u2fAuth = true;
      unixAuth = false;
    };
  };
</syntaxhighlight>


=== yubico-pam ===
=== yubico-pam ===
Line 62: Line 79:
Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/


You can enable challenge-response logins with the following commands:
You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix">
services.udev.packages = [ pkgs.yubikey-personalization ];
</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
# <code>nix-shell -p yubico-pam -p yubikey-manager</code>
# <code>ykman otp chalresp --touch --generate 2</code>
# <code>ykpamcfg -2 -v</code>
Finally, you can enable challenge-response logins with the following commands:


'''1.)'''
'''1.)'''
Line 68: Line 91:
to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>
to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>


{{warning|1 Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}
{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}


'''2.)'''<syntaxHighlight lang=nix>
'''2.)'''<syntaxHighlight lang=nix>
Line 78: Line 101:
};
};
</syntaxHighlight>
</syntaxHighlight>
You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
# <code>nix-shell -p yubico-pam -p yubikey-manager</code>
# <code>ykman otp chalresp --touch --generate 2</code>
# <code>ykpamcfg -2 -v</code>




Retrieved from "https://wiki.nixos.org/wiki/Yubikey"