Yubikey: Difference between revisions

(3 intermediate revisions by 3 users not shown)

Line 55:

See chapter ''Test PAM configuration'' an the end of this page.

6. (optional) Only allow Yubikey for login and sudo authentication

If you don't want to be able to use your password to login to your user account or access sudo, you can modify the pam service as follows.

{{Warning|Be careful, losing your Yubikey will make it impossible to sign in with this configuration.}}<syntaxhighlight lang="nixos">

security.pam.services = {

login = {

u2fAuth = true;

unixAuth = false;

};

sudo = {

u2fAuth = true;

unixAuth = false;

};

</syntaxhighlight>

=== yubico-pam ===

Line 62:

Line 79:

Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/

You can enable challenge-response logins with the following commands:

You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix">

services.udev.packages = [ pkgs.yubikey-personalization ];

</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon:

# <code>nix-shell -p yubico-pam -p yubikey-manager</code>

# <code>ykman otp chalresp --touch --generate 2</code>

# <code>ykpamcfg -2 -v</code>

Finally, you can enable challenge-response logins with the following commands:

'''1.)'''

Line 68:

Line 91:

to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>

{{warning|1 Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}

{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}

'''2.)'''<syntaxHighlight lang=nix>

Line 78:

Line 101:

};

</syntaxHighlight>

~~You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:~~

~~# <code>nix-shell -p yubico-pam -p yubikey-manager</code>~~

~~# <code>ykman otp chalresp --touch --generate 2</code>~~

~~# <code>ykpamcfg -2 -v</code>~~

Line 154:

Line 171:

If this does not work with your Yubikey take a look at the output of this command when you plug-in/unplug your Yubikey

<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models

<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models. The Yubikey Security series <code>ID_MODEL_ID</code> is <code>0402</code>.

== Links ==

@@ Line 55: / Line 55: @@
 See chapter ''Test PAM configuration'' an the end of this page.
+. (optional) Only allow Yubikey for login and sudo authentication
+If you don't want to be able to use your password to login to your user account or access sudo, you can modify the pam service as follows.
+{{Warning|Be careful, losing your Yubikey will make it impossible to sign in with this configuration.}}<syntaxhighlight lang="nixos">
+  security.pam.services = {
+    login = {
+      u2fAuth = true;
+      unixAuth = false;
+    };
+    sudo = {
+      u2fAuth = true;
+      unixAuth = false;
+    };
+  };
+</syntaxhighlight>
 === yubico-pam ===
@@ Line 62: / Line 79: @@
 Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
-You can enable challenge-response logins with the following commands:
+You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix">
+services.udev.packages = [ pkgs.yubikey-personalization ];
+</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
+# <code>nix-shell -p yubico-pam -p yubikey-manager</code>
+# <code>ykman otp chalresp --touch --generate 2</code>
+# <code>ykpamcfg -2 -v</code>
+Finally, you can enable challenge-response logins with the following commands:
 '''1.)'''
@@ Line 68: / Line 91: @@
 to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>
-{{warning|1 Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}
+{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}
 '''2.)'''<syntaxHighlight lang=nix>
@@ Line 78: / Line 101: @@
 };
 </syntaxHighlight>
-You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
-# <code>nix-shell -p yubico-pam -p yubikey-manager</code>
-# <code>ykman otp chalresp --touch --generate 2</code>
-# <code>ykpamcfg -2 -v</code>
@@ Line 154: / Line 171: @@
 If this does not work with your Yubikey take a look at the output of this command when you plug-in/unplug your Yubikey
-<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models
+<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models. The Yubikey Security series <code>ID_MODEL_ID</code> is <code>0402</code>.
 == Links ==