Yubikey: Difference between revisions
imported>Anoadragon453 m Add link to helpful blog with info on setting up GPG keys on a Yubikey for SSH authentication |
No edit summary |
||
| (12 intermediate revisions by 9 users not shown) | |||
| Line 20: | Line 20: | ||
=== pam_u2f === | === pam_u2f === | ||
The | The <code>pam_u2f</code> module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login. | ||
Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/ | Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/ | ||
| Line 26: | Line 26: | ||
1. Connect your Yubikey | 1. Connect your Yubikey | ||
2. Create an authorization mapping file for your user. The authorization mapping file is like | 2. Create an authorization mapping file for your user. The authorization mapping file is like <code>~/.ssh/known_hosts</code> but for Yubikeys. | ||
# <code>nix-shell -p pam_u2f</code> | # <code>nix-shell -p pam_u2f</code> | ||
# <code>mkdir -p ~/.config/Yubico</code> | # <code>mkdir -p ~/.config/Yubico</code> | ||
# <code>pamu2fcfg > ~/.config/Yubico/u2f_keys</code> | # <code>pamu2fcfg > ~/.config/Yubico/u2f_keys</code> | ||
# add another yubikey (optional): <code>pamu2fcfg -n >> ~/.config/Yubico/u2f_keys</code> | |||
3. Verify that | |||
3. Verify that <code>~/.config/Yubico/u2f_keys</code> contains one line in the following style: | |||
<syntaxHighlight> | <syntaxHighlight> | ||
| Line 48: | Line 50: | ||
PAM U2F Docs: https://developers.yubico.com/pam-u2f/ | PAM U2F Docs: https://developers.yubico.com/pam-u2f/ | ||
5. Verify PAM configuration | |||
See chapter ''Test PAM configuration'' an the end of this page. | |||
=== yubico-pam === | === yubico-pam === | ||
The | The <code>yubico-pam</code> module uses a OTP (one time password) challenge response to authenticate users. | ||
Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/ | Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/ | ||
You can enable challenge-response logins with: | You'll first need to install the necessary udev packages to your NixOS configuration:<syntaxhighlight lang="nix"> | ||
services.udev.packages = [ pkgs.yubikey-personalization ]; | |||
</syntaxhighlight>You can program the Yubikey for challenge-response on slot 2 and setup the current user for logon: | |||
# <code>nix-shell -p yubico-pam -p yubikey-manager</code> | |||
# <code>ykman otp chalresp --touch --generate 2</code> | |||
# <code>ykpamcfg -2 -v</code> | |||
Finally, you can enable challenge-response logins with the following commands: | |||
'''1.)''' | |||
run: <code>nix-shell --command 'ykinfo -s' -p yubikey-personalization</code> | |||
to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code> | |||
{{warning|1=Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}} | |||
<syntaxHighlight lang=nix> | '''2.)'''<syntaxHighlight lang=nix> | ||
security.pam.yubico = { | security.pam.yubico = { | ||
enable = true; | enable = true; | ||
debug = true; | debug = true; | ||
mode = "challenge-response"; | mode = "challenge-response"; | ||
id = [ "12345678" ]; | |||
}; | }; | ||
</syntaxHighlight> | </syntaxHighlight> | ||
| Line 86: | Line 100: | ||
</syntaxHighlight> | </syntaxHighlight> | ||
Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent. | Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent. This can be solved by putting the line <code>disable-ccid</code> into <code>~/.gnupg/scdaemon.conf</code>. There is also a [https://nix-community.github.io/home-manager/options.xhtml#opt-programs.gpg.scdaemonSettings Home Manager Option] for that. | ||
== OTP == | == OTP == | ||
In order to manage OTP keys, you should install the <code>yubioath- | In order to manage OTP keys, you should install the <code>yubioath-flutter</code> package in your profile. | ||
This application will also require both the udev rules as well as pcscd enabled. | This application will also require both the udev rules as well as pcscd enabled. | ||
| Line 97: | Line 111: | ||
It is best practice to create the keys on a system without network connection to avoid leakages. | It is best practice to create the keys on a system without network connection to avoid leakages. | ||
This [https://github.com/drduh/YubiKey-Guide guide] explains in depth the steps needed for that. | This [https://github.com/drduh/YubiKey-Guide guide] explains in depth the steps needed for that. | ||
There is also a [https://github.com/Mic92/dotfiles/blob/ | There is also a [https://github.com/Mic92/dotfiles/blob/ed0ac1af816a7ebb7c5d4f040b77fa88e3ec1c79/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed. | ||
The image can be created with the [https://github.com/nix-community/nixos-generators nixos-generator tool] | The image can be created with the [https://github.com/nix-community/nixos-generators nixos-generator tool] | ||
and depending on the image copied onto a usb stick or executed directly using <code>kexec</code> | and depending on the image copied onto a usb stick or executed directly using <code>kexec</code> | ||
| Line 109: | Line 123: | ||
# Plug in the new YubiKey | # Plug in the new YubiKey | ||
# <code>gpg --card-status</code> (optional, to see if key is visibile) | # <code>gpg --card-status</code> (optional, to see if key is visibile) | ||
== Test PAM configuration == | |||
Test user and/or sudo authentication. | |||
Replace <code><username></code> by your users account name. | |||
# <code>nix-shell -p pamtester</code> | |||
# <code>pamtester login <username> authenticate</code> | |||
# <code>pamtester sudo <username> authenticate</code> | |||
If the result is <code>pamtester: successfully authenticated</code> then everything should work as expected. | |||
== Locking the screen when a Yubikey is unplugged == | |||
This can be achieved with a <code>udev</code> rule, which can be added to your <code>configuration.nix</code> | |||
<syntaxHighlight lang=nix> | |||
services.udev.extraRules = '' | |||
ACTION=="remove",\ | |||
ENV{ID_BUS}=="usb",\ | |||
ENV{ID_MODEL_ID}=="0407",\ | |||
ENV{ID_VENDOR_ID}=="1050",\ | |||
ENV{ID_VENDOR}=="Yubico",\ | |||
RUN+="${pkgs.systemd}/bin/loginctl lock-sessions" | |||
''; | |||
</syntaxHighlight> | |||
This will lock all sessions if any Yubikey matching the rule is unplugged. | |||
If this does not work with your Yubikey take a look at the output of this command when you plug-in/unplug your Yubikey | |||
<code>udevadm monitor --udev --environment</code> and adjust the rule accordingly. This rule should work with most Yubikey 5 series models | |||
== Links == | == Links == | ||
| Line 114: | Line 160: | ||
* [https://rzetterberg.github.io/yubikey-gpg-nixos.html GPG-keys for SSH authentication on NixOS] | * [https://rzetterberg.github.io/yubikey-gpg-nixos.html GPG-keys for SSH authentication on NixOS] | ||
* [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]] | * [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]] | ||
[[Category:Cookbook]] | |||
[[Category:Security]] | |||
[[Category:Hardware]] | |||