Yubikey: Difference between revisions

From NixOS Wiki
imported>Aaronduino
provide a full code sample for yubikey+ssh
imported>Aaronduino
m fix link syntax
Line 16: Line 16:
This application will also both the udev rules as well as pcscd enabled.
This application will also both the udev rules as well as pcscd enabled.


Based on [a guide](https://github.com/drduh/YubiKey-Guide) by [@drduh](https://github.com/drduh), the following should be sufficient for a yubikey usable for ssh:
Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh], the following should be sufficient for a yubikey usable for ssh:


<syntaxHighlight lang=nix>
<syntaxHighlight lang=nix>

Revision as of 23:43, 12 March 2019

This article describes how Yubico's YubiKey works and how you can use it.

To access the yubikey as user add the following udev rules to your configuration.nix:

 services.udev.packages = [ pkgs.yubikey-personalization ];

To use the smart card mode (CCID) of Yubikey, you will also need the PCSC-Lite daemon:

services.pcscd.enable = true;

In order to manage OTP keys you can install the yubioath-desktop package in your profile. This application will also both the udev rules as well as pcscd enabled.

Based on a guide by @drduh, the following should be sufficient for a yubikey usable for ssh:

services.pcscd.enable = true;
services.udev.packages = [ pkgs.yubikey-personalization ];


environment.shellInit = ''
  export GPG_TTY="$(tty)"
  gpg-connect-agent /bye
  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';

programs = {
  ssh.startAgent = false;
  gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
};

Offline key generation

It is best practice to create the keys on a system without network connection to avoid leakages. This guide explains in depth the steps needed for that. There is also a nix expression that creates a nixos live image with all necessary dependencies pre-installed. The image can be created with the nixos-generator tool and depending on the image copied onto a usb stick or executed directly using kexec