Yubikey: Difference between revisions

From NixOS Wiki
imported>Flokli
remove udev rules for u2f stuff, handled by udev natively.
imported>Patryk27
No edit summary
Revision as of 11:08, 23 January 2021

This article describes how you can integrate Yubico's YubiKey with NixOS.

== For GPG and SSH ==

Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh]:

<syntaxHighlight lang=nix>
services.udev.packages = [ pkgs.yubikey-personalization ];

# Depending on the details of your configuration, this section might be necessary or not;
# feel free to experiment
environment.shellInit = ''
  export GPG_TTY="$(tty)"
  gpg-connect-agent /bye
  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';

programs = {
  ssh.startAgent = false;
  gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
};
</syntaxHighlight>

If you don't have a graphical user interface, you'll have to adjust the pinentry program (the program launched by the operating system to ask for the YubiKey's PIN):

<syntaxHighlight lang=nix>
programs.gnupg.agent.pinentryFlavor = "curses";
</syntaxHighlight>

== Logging-in ==

You can enable challenge-response logins with:

<syntaxHighlight lang=nix>
security.pam.yubico = {
  enable = true;
  debug = true;
  mode = "challenge-response";
};
</syntaxHighlight>

You'll also need to program the Yubikey for challenge-response on slot 2 and set up the current user for login:

# <code>nix-shell -p yubico-pam -p yubikey-personalization</code>
# <code>ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible</code>
# <code>ykpamcfg -2 -v</code>

With that in place, you should be able to use your Yubikey to log in and for sudo. You can also set <code>security.pam.yubico.control</code> to <code>"required"</code> in order to have multi-factor authentication.

See also: https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html.
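To make clear what the <code>ykpersonalize</code>/<code>ykpamcfg</code> steps above set up, here is a constructed model of the HMAC-SHA1 challenge-response exchange between the host and slot 2. This is an added illustration, not yubico-pam's or Yubico's own code: the slot secret, the challenge length of 63 bytes (consistent with <code>-ohmac-lt64</code>) and the in-memory challenge store standing in for the per-user state that <code>ykpamcfg</code> writes are all assumptions. It shows why the host keeps and rotates a challenge rather than a static secret: a response recorded during one login is useless for the next.

```python
import hashlib
import hmac
import secrets


class SimulatedYubiKeySlot:
    """Stands in for slot 2 programmed with -ochal-resp -ochal-hmac.

    The 20-byte secret never leaves the object; the host only ever sees
    HMAC-SHA1(secret, challenge). Constructed for illustration.
    """

    def __init__(self, secret: bytes):
        if len(secret) != 20:
            raise ValueError("an HMAC-SHA1 slot secret is 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # hmac-lt64: challenges are at most 63 bytes long
        if not 1 <= len(challenge) <= 63:
            raise ValueError("challenge must be 1..63 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class ChallengeStore:
    """Per-user state kept on the host: the current challenge and the
    response the key is expected to give for it (what ykpamcfg seeds)."""

    def __init__(self, challenge: bytes, expected: bytes):
        self.challenge = challenge
        self.expected = expected


CHALLENGE_LEN = 63  # assumption; any length below 64 fits hmac-lt64


def enroll(key) -> ChallengeStore:
    """ykpamcfg step: query the key once and remember challenge + response."""
    challenge = secrets.token_bytes(CHALLENGE_LEN)
    return ChallengeStore(challenge, key.respond(challenge))


def authenticate(store: ChallengeStore, key) -> bool:
    """PAM step: send the stored challenge, compare in constant time,
    and on success rotate to a fresh challenge so the old response
    cannot be replayed."""
    response = key.respond(store.challenge)
    if not hmac.compare_digest(response, store.expected):
        return False  # store untouched: a failed attempt must not rotate
    new_challenge = secrets.token_bytes(CHALLENGE_LEN)
    store.challenge = new_challenge
    store.expected = key.respond(new_challenge)
    return True


class RecordedResponse:
    """Models a host that only holds a previously observed response
    and no key; used to show that rotation defeats replay."""

    def __init__(self, captured: bytes):
        self._captured = captured

    def respond(self, challenge: bytes) -> bytes:
        return self._captured


def replay_is_rejected(key) -> bool:
    """Returns True if a response captured during one successful login
    is rejected at the next login."""
    store = enroll(key)
    captured = key.respond(store.challenge)
    assert authenticate(store, key)  # legitimate login rotates the challenge
    return not authenticate(store, RecordedResponse(captured))


if __name__ == "__main__":
    # Constructed secret; a real slot secret comes from ykpersonalize.
    demo_key = SimulatedYubiKeySlot(bytes(range(20)))
    print("replay rejected:", replay_is_rejected(demo_key))
```

Because the store only rotates after a successful comparison, a wrong key or a replayed response leaves the stored challenge unchanged, which is also why the real challenge file must be writable by the PAM module at login time.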

== Smartcard mode ==

To use the smart card mode (CCID) of the Yubikey, you will need the PCSC-Lite daemon:

<syntaxHighlight lang=nix>
services.pcscd.enable = true;
</syntaxHighlight>

Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent.

== OTP ==

In order to manage OTP keys, you should install the <code>yubioath-desktop</code> package in your profile. This application also requires both the udev rules and pcscd to be enabled.

== Key generation ==

It is best practice to create the keys on a system without a network connection to avoid leakage. This guide explains in depth the steps needed for that. There is also a nix expression that creates a NixOS live image with all necessary dependencies pre-installed. The image can be created with the nixos-generator tool and, depending on the image, copied onto a USB stick or executed directly using <code>kexec</code>.

== Multiple keys ==

If you want to use GPG with multiple keys that contain the same subkeys, you have to follow this routine when swapping the key:

# <code>killall gpg-agent</code>
# <code>rm -r ~/.gnupg/private-keys-v1.d/</code>
# Plug in the new YubiKey
# <code>gpg --card-status</code> (optional, to see if the key is visible)

== Links ==

* [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]]