Yubikey: Difference between revisions
imported>Aaronduino m fix link syntax |
imported>Kaliumxyz amention to include support for all current yubico yubikey products |
||
Line 5: | Line 5: | ||
<syntaxHighlight lang=nix> | <syntaxHighlight lang=nix> | ||
services.udev.packages = [ pkgs.yubikey-personalization ]; | services.udev.packages = [ pkgs.yubikey-personalization ]; | ||
</syntaxHighlight> | |||
As the yubikey-personalization tool does [https://github.com/Yubico/yubikey-personalization/issues/57 not support all yubico products] you might want to add the libu2f-host udev rules to your configuration.nix: | |||
<syntaxHighlight lang=nix> | |||
services.udev.packages = [ pkgs.libu2f-host ]; | |||
</syntaxHighlight> | </syntaxHighlight> | ||
Revision as of 18:07, 28 April 2019
This article describes how Yubico's YubiKey works and how you can use it.
To access the yubikey as user add the following udev rules to your configuration.nix:
services.udev.packages = [ pkgs.yubikey-personalization ];
As the yubikey-personalization tool does not support all yubico products you might want to add the libu2f-host udev rules to your configuration.nix:
services.udev.packages = [ pkgs.libu2f-host ];
To use the smart card mode (CCID) of Yubikey, you will also need the PCSC-Lite daemon:
services.pcscd.enable = true;
In order to manage OTP keys you can install the yubioath-desktop
package in your profile.
This application will also both the udev rules as well as pcscd enabled.
Based on a guide by @drduh, the following should be sufficient for a yubikey usable for ssh:
services.pcscd.enable = true;
services.udev.packages = [ pkgs.yubikey-personalization ];
environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
Offline key generation
It is best practice to create the keys on a system without network connection to avoid leakages.
This guide explains in depth the steps needed for that.
There is also a nix expression that creates a nixos live image with all necessary dependencies pre-installed.
The image can be created with the nixos-generator tool
and depending on the image copied onto a usb stick or executed directly using kexec