Yubikey: Difference between revisions

Line 1:

This article describes how [https://yubico.com Yubico]'s [[Wikipedia:YubiKey|YubiKey]] ~~works and how you can use it~~.

This article describes how you can integrate [https://yubico.com Yubico]'s [[Wikipedia:YubiKey|YubiKey]] with NixOS.

~~To access the yubikey as user, no custom udev rules should be necessary, as udev gained native support to handle FIDO security tokens.~~

== For GPG and SSH ==

~~To use the smart card mode (CCID) of Yubikey, you will also need the PCSC~~-~~Lite daemon~~:

Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh]:

~~services.pcscd.enable = true;~~

~~</syntaxHighlight>~~

~~In order to manage OTP keys you can install the <code>yubioath-desktop</code> package in your profile.~~

~~This application will also require both the udev rules as well as pcscd enabled.~~

~~== Yubikey for SSH and GPG authentication ==~~

~~Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh], the following should be sufficient for a yubikey usable for ssh:~~

~~<syntaxHighlight lang=nix>~~

~~services.pcscd.enable = true;~~

services.udev.packages = [ pkgs.yubikey-personalization ];

# Depending on the details of your configuration, this section might be necessary or not;

# feel free to experiment

environment.shellInit = ''

export GPG_TTY="$(tty)"

Line 36:

Line 25:

</syntaxHighlight>

If you ~~do not~~ have a graphical user interface ~~installed make sure~~ to ~~set~~

If you don't have a graphical user interface, you'll have to adjust the pinentry program (it's the program launched by operating system to ask for YubiKey's PIN):

Line 42:

Line 31:

</syntaxHighlight>

~~otherwise the pinentry program will not be properly set up and GnuPG cannot ask for the pin of your Yubikey as a result.~~

== Logging-in ==

~~Alternatively, <code>SSH_AUTH_SOCK</code>~~ can ~~be set more generally as~~

You can enable challenge-response logins with:

~~export SSH_AUTH_SOCK~~=~~$(gpgconf~~ -~~-list-dirs agent-ssh-socket)~~

security.pam.yubico = {

enable = true;

debug = true;

mode = "challenge-response";

};

</syntaxHighlight>

if the ~~right version of <code>gpgconf</code> is available <ref>https://github.com/drduh/YubiKey-Guide#replace~~-~~agents</ref>. Note that this might not work~~ on ~~all systems.~~

You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:

== ~~Offline key~~ generation ==

# <code>nix-shell -p yubico-pam -p yubikey-personalization</code>

# <code>ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible</code>

# <code>ykpamcfg -2 -v</code>

Having that, you should be able to use your Yubikey to login and for sudo. You can also set <code>security.pam.yubico.control</code> to "required" in order to have multi-factor authentication.

See also: https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html.

== Smartcard mode ==

To use the smart card mode (CCID) of Yubikey, you will need the PCSC-Lite daemon:

services.pcscd.enable = true;

</syntaxHighlight>

Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent.

== OTP ==

In order to manage OTP keys, you should install the <code>yubioath-desktop</code> package in your profile.

This application will also require both the udev rules as well as pcscd enabled.

== Key generation ==

It is best practice to create the keys on a system without network connection to avoid leakages.

Line 60:

Line 76:

and depending on the image copied onto a usb stick or executed directly using <code>kexec</code>

== Multiple ~~Keys~~ ==

== Multiple keys ==

If you want to use GPG with multiple keys, containing the same subkeys, you have to do this routine when swapping the key

Line 68:

Line 84:

# Plug in the new YubiKey

# <code>gpg --card-status</code> (optional, to see if key is visibile)

~~== Yubikey for Login ==~~

~~Add the following to your configuration.nix to enable challenge-response based Logins~~

~~<syntaxHighlight lang=nix>~~

~~security.pam.yubico = {~~

~~enable = true;~~

~~debug = true;~~

~~mode = "challenge-response";~~

};

~~</syntaxHighlight>~~

~~You need to program the Yubikey for Challenge-Response on slot 2 and setup the current user for logon~~

~~# <code>nix-shell -p yubico-pam -p yubikey-personalization</code>~~

~~# <code>ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible</code>~~

~~# <code>ykpamcfg -2 -v</code>~~

~~You should now be able to use your Yubikey to login and for sudo. You can also set <code>security.pam.yubico.control</code> to "required" in order to have multi-factor authentication.~~

~~See also https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html~~

== Links ==

* [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]]

~~== References ==~~

@@ Line 1: / Line 1: @@
-This article describes how [https://yubico.com Yubico]'s [[Wikipedia:YubiKey|YubiKey]] works and how you can use it.
+This article describes how you can integrate [https://yubico.com Yubico]'s [[Wikipedia:YubiKey|YubiKey]] with NixOS.
-To access the yubikey as user, no custom udev rules should be necessary, as udev gained native support to handle FIDO security tokens.
+== For GPG and SSH  ==
-To use the smart card mode (CCID) of Yubikey, you will also need the PCSC-Lite daemon:
+Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh]:
 <syntaxHighlight lang=nix>
-services.pcscd.enable = true;
-</syntaxHighlight>
-In order to manage OTP keys you can install the <code>yubioath-desktop</code> package in your profile.
-This application will also require both the udev rules as well as pcscd enabled.
-== Yubikey for SSH and GPG authentication  ==
-Based on [https://github.com/drduh/YubiKey-Guide a guide] by [https://github.com/drduh @drduh], the following should be sufficient for a yubikey usable for ssh:
-<syntaxHighlight lang=nix>
-services.pcscd.enable = true;
 services.udev.packages = [ pkgs.yubikey-personalization ];
+# Depending on the details of your configuration, this section might be necessary or not;
+# feel free to experiment
 environment.shellInit = ''
    export GPG_TTY="$(tty)"
@@ Line 36: / Line 25: @@
 </syntaxHighlight>
-If you do not have a graphical user interface installed make sure to set
+If you don't have a graphical user interface, you'll have to adjust the pinentry program (it's the program launched by operating system to ask for YubiKey's PIN):
 <syntaxHighlight lang=nix>
@@ Line 42: / Line 31: @@
 </syntaxHighlight>
-otherwise the pinentry program will not be properly set up and GnuPG cannot ask for the pin of your Yubikey as a result.
+== Logging-in ==
-Alternatively, <code>SSH_AUTH_SOCK</code> can be set more generally as
+You can enable challenge-response logins with:
-<syntaxHighlight lang=bash>
+<syntaxHighlight lang=nix>
-export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+security.pam.yubico = {
+   enable = true;
+   debug = true;
+   mode = "challenge-response";
+ };
 </syntaxHighlight>
-if the right version of <code>gpgconf</code> is available <ref>https://github.com/drduh/YubiKey-Guide#replace-agents</ref>. Note that this might not work on all systems.
+You'll also need to program the Yubikey for challenge-response on slot 2 and setup the current user for logon:
-== Offline key generation ==
+# <code>nix-shell -p yubico-pam -p yubikey-personalization</code>
+# <code>ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible</code>
+# <code>ykpamcfg -2 -v</code>
+Having that, you should be able to use your Yubikey to login and for sudo. You can also set <code>security.pam.yubico.control</code> to "required" in order to have multi-factor authentication.
+See also: https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html.
+== Smartcard mode ==
+To use the smart card mode (CCID) of Yubikey, you will need the PCSC-Lite daemon:
+<syntaxHighlight lang=nix>
+services.pcscd.enable = true;
+</syntaxHighlight>
+Please note that the PCSC-Lite daemon [https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html sometimes conflicts] with gpg-agent.
+== OTP ==
+In order to manage OTP keys, you should install the <code>yubioath-desktop</code> package in your profile.
+This application will also require both the udev rules as well as pcscd enabled.
+== Key generation ==
 It is best practice to create the keys on a system without network connection to avoid leakages.
@@ Line 60: / Line 76: @@
 and depending on the image copied onto a usb stick or executed directly using <code>kexec</code>
-== Multiple Keys ==
+== Multiple keys ==
 If you want to use GPG with multiple keys, containing the same subkeys, you have to do this routine when swapping the key
@@ Line 68: / Line 84: @@
 # Plug in the new YubiKey
 # <code>gpg --card-status</code> (optional, to see if key is visibile)
-== Yubikey for Login ==
-Add the following to your configuration.nix to enable challenge-response based Logins
-<syntaxHighlight lang=nix>
-security.pam.yubico = {
-   enable = true;
-   debug = true;
-   mode = "challenge-response";
- };
-</syntaxHighlight>
-You need to program the Yubikey for Challenge-Response on slot 2 and setup the current user for logon
-# <code>nix-shell -p yubico-pam -p yubikey-personalization</code>
-# <code>ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible</code>
-# <code>ykpamcfg -2 -v</code>
-You should now be able to use your Yubikey to login and for sudo. You can also set <code>security.pam.yubico.control</code> to "required" in order to have multi-factor authentication.
-See also https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html
 == Links ==
 * [[Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS]]
-== References ==