Yubikey
This article describes how Yubico's YubiKey works and how you can use it.
To access the yubikey as user add the following udev rules to your configuration.nix:
services.udev.packages = [ pkgs.yubikey-personalization ];
As the yubikey-personalization tool does not support all yubico products you might want to add the libu2f-host udev rules to your configuration.nix:
services.udev.packages = [ pkgs.libu2f-host ];
To use the smart card mode (CCID) of Yubikey, you will also need the PCSC-Lite daemon:
services.pcscd.enable = true;
In order to manage OTP keys you can install the yubioath-desktop
package in your profile.
This application will also require both the udev rules as well as pcscd enabled.
Yubikey for SSH and GPG authentication
Based on a guide by @drduh, the following should be sufficient for a yubikey usable for ssh:
services.pcscd.enable = true;
services.udev.packages = [ pkgs.yubikey-personalization ];
environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
If you do not have a graphical user interface installed make sure to set
programs.gnupg.agent.pinentryFlavor = "curses";
otherwise the pinentry program will not be properly set up and GnuPG cannot ask for the pin of your Yubikey as a result.
Alternatively, SSH_AUTH_SOCK
can be set more generally as
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
if the right version of gpgconf
is available [1]. Note that this might not work on all systems.
Offline key generation
It is best practice to create the keys on a system without network connection to avoid leakages.
This guide explains in depth the steps needed for that.
There is also a nix expression that creates a nixos live image with all necessary dependencies pre-installed.
The image can be created with the nixos-generator tool
and depending on the image copied onto a usb stick or executed directly using kexec
Multiple Keys
If you want to use GPG with multiple keys, containing the same subkeys, you have to do this routine when swapping the key
killall gpg-agent
rm -r ~/.gnupg/private-keys-v1.d/
- Plug in the new YubiKey
gpg --card-status
(optional, to see if key is visibile)
Yubikey for Login
Add the following to your configuration.nix to enable challenge-response based Logins
security.pam.yubico = {
enable = true;
debug = true;
mode = "challenge-response";
};
You need to program the Yubikey for Challenge-Response on slot 2 and setup the current user for logon
nix-shell -p yubico-pam -p yubikey-personalization
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
ykpamcfg -2 -v
You should now be able to use your Yubikey to login and for sudo. You can also set security.pam.yubico.control
to "required" in order to have multi-factor authentication.
See also https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html
Links