Next: Dynamic DNS mcron job, Previous: Guix System Image API, Up: System Configuration [Contents][Index]
The use of security keys can improve your security by adding a second authentication factor (something that you have) that a remote adversary cannot easily steal or copy, alongside the main secret (a passphrase, something that you know), reducing the risk of impersonation.
The example configuration detailed below showcases what minimal configuration needs to be made on your Guix System to allow the use of a Yubico security key. It is hoped the configuration can be useful for other security keys as well, with minor adjustments.
To be usable, the udev rules of the system should be extended with key-specific rules. The following shows how to extend your udev rules with the lib/udev/rules.d/70-u2f.rules udev rule file provided by the libfido2 package from the (gnu packages security-token) module and add your user to the ‘"plugdev"’ group it uses:
    (use-package-modules ... security-token ...)

    ...

    (operating-system
      ...
      (users (cons* (user-account
                     (name "your-user")
                     (group "users")
                     (supplementary-groups
                      '("wheel" "netdev" "audio" "video"
                        "plugdev"))       ;<- added system group
                     (home-directory "/home/your-user"))
                    %base-user-accounts))
      ...
      (services
       (cons* ...
              (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
After re-configuring your system and re-logging in your graphical session so that the new group is in effect for your user, you can verify that your key is usable by launching:
guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
and validating that the security key can be reset via the “Reset your security key” menu. If it works, congratulations, your security key is ready to be used with applications supporting two-factor authentication (2FA).
If you use a Yubikey security key and are irritated by the spurious OTP codes it generates when inadvertently touching the key (e.g. causing you to become a spammer in the ‘#guix’ channel when discussing from your favorite IRC client!), you can disable it via the following ykman command:
guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
Alternatively, you could use the ykman-gui command provided by the yubikey-manager-qt package and either wholly disable the ‘OTP’ application for the USB interface or, from the ‘Applications -> OTP’ view, delete the slot 1 configuration, which comes pre-configured with the Yubico OTP application.
The KeePassXC password manager application has support for Yubikeys, but it requires installing udev rules on your Guix System and some configuration of the Yubico OTP application on the key. The necessary udev rules file comes from the yubikey-personalization package, and can be installed as follows:
    (use-package-modules ... security-token ...)

    ...

    (operating-system
      ...
      (services
       (cons* ...
              (udev-rules-service 'yubikey yubikey-personalization))))
After reconfiguring your system (and reconnecting your Yubikey), you’ll then want to configure the OTP challenge/response application of your Yubikey on its slot 2, which is what KeePassXC uses. It’s easy to do so via the Yubikey Manager graphical configuration tool, which can be invoked with:
guix shell yubikey-manager-qt -- ykman-gui
First, ensure ‘OTP’ is enabled under the ‘Interfaces’ tab, then navigate to ‘Applications -> OTP’, and click the ‘Configure’ button under the ‘Long Touch (Slot 2)’ section. Select ‘Challenge-response’, input or generate a secret key, and click the ‘Finish’ button. If you have a second Yubikey you’d like to use as a backup, you should configure it the same way, using the same secret key.
Your Yubikey should now be detected by KeePassXC. It can be added to a database by navigating to KeePassXC’s ‘Database -> Database Security...’ menu, then clicking the ‘Add additional protection...’ button, then ‘Add Challenge-Response’, selecting the security key from the drop-down menu and clicking the ‘OK’ button to complete the setup.