From 024e12470ffbd82c68c80475d8d544b7a2dcefbc Mon Sep 17 00:00:00 2001 From: null pointer exception <57326449+deathgrippin@users.noreply.github.com> Date: Fri, 5 Jun 2020 18:46:13 +0000 Subject: [PATCH] Clean up wording and typos --- user/security-in-qubes/yubi-key.md | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/user/security-in-qubes/yubi-key.md b/user/security-in-qubes/yubi-key.md index 147b07f8..a2a23b69 100644 --- a/user/security-in-qubes/yubi-key.md +++ b/user/security-in-qubes/yubi-key.md @@ -10,15 +10,15 @@ redirect_from: Using YubiKey to Qubes authentication ===================================== -You can use YubiKey to enhance Qubes user authentication, for example to mitigate risk of snooping the password. -This can also slightly improve security when you have [USB keyboard](/doc/device-handling-security/#security-warning-on-usb-input-devices). +You can use a YubiKey to enhance Qubes user authentication, for example to mitigate risk of someone snooping the password. +This can also slightly improve security when you have a [USB keyboard](/doc/device-handling-security/#security-warning-on-usb-input-devices). -There (at least) two possible configurations: using OTP mode and using challenge-response mode. +There are (at least) two possible configurations: using OTP mode and using challenge-response mode. OTP mode -------- -This can be configured using [app-linux-yubikey](https://github.com/adubois/qubes-app-linux-yubikey) package. +This can be configured using the [app-linux-yubikey](https://github.com/adubois/qubes-app-linux-yubikey) package. This package does not support sharing the same key slot with other applications (it will deny further authentications if you try). Contrary to instruction there, currently there is no binary package in the Qubes repository and you need to compile it yourself. @@ -27,7 +27,7 @@ This might change in the future. Challenge-response mode ---------------------- -In this mode, your YubiKey will generate a response based on the secret key, and random challenge (instead of counter). +In this mode, your YubiKey will generate a response based on the secret key, and a random challenge (instead of counter). This means that it isn't possible to generate a response in advance even if someone gets access to your YubiKey. This makes it reasonably safe to use the same YubiKey for other services (also in challenge-response mode). @@ -46,7 +46,7 @@ To use this mode you need to: sudo apt-get install yubikey-personalization yubikey-personalization-gui Shut down your TemplateVM. - Then reboot your USB VM (so changes inside the TemplateVM take effect in your TemplateBased USB VM or install the packages inside your USB VM if you would like to avoid rebooting your USB VM. + Then, either reboot your USB VM (so changes inside the TemplateVM take effect in your USB TemplateBasedVM) or install the packages inside your USB VM if you would like to avoid rebooting it. 2. Configure your YubiKey for challenge-response `HMAC-SHA1` mode, for example [following this tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/). @@ -57,15 +57,15 @@ To use this mode you need to: - Note: Different from the above video, use the following settings select `HMAC-SHA1 mode`: `fixed 64 bit input`. - We will refer the `Secret Key (20 bytes hex)` as `AESKEY`. - - It is recommended to keep a backup of your `AESKEY` in an offline VM used as vault. - - Consider to keep a backup of your `AESKEY` on paper and store it in a safe place. - - In case you have multiple YubiKeys for backup purposes (in case a yubikey gets lost, stolen or breaks) you can write the same settings into other YubiKeys. + - It is recommended to keep a backup of your `AESKEY` in an offline VM used as a vault. + - Consider keeping a backup of your `AESKEY` on paper and storing it in a safe place. + - If you have multiple YubiKeys for backup purposes (in case a yubikey gets lost, stolen or breaks) you can write the same settings into other YubiKeys. 3. Install [qubes-app-yubikey](https://github.com/QubesOS/qubes-app-yubikey) in dom0. sudo qubes-dom0-update qubes-yubikey-dom0 -4. Adjust USB VM name in case you are using something other than the default +4. Adjust the USB VM name in case you are using something other than the default `sys-usb` by editing `/etc/qubes/yk-keys/yk-vm` in dom0. 5. Paste your `AESKEY` from step 2 into `/etc/qubes/yk-keys/yk-secret-key.hex` in dom0. @@ -83,18 +83,15 @@ To use this mode you need to: echo -n "$password" | openssl dgst -sha1 -7. Edit `/etc/pam.d/login` in dom0. - Add this line at the beginning: +7. Edit `/etc/pam.d/login` in dom0, adding this line at the beginning: auth include yubikey -8. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using screen locker program) in dom0. - Add this line at the beginning: +8. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using another screen locker program) in dom0, adding this line at the beginning: auth include yubikey -9. Edit `/etc/pam.d/lightdm` (or appropriate file if you are using other display manager) in dom0. - Add this line at the beginning: +9. Edit `/etc/pam.d/lightdm` (or appropriate file if you are using another display manager) in dom0, adding this line at the beginning: auth include yubikey