Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-28 08:49:42 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'patch-47' of https://github.com/adrelanos/qubes-doc into adrelanos-patch-47

Browse Source
This commit is contained in:
Andrew David Wong 2018-02-25 15:26:07 -06:00
commit 207b315d6a
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 60 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
security/yubi-key.md
View File

@ -40,51 +40,70 @@ password (other than your login password!) and apply the configuration.
To use this mode you need to: To use this mode you need to:
1. Configure your YubiKey for challenge-response HMAC-SHA1 mode, for example 1. Install yubikey personalization the packages in your TemplateVM on which your USB VM is based.
For Fedora.
sudo dnf install ykpers yubikey-personalization-gui
For Debian.
sudo apt-get install yubikey-personalization yubikey-personalization-gui
Shut down your TemplateVM. Then reboot your USB VM (so changes inside the TemplateVM take effect
in your TemplateBased USB VM or install the packages inside your USB VM if you would like to avoid
rebooting your USB VM.
2. Configure your YubiKey for challenge-response `HMAC-SHA1` mode, for example
[following this [following this
tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/) tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/).
2. Install the `ykpers` package in template on which your USB VM is based.
3. Create `/usr/local/bin/yubikey-auth` script in dom0:
#!/bin/sh On Debian, you can run the graphical user interface `yubikey-personalization-gui` from the command line.
key="$1" - Choose `configuration slot 2`.
- It is recommended to enable `Require user input (button press)` but this is optional.
- Note: Different from the above video, use the following settings select
`HMAC-SHA1 mode`: `fixed 64 bit input`.
- We will refer the `Secret Key (20 bytes hex)` as `AESKEY`.
- It is recommended to keep a backup of your `AESKEY` in an offline VM used as vault.
- Consider to keep a backup of your `AESKEY` on paper and store it in a safe place.
- In case you have multiple YubiKeys for backup purposes (in case a yubikey gets lost, stolen or breaks) you can write the same settings into other YubiKeys.
if [ -z "$key" ]; then 3. Install [qubes-app-yubikey](https://github.com/QubesOS/qubes-app-yubikey) in dom0.
echo "Usage: $0 <AESKEY> [<PASSWORD-HASH>]"
exit 1
fi
# if password has given, verify it sudo qubes-dom0-update qubes-yubikey-dom0
if [ -n "$2" ]; then
# PAM appends \0 at the end
hash=`head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' '`
if [ "x$2" != "x$hash" ]; then
exit 1
fi
fi
challenge=`head -c64 /dev/urandom | xxd -c 64 -ps` 4. Adjust USB VM name in case you are using something other than the default
# You may need to adjust slot number and USB VM name here `sys-usb` by editing `/etc/qubes/yk-keys/yk-vm` in dom0.
response=`qvm-run -u root --nogui -p sys-usb "ykchalresp -2 -x $challenge"`
correct_response=`echo $challenge | xxd -r -ps | openssl dgst -sha1 -macopt hexkey:$key -mac HMAC -r | cut -f1 -d ' '` 5. Paste your `AESKEY` from step 2 into `/etc/qubes/yk-keys/yk-secret-key.hex` in dom0.
test "x$correct_response" = "x$response" 6. Paste your hashed password (other than your standard Qubes password) into
exit $? `/etc/qubes/yk-keys/yk-login-pass-hashed.hex` in dom0.
4. Adjust USB VM name (`sys-usb` above), and possibly YubiKey slot number (`2` You can calculate your hashed password using the following two commands.
above), then make the script executable. First run the following command to store your password in a temporary variable `password`.
5. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using other (This way your password will not leak to the terminal command history file.)
screen locker program). Add this line at the beginning:
auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth AESKEY PASSWORD-HASH read password
Replace `AESKEY` with hex-encoded key configured in the first step, then Now run the following command to calculate your hashed password.
replace `PASSWORD-HASH` with SHA1 hash for your YubiKey-linked password (other
than your standard Qubes password). You can calculate it using this command:
echo -n "PASSWORD" | openssl dgst -sha1 echo -n "$password" | openssl dgst -sha1
7. Edit `/etc/pam.d/login` in dom0. Add this line at the beginning:
auth include yubikey
8. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using other
screen locker program) in dom0. Add this line at the beginning:
auth include yubikey
9. Edit `/etc/pam.d/lightdm` (or appropriate file if you are using other
display manager) in dom0. Add this line at the beginning:
auth include yubikey
### Usage ### Usage
@ -100,6 +119,13 @@ When everything is ok, your screen will be unlocked.
In any case you can still use your login password, but do it in a secure location In any case you can still use your login password, but do it in a secure location
where no one can snoop your password. where no one can snoop your password.
### Mandatory YubiKey Login
Edit `/etc/pam.d/yubikey` (or appropriate file if you are using other screen locker program)
and remove `default=ignore` so the line looks like this.
auth [success=done] pam_exec.so expose_authtok quiet /usr/bin/yk-auth
Locking the screen when YubiKey is removed Locking the screen when YubiKey is removed
------------------------------------------ ------------------------------------------