Merge branch 'deathgrippin-yubikey-patch'

Andrew David Wong 2020-06-07 21:03:48 -05:00
commit 97dbe36192
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17

@ -10,15 +10,15 @@ redirect_from:
Using YubiKey to Qubes authentication Using YubiKey to Qubes authentication
===================================== =====================================
You can use YubiKey to enhance Qubes user authentication, for example to mitigate risk of snooping the password. You can use a YubiKey to enhance Qubes user authentication, for example to mitigate risk of someone snooping the password.
This can also slightly improve security when you have [USB keyboard](/doc/device-handling-security/#security-warning-on-usb-input-devices). This can also slightly improve security when you have a [USB keyboard](/doc/device-handling-security/#security-warning-on-usb-input-devices).
There (at least) two possible configurations: using OTP mode and using challenge-response mode. There are (at least) two possible configurations: using OTP mode and using challenge-response mode.
OTP mode OTP mode
-------- --------
This can be configured using [app-linux-yubikey](https://github.com/adubois/qubes-app-linux-yubikey) package. This can be configured using the [app-linux-yubikey](https://github.com/adubois/qubes-app-linux-yubikey) package.
This package does not support sharing the same key slot with other applications (it will deny further authentications if you try). This package does not support sharing the same key slot with other applications (it will deny further authentications if you try).
Contrary to instruction there, currently there is no binary package in the Qubes repository and you need to compile it yourself. Contrary to instruction there, currently there is no binary package in the Qubes repository and you need to compile it yourself.
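Review bot: two grammar fixes that this copyediting hunk leaves behind in the same paragraph and heading: the title "Using YubiKey to Qubes authentication" should read "Using a YubiKey for Qubes authentication" (the underline of `=` signs then needs the same length), and the untouched last line should read "Contrary to the instructions there, there is currently no binary package in the Qubes repository, so you need to compile it yourself." Also, "mitigate risk of someone snooping the password" reads better as "mitigate the risk of someone snooping the password", matching the articles the hunk adds elsewhere.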
@ -27,7 +27,7 @@ This might change in the future.
Challenge-response mode Challenge-response mode
---------------------- ----------------------
In this mode, your YubiKey will generate a response based on the secret key, and random challenge (instead of counter). In this mode, your YubiKey will generate a response based on the secret key, and a random challenge (instead of counter).
This means that it isn't possible to generate a response in advance even if someone gets access to your YubiKey. This means that it isn't possible to generate a response in advance even if someone gets access to your YubiKey.
This makes it reasonably safe to use the same YubiKey for other services (also in challenge-response mode). This makes it reasonably safe to use the same YubiKey for other services (also in challenge-response mode).
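Review bot: the rewritten first line adds an article before "random challenge" but not before "counter"; for consistency it should read "a random challenge (instead of a counter)". The following sentence would also be clearer if it named what the attacker is unable to do: "an attacker who briefly gets hold of your YubiKey cannot precompute responses, because they do not know the challenge that dom0 will send."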
@ -46,7 +46,7 @@ To use this mode you need to:
sudo apt-get install yubikey-personalization yubikey-personalization-gui sudo apt-get install yubikey-personalization yubikey-personalization-gui
Shut down your TemplateVM. Shut down your TemplateVM.
Then reboot your USB VM (so changes inside the TemplateVM take effect in your TemplateBased USB VM or install the packages inside your USB VM if you would like to avoid rebooting your USB VM. Then, either reboot your USB VM (so changes inside the TemplateVM take effect in your USB TemplateBasedVM) or install the packages inside your USB VM if you would like to avoid rebooting it.
2. Configure your YubiKey for challenge-response `HMAC-SHA1` mode, for example [following this tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/). 2. Configure your YubiKey for challenge-response `HMAC-SHA1` mode, for example [following this tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/).
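Review bot: the rewritten sentence at the end of step 1 is still a long either/or with a nested parenthetical; consider splitting it: "Then reboot your USB VM so the changes made in the TemplateVM take effect. Alternatively, install the packages directly inside your USB VM to avoid a reboot." The `sudo apt-get install ...` command above it also assumes a Debian-based TemplateVM; the step should state that assumption so Fedora-template users know to adapt it.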
@ -57,15 +57,15 @@ To use this mode you need to:
- Note: Different from the above video, use the following settings select - Note: Different from the above video, use the following settings select
`HMAC-SHA1 mode`: `fixed 64 bit input`. `HMAC-SHA1 mode`: `fixed 64 bit input`.
- We will refer the `Secret Key (20 bytes hex)` as `AESKEY`. - We will refer the `Secret Key (20 bytes hex)` as `AESKEY`.
- It is recommended to keep a backup of your `AESKEY` in an offline VM used as vault. - It is recommended to keep a backup of your `AESKEY` in an offline VM used as a vault.
- Consider to keep a backup of your `AESKEY` on paper and store it in a safe place. - Consider keeping a backup of your `AESKEY` on paper and storing it in a safe place.
- In case you have multiple YubiKeys for backup purposes (in case a yubikey gets lost, stolen or breaks) you can write the same settings into other YubiKeys. - If you have multiple YubiKeys for backup purposes (in case a yubikey gets lost, stolen or breaks) you can write the same settings into other YubiKeys.
3. Install [qubes-app-yubikey](https://github.com/QubesOS/qubes-app-yubikey) in dom0. 3. Install [qubes-app-yubikey](https://github.com/QubesOS/qubes-app-yubikey) in dom0.
sudo qubes-dom0-update qubes-yubikey-dom0 sudo qubes-dom0-update qubes-yubikey-dom0
4. Adjust USB VM name in case you are using something other than the default 4. Adjust the USB VM name in case you are using something other than the default
`sys-usb` by editing `/etc/qubes/yk-keys/yk-vm` in dom0. `sys-usb` by editing `/etc/qubes/yk-keys/yk-vm` in dom0.
5. Paste your `AESKEY` from step 2 into `/etc/qubes/yk-keys/yk-secret-key.hex` in dom0. 5. Paste your `AESKEY` from step 2 into `/etc/qubes/yk-keys/yk-secret-key.hex` in dom0.
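Review bot: the first sub-bullet is left ungrammatical ("use the following settings select `HMAC-SHA1 mode`: `fixed 64 bit input`"); suggest "Unlike in the video above, select `HMAC-SHA1 mode` with `fixed 64 bit input`." The next bullet needs "refer to": "We will refer to the `Secret Key (20 bytes hex)` as `AESKEY`." Since the hunk itself shows this is an HMAC-SHA1 secret rather than an AES key, a short remark that `AESKEY` is just the name this guide uses for that 20-byte secret would avoid confusion. Finally, the rewritten backup bullet still mixes "yubikey" and "YubiKeys" in one sentence; use "YubiKey" throughout.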
@ -83,18 +83,15 @@ To use this mode you need to:
echo -n "$password" | openssl dgst -sha1 echo -n "$password" | openssl dgst -sha1
7. Edit `/etc/pam.d/login` in dom0. 7. Edit `/etc/pam.d/login` in dom0, adding this line at the beginning:
Add this line at the beginning:
auth include yubikey auth include yubikey
8. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using screen locker program) in dom0. 8. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using another screen locker program) in dom0, adding this line at the beginning:
Add this line at the beginning:
auth include yubikey auth include yubikey
9. Edit `/etc/pam.d/lightdm` (or appropriate file if you are using other display manager) in dom0. 9. Edit `/etc/pam.d/lightdm` (or appropriate file if you are using another display manager) in dom0, adding this line at the beginning:
Add this line at the beginning:
auth include yubikey auth include yubikey
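Review bot: steps 8 and 9 now say "(or appropriate file ...)" while the hunk adds articles everywhere else; make it "(or the appropriate file if you are using another screen locker program)" and likewise for the display manager. Since all three steps insist on adding `auth include yubikey` at the beginning of the file, a one-line reason belongs here: PAM evaluates `auth` entries in order, so the line must precede the existing entries for the YubiKey check to run before the password prompt.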