Next: , Previous: , Up: System Configuration   [Contents][Index]


3.4 Using security keys

The use of security keys can improve your security by providing a second authentication source that cannot be easily stolen or copied, at least for a remote adversary (something that you have), to the main secret (a passphrase – something that you know), reducing the risk of impersonation.

The example configuration detailed below showcases what minimal configuration needs to be made on your Guix System to allow the use of a Yubico security key. It is hoped the configuration can be useful for other security keys as well, with minor adjustments.

3.4.1 Configuration for use as a two-factor authenticator (2FA)

To be usable, the udev rules of the system should be extended with key-specific rules. The following shows how to extend your udev rules with the lib/udev/rules.d/70-u2f.rules udev rule file provided by the libfido2 package from the (gnu packages security-token) module and add your user to the ‘"plugdev"’ group it uses:

(use-package-modules ... security-token ...)
...
(operating-system
 ...
 (users (cons* (user-account
               (name "your-user")
               (group "users")
               (supplementary-groups
		'("wheel" "netdev" "audio" "video"
                  "plugdev"))           ;<- added system group
               (home-directory "/home/your-user"))
              %base-user-accounts))
 ...
 (services
  (cons*
   ...
   (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))

After re-configuring your system and re-logging in your graphical session so that the new group is in effect for your user, you can verify that your key is usable by launching:

guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys

and validating that the security key can be reset via the “Reset your security key” menu. If it works, congratulations, your security key is ready to be used with applications supporting two-factor authentication (2FA).

3.4.2 Disabling OTP code generation for a Yubikey

If you use a Yubikey security key and are irritated by the spurious OTP codes it generates when inadvertently touching the key (e.g. causing you to become a spammer in the ‘#guix’ channel when discussing from your favorite IRC client!), you can disable it via the following ykman command:

guix shell python-yubikey-manager -- ykman config usb --force --disable OTP

Alternatively, you could use the ykman-gui command provided by the yubikey-manager-qt package and either wholly disable the ‘OTP’ application for the USB interface or, from the ‘Applications -> OTP’ view, delete the slot 1 configuration, which comes pre-configured with the Yubico OTP application.

3.4.3 Requiring a Yubikey to open a KeePassXC database

The KeePassXC password manager application has support for Yubikeys, but it requires installing a udev rules for your Guix System and some configuration of the Yubico OTP application on the key.

The necessary udev rules file comes from the yubikey-personalization package, and can be installed like:

(use-package-modules ... security-token ...)
...
(operating-system
 ...
 (services
  (cons*
   ...
   (udev-rules-service 'yubikey yubikey-personalization))))

After reconfiguring your system (and reconnecting your Yubikey), you’ll then want to configure the OTP challenge/response application of your Yubikey on its slot 2, which is what KeePassXC uses. It’s easy to do so via the Yubikey Manager graphical configuration tool, which can be invoked with:

guix shell yubikey-manager-qt -- ykman-gui

First, ensure ‘OTP’ is enabled under the ‘Interfaces’ tab, then navigate to ‘Applications -> OTP’, and click the ‘Configure’ button under the ‘Long Touch (Slot 2)’ section. Select ‘Challenge-response’, input or generate a secret key, and click the ‘Finish’ button. If you have a second Yubikey you’d like to use as a backup, you should configure it the same way, using the same secret key.

Your Yubikey should now be detected by KeePassXC. It can be added to a database by navigating to KeePassXC’s ‘Database -> Database Security...’ menu, then clicking the ‘Add additional protection...’ button, then ‘Add Challenge-Response’, selecting the security key from the drop-down menu and clicking the ‘OK’ button to complete the setup.


Next: Dynamic DNS mcron job, Previous: Guix System Image API, Up: System Configuration   [Contents][Index]