How to enable YubiKey login to gnome?

So far, I have these lines in configuration.nix

security.pam.yubico.enable = true;
security.pam.services.zzz.yubicoAuth = true;
security.pam.yubico.control = "sufficient";
services.pcscd.enable = true;

And I have added the following packages:
yubioath-flutter
yubikey-manager-qt
yubikey-touch-detector
yubikey-personalization-gui
yubikey-manager
pam_u2f
yubikey-personalization
libu2f-host


I don’t know if all the packages that I installed are necessary.

I need the proper procedures to add the required packages and define everything properly to enable Yubikey login to gnome. Somebody please help?

Thanks

This is helpful:

https://nixos.wiki/wiki/Yubikey

But you really only need this option, in addition to creating the “Yubico/u2f_keys” file at the right location.

option docs: security.pam.u2f.enable

This is how I use it:

(Note, this lets me login to cosmic-greeter, unlock cosmic-greeter, unlock swaylock, etc, etc)
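The pam_u2f route described in this reply, written out as an added example (my own, not the poster's configuration or the wiki's). It assumes NixOS 24.05 or later, where the pam_u2f module settings live under security.pam.u2f.settings (older releases exposed them directly, e.g. security.pam.u2f.authFile); the /etc/u2f_keys path and the list of PAM services are my choices, and the per-service u2fAuth switches default to security.pam.u2f.enable, so listing them only makes the intent explicit.

```nix
# Added example, not the poster's own configuration.
# Assumes NixOS >= 24.05 (security.pam.u2f.settings submodule).
{ config, pkgs, ... }:

{
  # pam_u2f talks to the key over FIDO/USB HID, so the smart-card daemon
  # (pcscd) is not needed for this path; udev rules ship with the module.
  security.pam.u2f = {
    enable = true;
    # "sufficient": a touched key alone logs you in.
    # "required": the key is a second factor on top of the password.
    control = "sufficient";
    settings = {
      # Print "Please touch the device." so the prompt is not mistaken for a hang.
      cue = true;
      # Placeholder: a root-owned, non-writable central mapping file instead of
      # the per-user ~/.config/Yubico/u2f_keys. Omit to keep the per-user file.
      authfile = "/etc/u2f_keys";
    };
  };

  # Optional and explicit; these already follow security.pam.u2f.enable.
  security.pam.services = {
    login.u2fAuth = true;
    gdm-password.u2fAuth = true; # the PAM service GDM's password prompt uses
    sudo.u2fAuth = true;
  };

  environment.systemPackages = with pkgs; [
    pam_u2f          # provides pamu2fcfg for enrolling keys
    yubikey-manager  # ykman, to check which applets are enabled
  ];
}
```

With a central authfile, lines are still produced by running pamu2fcfg as each user (it prefixes the user name itself) and then appended to the root-owned file; the file must not be writable by ordinary users, since whoever can edit it can enrol a key for any account listed.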

Hi,

I am following the wiki to create the u2f_keys file. :

  1. Connect your Yubikey

  2. Create an authorization mapping file for your user. The authorization mapping file is like ~/.ssh/known_hosts but for Yubikeys.

  3. nix-shell -p pam_u2f

  4. mkdir -p ~/.config/Yubico

  5. pamu2fcfg > ~/.config/Yubico/u2f_keys

  6. add another yubikey (optional): pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

But upon running pamu2cfg it is asking me for a PIN!
Enter PIN for /dev/hidraw3:
I keyed in my FIDO2 PIN and that is not correct.
Google Gemini AI says it is then probably the PIV pin. But I have only set up a Google Advanced Protection PIN, which is a FIDO2 pin. So I used Yubikey Manager to reset the PIV. And then supplied that new PIV pin and PUK pin and both didn’t work.

Did you encounter this? Or did you use a different method to generate this u2f_keys file?

Thanks.
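The enrolment steps quoted above end with a file that PAM will trust for login, so it is worth checking what landed in it before enabling the module. The following POSIX shell script is an added example (mine, not from the thread, the wiki or pam_u2f itself): it parses the pamu2fcfg line format (user, colon, then colon-separated credentials of keyhandle,pubkey,cose[,options]), flags credentials enrolled without +presence (which would let anything that can reach the USB device satisfy PAM without a touch), and refuses a mapping file that other users can write. The function names are hypothetical and the sample files it creates are constructed dummies, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a pam_u2f mapping file
# (~/.config/Yubico/u2f_keys or a central authfile) before relying on it.
# One line per user, as written by pamu2fcfg:
#   user:keyhandle,pubkey,cose[,options]:keyhandle,pubkey,cose[,options]...
# Function names are hypothetical; the sample files below are constructed.

# Check one "keyhandle,pubkey,cose[,options]" credential entry.
u2f_entry_ok() {
  entry=$1
  nf=$(printf '%s\n' "$entry" | awk -F, '{ print NF }')
  [ "$nf" -eq 3 ] || [ "$nf" -eq 4 ] || return 1
  kh=$(printf '%s\n' "$entry" | cut -d, -f1)
  pk=$(printf '%s\n' "$entry" | cut -d, -f2)
  cose=$(printf '%s\n' "$entry" | cut -d, -f3)
  opts=$(printf '%s\n' "$entry" | cut -d, -f4)
  [ -n "$kh" ] && [ -n "$pk" ] || return 1
  # key types pam_u2f understands
  case "$cose" in es256|rs256|eddsa) ;; *) return 1 ;; esac
  # options: zero or more of +presence, +pin, +verification
  printf '%s\n' "$opts" | grep -Eq '^([+](presence|pin|verification))*$'
}

# Return 0 if every non-empty line of FILE is well-formed, 1 otherwise.
# The "|| [ -n "$line" ]" also accepts a final line without a trailing
# newline, which is what pamu2fcfg writes (the '%' zsh shows in the thread).
u2f_keys_validate() {
  file=$1
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  rc=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    [ -n "$line" ] || continue
    case "$line" in
      *:*) ;;
      *) echo "line $lineno: no ':' after user name" >&2; rc=1; continue ;;
    esac
    user=${line%%:*}
    rest=${line#*:}
    case "$user" in
      ''|*[!A-Za-z0-9._-]*) echo "line $lineno: bad user name" >&2; rc=1; continue ;;
    esac
    old_ifs=$IFS
    IFS=:
    for entry in $rest; do
      IFS=$old_ifs
      u2f_entry_ok "$entry" || { echo "line $lineno: malformed credential for $user" >&2; rc=1; }
    done
    IFS=$old_ifs
  done < "$file"
  return "$rc"
}

# Return 0 only if every credential carries +presence (the key must be
# touched); without it, anything that can reach the USB device can satisfy PAM.
u2f_keys_all_require_presence() {
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    rest=${line#*:}
    old_ifs=$IFS
    IFS=:
    for entry in $rest; do
      IFS=$old_ifs
      opts=$(printf '%s\n' "$entry" | cut -d, -f4)
      case "$opts" in *+presence*) ;; *) return 1 ;; esac
    done
    IFS=$old_ifs
  done < "$1"
  return 0
}

# Return 0 unless FILE is group- or world-writable: whoever can edit the
# mapping file can enrol their own key for the account.
u2f_keys_not_writable_by_others() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in ?????-??-?) return 0 ;; *) return 1 ;; esac
}

# Constructed samples (dummy base64, not real credentials).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_GOOD=$SAMPLE_DIR/u2f_keys
SAMPLE_NOTOUCH=$SAMPLE_DIR/u2f_keys.notouch
SAMPLE_BAD=$SAMPLE_DIR/u2f_keys.bad
printf '%s\n' \
  'cole:AAAAkeyhandle1==,BBBBpubkey1==,es256,+presence:CCCCkeyhandle2==,DDDDpubkey2==,es256,+presence+pin' \
  'alice:EEEEkeyhandle3==,FFFFpubkey3==,eddsa,+presence' > "$SAMPLE_GOOD"
printf 'bob:GGGGkeyhandle4==,HHHHpubkey4==,es256' > "$SAMPLE_NOTOUCH"  # no newline, no +presence
printf '%s\n' 'mallory:IIII==,JJJJ==,sha1,+presence' > "$SAMPLE_BAD"    # unknown key type
chmod 600 "$SAMPLE_GOOD" "$SAMPLE_NOTOUCH"
chmod 666 "$SAMPLE_BAD"

for f in "$SAMPLE_GOOD" "$SAMPLE_NOTOUCH" "$SAMPLE_BAD"; do
  if u2f_keys_validate "$f" && u2f_keys_all_require_presence "$f" && u2f_keys_not_writable_by_others "$f"; then
    echo "$f: ok"
  else
    echo "$f: FAILED"
  fi
done
```

Run it against the real file with `u2f_keys_validate ~/.config/Yubico/u2f_keys` (and the other two checks) after each enrolment; a credential enrolled with `pamu2fcfg` normally ends in `+presence`, so a line without it usually means the enrolment was run with a flag that dropped the touch requirement and should be re-done.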

OK Everyone,

Here is the final configuration needed:

services.pcscd.enable = true;
security.pam.yubico = {
  enable = true;
  debug = true;
  control = "required";
  mode = "challenge-response";
  # challenge-response needs a configuration written to the Yubikey with the
  # Yubikey Personalization Tool (installed below); then a "challenge" file is
  # written to ~/.yubico with the command "ykpamcfg -2 -v"
  # id generated by: nix-shell --command 'ykinfo -s' -p yubikey-personalization
  id = [ "12345678" ];
};

environment.systemPackages = with pkgs; [
  wget
  yubioath-flutter
  yubikey-manager-qt
  yubikey-touch-detector
  yubikey-personalization-gui
  yubikey-manager
  pam_u2f
  yubikey-personalization
  libu2f-host
  yubico-pam
];
I think the module pam_u2f may not be required.

I followed Yubikey - NixOS Wiki, and used the “yubico-pam” section.
The 2nd step “ykman otp chalresp --touch --generate 2” did not work for me, so I used the Yubikey Personalization Tool to put the configuration into slot 2 of my Yubikey.

Good Luck.

I’m not sure. I can say for certain yubico doesn’t appear in the Nix plaintext, anywhere in my system configurations. (Though Yubico does for the filepath for the u2f keys).

╭ zeph  ~  356ms
╰🡒  ykman info
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection
Device type: YubiKey 5 NFC
Serial number: [redact]
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO, CCID
NFC transport is enabled

Applications	USB     	NFC
Yubico OTP  	Disabled	Enabled
FIDO U2F    	Enabled 	Enabled
FIDO2       	Enabled 	Enabled
OATH        	Disabled	Enabled
PIV         	Enabled 	Enabled
OpenPGP     	Enabled 	Enabled
YubiHSM Auth	Disabled	Enabled

(Note how my OTP part of my yubikey is disabled)

Maybe you have the FIDO U2F applet disabled?

Otherwise, I’m not sure :confused:

I just tested this again though:

❯ pamu2fcfg
Enter PIN for /dev/hidraw10:
cole:c2OtN[redact]XsaPA==,es256,+presence%  

I typed my FIDO2 pin and then had to tap the device to finalize. I don’t have PIV configured at all on these yubikeys.

This is a different string than the one I already had for this yubikey, but the existing one still works too (just confirmed by locking Cosmic and tapping my yubikey to unlock it). And a good exercise to do, I actually needed to enroll my USB-C for PAM.

Ah-ha… I didn’t know to tap the Yubikey. I typed in the FIDO2 pin, pressed Enter, and thought it hung!

Thanks.
