Wed 18 July 2018

Filed under Gentoo

Tags gentoo yubikey

The story

It has been a while since I got my Yubikey from Harry Chen. Now that I'm back working on Gentoo, it is time to explore what the Yubikey can do on Linux. Instead of using the Yubikey only as an OpenPGP card, its U2F function can serve for more than logging you into Google. In this article, we'll show how to make the Yubikey a convenient and secure login token for Linux systems: log in with a plug and a touch, and lock the session when the token is removed.

U2F capability for PAM

U2F can be used locally on Linux systems thanks to the pam_u2f module by Yubico. Emerge sys-auth/pam_u2f and add the active user (jsteward in my case) to the usb group so that it can access the device (both commands run as root):

emerge -av sys-auth/pam_u2f
gpasswd -a jsteward usb

Note: log out and back in for the new group membership to take effect.

Register the device

Make sure the kernel is built with the appropriate options (CONFIG_HIDRAW and CONFIG_USB_HIDDEV). Plug in the device and check dmesg to see that the kernel detects it correctly. We can then set up the authorization mapping, which registers the device to the user who will use it:

mkdir -p ~/.config/Yubico
pamu2fcfg -ujsteward > ~/.config/Yubico/u2f_keys

Touch the device when its LED starts blinking. Verify that the device is registered by checking the contents of ~/.config/Yubico/u2f_keys. To use multiple keys, register each device into a separate file (e.g. u2f_keys.2) and merge them into a single u2f_keys in the following format, with all keys of a user on one line (pamu2fcfg's -n/--nouser option prints an entry without the leading username so it can be appended directly to that line):

jsteward:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
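A small sanity check for the mapping file, added here as an example (it is not from the original post or from pam_u2f): it parses the format above, counts the entries on a user's line, and refuses a file that other users can write, because anyone who can write ~/.config/Yubico/u2f_keys can append their own key handle and pass the pam_u2f step as that user. The function names are mine, the sample files and the key handle/public key strings in them are constructed (not real credentials), and the script assumes a POSIX shell with GNU stat (stat -c %A):

```shell
#!/bin/sh
# Added example: sanity-check a pam_u2f mapping file (u2f_keys).
# Line format, one line per user:  user:KeyHandle1,UserKey1:KeyHandle2,UserKey2:...

# u2f_entries FILE USER -> prints the number of well-formed entries on USER's line,
# or 0 if the line is missing or any entry is malformed.
u2f_entries() (
    _line=$(grep -- "^$2:" "$1" 2>/dev/null || true)
    [ -n "$_line" ] || { echo 0; return; }
    IFS=:                         # entries are colon-separated (subshell, so IFS stays local)
    _n=0
    for _e in ${_line#*:}; do     # drop the leading "user:" and split on ':'
        case "$_e" in *,*) ;; *) echo 0; return ;; esac
        _kh=${_e%%,*}; _pk=${_e#*,}
        # KeyHandle and UserKey are base64(url) text; both must be present and clean
        if [ -z "$_kh" ] || [ -z "$_pk" ] \
           || printf '%s%s' "$_kh" "$_pk" | grep -q '[^A-Za-z0-9+/_=-]'; then
            echo 0; return
        fi
        _n=$((_n + 1))
    done
    echo "$_n"
)

# u2f_check FILE USER -> 0 if FILE is safe to trust for USER, 1 otherwise (reason on stderr)
u2f_check() {
    _f=$1; _u=$2
    [ -f "$_f" ] || { echo "$_f: missing" >&2; return 1; }
    # Anyone who can write this file can add their own key and log in as $_u,
    # so group/world write permission is a hard failure.  (GNU stat assumed.)
    case "$(stat -c %A "$_f")" in
        ?????w*|????????w*) echo "$_f: writable by group or others" >&2; return 1 ;;
    esac
    _lines=$(grep -c -- "^${_u}:" "$_f" || true)
    [ "$_lines" -eq 1 ] || { echo "$_f: expected one line for $_u, found $_lines" >&2; return 1; }
    _n=$(u2f_entries "$_f" "$_u")
    [ "$_n" -ge 1 ] || { echo "$_f: malformed entry for $_u" >&2; return 1; }
    echo "$_f: $_n key(s) registered for $_u"
}

# Constructed samples for the demo; the key handles and public keys are made-up
# strings, not real credentials.  Prints the temporary directory they live in.
u2f_make_samples() {
    _d=$(mktemp -d)
    printf 'jsteward:%s,%s:%s,%s\n' \
        'kh1-constructedKeyHandle' 'pk1constructedUserKey' \
        'kh2-constructedKeyHandle' 'pk2constructedUserKey' > "$_d/good"
    chmod 600 "$_d/good"
    cp "$_d/good" "$_d/writable"; chmod 666 "$_d/writable"   # same keys, unsafe mode
    printf 'jsteward:%s,%s:%s\n' 'kh1' 'pk1' 'kh2-missing-userkey' > "$_d/malformed"
    chmod 600 "$_d/malformed"
    echo "$_d"
}

# Run the check over the three samples: only "good" is accepted.
u2f_demo() {
    _d=$(u2f_make_samples)
    for _f in good writable malformed; do
        u2f_check "$_d/$_f" jsteward || echo "  -> rejected"
    done
    rm -rf "$_d"
}
u2f_demo
```

To check your own file, run `u2f_check ~/.config/Yubico/u2f_keys "$USER"` after sourcing the functions; a rejected file should be fixed (chmod 600, one line per user) before pam_u2f is made sufficient.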

Configure PAM module

We want to use our Yubikey for system authentication, which includes logins (DE or tty), session unlock (screensaver), sudo, and more. Place the following line in /etc/pam.d/system-auth:

auth        sufficient  pam_u2f.so cue

Just above the following existing line in the file:

auth        required    pam_unix.so try_first_pass likeauth nullok

Note: the cue parameter makes the module print "Please touch the device." while it waits for the touch, so the user does not mistake the pause for a hung system.

This lets you authenticate with the Yubikey alone, without a password. Note that possession of the key is then the only factor: whoever holds it can log in as you. To use the Yubikey as a second factor instead, change sufficient to required, so that both the key and the password are checked. Authentication then fails whenever the Yubikey is not present or is not touched in time.

Warning: system-auth affects all authentications, including remote ones. Think twice before using required for pam_u2f on a server.

Warning: a broken PAM configuration can lock you out of the system, which is then only recoverable from a LiveCD or by booting with init=/bin/bash. Keep a root shell open in another terminal while testing.

Test the configuration by logging in or running sudo. SDDM logins are a little tricky because of the way it is designed: press Login without entering a password, then touch the device.
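The two variants side by side, as an added illustration rather than a file from the original post; only the auth lines the post quotes are shown, the rest of Gentoo's system-auth is left untouched, and the nouserok option comes from pam_u2f's own documentation (check that the version you installed has it):

```text
# /etc/pam.d/system-auth, auth section only.
# Variant A: the key alone logs you in; with no key (or no touch) the stack
# falls through to the password, so the key is a convenience, not a second factor.
auth        sufficient  pam_u2f.so cue
auth        required    pam_unix.so try_first_pass likeauth nullok

# Variant B: key AND password (a real second factor). Every login, local or remote,
# now needs a touch. nouserok lets accounts that have no u2f_keys file fall back to
# password only, which avoids locking out users who never registered a key but also
# means that deleting a user's u2f_keys downgrades that user to a single factor.
auth        required    pam_u2f.so cue nouserok
auth        required    pam_unix.so try_first_pass likeauth nullok
```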

Lock the session when Yubikey gets removed

This works with a simple udev rule. For an easy way of locking sessions, use elogind instead of the default ConsoleKit on Gentoo, as described in the Gentoo Wiki page for elogind. Put the following rule (a single line) in /etc/udev/rules.d/20-yubikey.rules:

ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_MODEL_ID}=="0407", ENV{ID_VENDOR_ID}=="1050", RUN+="/bin/loginctl lock-sessions"

Check your Yubikey's VID:PID pair with lsusb and substitute 1050:0407 accordingly. The product ID depends on which USB interfaces (OTP, U2F, CCID) are enabled on the key, so if you switch modes, match only ENV{ID_VENDOR_ID}=="1050" and drop the ENV{ID_MODEL_ID} condition. Reload the udev rules:

sudo udevadm control --reload-rules

Unplug your Yubikey to see the rule in action.


Mon 16 July 2018

Filed under Gentoo

Tags gentoo gsoc

Preface

Compiling is the main source of time consumption on a Gentoo system, and Portage-powered Android is no exception. Gentoo packages can leverage Distcc to significantly speed up builds on slow machines with the aid of a powerful machine. For utilization in the Portage-powered Android project, we need to …

Read More

Thu 05 July 2018

Filed under Gentoo

Tags gentoo android gsoc

Introduction

The Linux kernel is the most important component of any system based on it, be it Gentoo Linux or Android. The user may want to tweak the kernel to enable functions that userspace utilities need (e.g. LVM, FUSE, Netfilter, etc.), so being able to tweak the …

Read More

Fri 25 May 2018

Filed under Gentoo

Tags android gentoo gsoc

Preface

As we now have preinit and the crucial UART console available, we can start bringing up the real GNU/Linux system--Gentoo Linux in this case. This article will focus on the following topics:

  • Filesystem structure and mounting procedure (in detail)
  • Launch sequence to bring up OpenRC
  • Crafting a preinit …
Read More

Sat 05 May 2018

Filed under Gentoo

Tags gentoo linux virtualization

The story

After struggling with HiDPI issues on native GNU/Linux and battery life issues on macOS, I resorted to using Windows 10 as the main operating system on my laptop. Though there's WSL, it's not running Gentoo and has severely degraded performance. As crossdev is really easy to …

Read More

Personal details (portrait, CV) © Pengcheng Xu All Rights Reserved; articles licensed under CC BY-SA 4.0.
Powered by Pelican, Bootstrap, and NixOS. Icons by Font Awesome. Generated from 0bd1d30.