Message ID | 5de34b432e5a0fe9cb3728184e6f7a9dd2f38eaf.1690401404.git.maxim.cournoyer@gmail.com |
---|---|
State | New |
Series | [bug#64882] doc: cookbook: Document how to disable the Yubikey OTP application. |
Hi Maxim,

On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:

> * doc/guix-cookbook.texi (Using security keys) > <Disabling OTP code generation for a Yubikey>: New subsection. > --- > doc/guix-cookbook.texi | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi > index 2e58c6c795..8f2cb2369e 100644 > --- a/doc/guix-cookbook.texi > +++ b/doc/guix-cookbook.texi > @@ -2022,6 +2022,18 @@ Using security keys > ready to be used with applications supporting two-factor authentication > (2FA). > > +@subsection Disabling OTP code generation for a Yubikey > +@cindex disabling yubikey OTP > +If you use a Yubikey security key and are irritated by the spurious OTP > +codes it generates when inadvertently touching the key (e.g. causing you > +to become a spammer in the @samp{#guix} channel when discussing from > +your favorite IRC client!), you can disable it via the following > +@command{ykman} command: > + > +@example > +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP > +@end example > + > @node Connecting to Wireguard VPN > @section Connecting to Wireguard VPN > > > base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47

I'm not necessarily against it, but this seems only related to yubikey management in general (on Linux), rather than anything specific to Guix. Of course, 'guix shell' is a handy way to do this, I just don't know if this is needed in the cookbook. Then again, I guess the cookbook is a way to build up associated knowledge for Guix, which won't be included directly in the manual.

Otherwise, LGTM, but a user should be aware if they are using/needed OTP before disabling it.

John
Hi John,

John Kehayias <john.kehayias@protonmail.com> writes:

> Hi Maxim,
>
> On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:
>
>> * doc/guix-cookbook.texi (Using security keys) >> <Disabling OTP code generation for a Yubikey>: New subsection. >> --- >> doc/guix-cookbook.texi | 12 ++++++++++++ >> 1 file changed, 12 insertions(+) >> >> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi >> index 2e58c6c795..8f2cb2369e 100644 >> --- a/doc/guix-cookbook.texi >> +++ b/doc/guix-cookbook.texi 
>> @@ -2022,6 +2022,18 @@ Using security keys >> ready to be used with applications supporting two-factor authentication >> (2FA). >> >> +@subsection Disabling OTP code generation for a Yubikey >> +@cindex disabling yubikey OTP >> +If you use a Yubikey security key and are irritated by the spurious OTP >> +codes it generates when inadvertently touching the key (e.g. causing you >> +to become a spammer in the @samp{#guix} channel when discussing from >> +your favorite IRC client!), you can disable it via the following >> +@command{ykman} command: >> + >> +@example >> +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP >> +@end example >> + >> @node Connecting to Wireguard VPN >> @section Connecting to Wireguard VPN >> >> >> base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
>
> I'm not necessarily against it, but this seems only related to yubikey
> management in general (on Linux), rather than anything specific to Guix.
> Of course, 'guix shell' is a handy way to do this, I just don't know if
> this is needed in the cookbook. Then again, I guess the cookbook is a
> way to build up associated knowledge for Guix, which won't be included
> directly in the manual.

You are right that it's not specifically related to Guix, but I expect users going through setting up a Yubikey on Guix to want to know how to do that (I spent months spamming #guix with OTP codes before Ricardo shared that tip with me, so it was not easy to discover). The Cookbook as I understand it is a loose collection of knowledge of how to do things using Guix, and is distinct from the user manual.

> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
> before disabling it.

I'm not sure when OTP is useful; it's not useful for the current use case I'm using my Yubikey (which is currently the two-factor authentication on web sites).
Hi Maxim,

On Thu, Jul 27, 2023 at 03:25 PM, Maxim Cournoyer wrote:

> Hi John,
>
> John Kehayias <john.kehayias@protonmail.com> writes:
>
>> I'm not necessarily against it, but this seems only related to yubikey
>> management in general (on Linux), rather than anything specific to Guix.
>> Of course, 'guix shell' is a handy way to do this, I just don't know if
>> this is needed in the cookbook. Then again, I guess the cookbook is a
>> way to build up associated knowledge for Guix, which won't be included
>> directly in the manual.
>
> You are right that it's not specifically related to Guix, but I expect
> users going through setting up a Yubikey on Guix to want to know how to do
> that (I spent months spamming #guix with OTP codes before Ricardo shared
> that tip with me, so it was not easy to discover). The Cookbook as I
> understand it is a loose collection of knowledge of how to do things
> using Guix, and is distinct from the user manual.

Sure. I'm not opposed, just wanted to make sure I was clear(ish) on what goes in there. I'm all for collecting more information to help out Guix users.

>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>> before disabling it.
>
> I'm not sure when OTP is useful; it's not useful for the current use
> case I'm using my Yubikey (which is currently the two-factor
> authentication on web sites).

I checked and I have OTP disabled on my Yubikey as well; I used 'ykman info' to see. I use it as my smart card essentially (as the keys for passwords, SSH, signing commits, etc.) as well as two-factor codes.

I found this <https://www.yubico.com/resources/glossary/yubico-otp/> about OTP. If I remember now, it is a service that some sites will use to use your Yubikey for authentication, as I think LastPass had support for (I no longer use that). I think U2F is more ubiquitous and used more now anyway. But it is enabled by default and I would guess many people don't use it.

John
Hi!

John Kehayias <john.kehayias@protonmail.com> writes:

[...]

>>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>>> before disabling it.
>>
>> I'm not sure when OTP is useful; it's not useful for the current use
>> case I'm using my Yubikey (which is currently the two-factor
>> authentication on web sites).
>
> I checked and I have OTP disabled on my Yubikey as well; I used 'ykman
> info' to see. I use it as my smart card essentially (as the keys for
> passwords, SSH, signing commits, etc.) as well as two-factor codes.
>
> I found this <https://www.yubico.com/resources/glossary/yubico-otp/>
> about OTP. If I remember now, it is a service that some sites will use
> to use your Yubikey for authentication, as I think LastPass had
> support for (I no longer use that). I think U2F is more ubiquitous and
> used more now anyway. But it is enabled by default and I would guess
> many people don't use it.

The yubikey-manager-qt package has since been added, providing a GUI to do the same, so I've expounded the how-to with it, and installed the change.

Thanks for the review!
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index 2e58c6c795..8f2cb2369e 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -2022,6 +2022,18 @@ Using security keys ready to be used with applications supporting two-factor authentication (2FA). +@subsection Disabling OTP code generation for a Yubikey +@cindex disabling yubikey OTP +If you use a Yubikey security key and are irritated by the spurious OTP +codes it generates when inadvertently touching the key (e.g. causing you +to become a spammer in the @samp{#guix} channel when discussing from +your favorite IRC client!), you can disable it via the following +@command{ykman} command: + +@example +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP +@end example + @node Connecting to Wireguard VPN @section Connecting to Wireguard VPN
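Review bot: The paragraph added ahead of the @example block tells the reader to run ykman with --disable OTP but never says what is lost or how to undo it. Disabling the OTP application on the USB interface turns off everything served from the key's OTP slots, not only the accidental keystrokes, so the text should ask readers to confirm they do not rely on it first ('ykman info' lists which applications are enabled) and should mention that 'ykman config usb --enable OTP' restores it. The --force flag deserves a short explanation as well: it suppresses ykman's confirmation prompt, so a copy-pasted command changes the device configuration without asking. Minor points in the same paragraph: 'you can disable it' has no clear antecedent (the OTP application is meant), and the vendor spells the product 'YubiKey'.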