From patchwork Mon Nov 21 20:02:56 2022
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 44758
Subject: [bug#59454] [PATCH] doc: Add a security keys section to the cookbook.
Resent-From: Maxim Cournoyer
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 21 Nov 2022 20:04:02 +0000
X-GNU-PR-Message: report 59454
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 59454@debbugs.gnu.org
Cc: Maxim Cournoyer
From: Maxim Cournoyer
Date: Mon, 21 Nov 2022 15:02:56 -0500
Message-Id: <20221121200256.2680-1-maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.38.1

* doc/guix-cookbook.texi (Top): Register new menu.
(System Configuration): Likewise.
(Using security keys): New section.
---
 doc/guix-cookbook.texi | 59 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

base-commit: fe3be8d5e04804dadd84c7a909e1f85fe52080f3

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index f371364746..7a7877bd00 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -21,6 +21,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@* Copyright @copyright{} 2020 André Batista@* Copyright @copyright{} 2020 Christine Lemmer-Webber@* Copyright @copyright{} 2021 Joshua Branson@* +Copyright @copyright{} 2022 Maxim Cournoyer* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or
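Review bot: the added copyright line `+Copyright @copyright{} 2022 Maxim Cournoyer*` is missing the `@` of the `@*` line-break command that every neighbouring line ends with (`Copyright @copyright{} 2021 Joshua Branson@*`); as written, Texinfo emits a literal asterisk and runs the name into the following paragraph instead of breaking the line. It should read `+Copyright @copyright{} 2022 Maxim Cournoyer@*`.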
@@ -95,6 +96,7 @@ System Configuration * Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY * Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System. * Guix System Image API:: Customizing images to target specific platforms. +* Using security keys:: How to use security keys with Guix System. * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN. * Customizing a Window Manager:: Handle customization of a Window manager on Guix System. * Running Guix on a Linode Server:: Running Guix on a Linode Server. Running Guix on a Linode Server @@ -1380,6 +1382,7 @@ reference. * Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY * Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System. * Guix System Image API:: Customizing images to target specific platforms. +* Using security keys:: How to use security keys with Guix System. * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN. * Customizing a Window Manager:: Handle customization of a Window manager on Guix System. * Running Guix on a Linode Server:: Running Guix on a Linode Server 
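Review bot: the two new menu entries `* Using security keys:: How to use security keys with Guix System.` break the title-case convention of the surrounding entries (`Customizing the Kernel`, `Guix System Image API`, `Connecting to Wireguard VPN`); suggest `* Using Security Keys::` in both the Top menu and the System Configuration menu, with the `@node` and `@section` names in the new section renamed to match, since a menu entry and its node name must agree exactly. The description could also say what the recipe actually covers (udev rules and group membership for a FIDO2/U2F key) rather than restating the title.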
@@ -1883,6 +1886,62 @@ guix system image --image-type=hurd-qcow2 my-hurd-os.scm will instead produce a Hurd QEMU image. +@node Using security keys +@section Using security keys +@cindex 2FA, two-factor authentication +@cindex security key, configuration + +The use of security keys can improve your security by providing a second +authentication source that cannot be easily stolen or copied (similar to +the protection provided by mechanical keys for the door of your home or +apartment), which reduces the risk of impersonation. + +The example configuration detailed below showcases what minimal +configuration needs to be made on your Guix System to allow the use of a +Yubico security key. We hope the configuration can be useful for other +security keys as well, with minor adjustments. + +@subsection Configuration for use as a two-factor authenticator (2FA) + +Two be usable, the udev rules of the system should be extended with +key-specific rules. The following show how to extend your udev rules +with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by +the @code{libfido2} package from the @code{(gnu packages +security-token)} module and add your user to the @samp{"plugdev"} group +it uses: + +@lisp +(use-package-modules ... security-token ...) +... +(operating-system + ... + (users (cons* (user-account + (name "your-user") + (group "users") + (supplementary-groups + '("wheel" "netdev" "audio" "video" + "plugdev")) ;<- added system group + (home-directory "/home/your-user")) + %base-user-accounts)) + ... + (services + (cons* + ... + (udev-rules-service 'fido2 libfido2 #:groups '("plugdev"))))) +@end lisp + +After re-configuring your system and re-login to your graphical session, +you can verify that your key is usable by launching: + +@example +guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys +@end example + +and validating that the security key can be reset via the ``Reset your +security key'' menu. 
If it works, congratulations, your security key is +ready to be used with applications supporting two-factors authentication +(2FA). + @node Connecting to Wireguard VPN @section Connecting to Wireguard VPN
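Review bot: the verification step tells the reader to confirm the key works via Chromium's ``Reset your security key'' menu, but completing a FIDO2 reset wipes the authenticator's resident credentials and PIN, so the text should either say to stop as soon as the key is detected and not confirm the reset, or use a non-destructive check from the same libfido2 package the recipe already installs: `guix shell libfido2 -- fido2-token -L` lists the attached authenticators and modifies nothing, and because it goes through the same udev rules and `plugdev` membership, it exercises exactly what the recipe configures. Smaller points in the same hunk: `Two be usable` should be `To be usable`; `The following show how` should be `The following shows how`; `two-factors authentication` should be `two-factor authentication`; and `re-login to your graphical session` reads better as `logging back in to your graphical session`, ideally with a sentence noting that the new supplementary group only applies to sessions started after the reconfiguration.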