author | Ben Sima <ben@bsima.me> | 2022-01-31 16:45:55 -0500 |
committer | Ben Sima <ben@bsima.me> | 2022-01-31 16:45:55 -0500 |
commit | e18ad25efd2768e597aaa9f94071ed47cb65803f (patch) | |
tree | 49acc2974cdfde65d35328563134ce12cb0369b3 | |
parent | a3be270668ae5780f3ef0437b088870ebbf8e011 (diff) |
yubikey login on helium
This allows me to login and sudo with *either* a password or my yubikey.
I also had to set up my yubikey with the instructions here:
https://nixos.wiki/wiki/Yubikey#Logging-in
Basically use ykman and ykpamcfg to generate a challenge-response setup
on slot 2 of my yubikey. The pam config compares the key response with
the ~/.yubico/challenge-* file in order to authenticate. I think pam
uses the ~/.yubico/authorized_keys file to know to which yubikey to send
the challenge, but I'm not sure on that one.
-rw-r--r-- | lib/authorized_yubikeys | 1 | ||||
-rw-r--r-- | lib/common.nix | 4 | ||||
-rw-r--r-- | lib/linux.nix | 1 | ||||
-rw-r--r-- | machines/helium.nix | 11 |
4 files changed, 15 insertions, 2 deletions
diff --git a/lib/authorized_yubikeys b/lib/authorized_yubikeys
new file mode 100644
index 0000000..9e4c5a6
--- /dev/null
+++ b/lib/authorized_yubikeys
@@ -0,0 +1 @@
+ben:cccccchklur
diff --git a/lib/common.nix b/lib/common.nix
index c977cdb..0fa9302 100644
--- a/lib/common.nix
+++ b/lib/common.nix
@@ -32,6 +32,10 @@ in
   keyboard.options = [ "caps:ctrl_modifier" ];
   file = {
+    yubikeys = {
+      source = ./authorized_yubikeys;
+      target = ".yubico/authorized_yubikeys";
+    };
     editorconfig = {
       source = ./editorconfig;
       target = ".editorconfig";
diff --git a/lib/linux.nix b/lib/linux.nix
index c98124f..912e8bc 100644
--- a/lib/linux.nix
+++ b/lib/linux.nix
@@ -135,6 +135,7 @@ in
     xterm
     yank
     youtube-dl
+    yubioath-desktop
     zathura
     # languages i regularly use
diff --git a/machines/helium.nix b/machines/helium.nix
index dda6569..564dd28 100644
--- a/machines/helium.nix
+++ b/machines/helium.nix
@@ -7,7 +7,11 @@ let
 in {
   imports = [ ./users.nix ];
-  security.sudo.wheelNeedsPassword = false;
+  security.sudo.wheelNeedsPassword = true;
+  security.pam.yubico.enable = true;
+  security.pam.yubico.debug = false;
+  security.pam.yubico.control = "sufficient"; # use yubikey in lieu of password
+  security.pam.yubico.mode = "challenge-response";
   boot.initrd.availableKernelModules = [
     "ehci_pci"
     "ahci"
@@ -39,7 +43,10 @@ in {
     fira fira-code fira-code-symbols
   ];
-  environment.systemPackages = [
+  environment.systemPackages = with pkgs; [
+    yubioath-desktop
+    yubico-pam
+    yubikey-manager
   ];
   nixpkgs = {
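Review bot: The `ben:cccccchklur` mapping added here, and installed as `.yubico/authorized_yubikeys` by the lib/common.nix hunk, is the user-to-public-ID table that pam_yubico consults in OTP mode; in the `challenge-response` mode selected in machines/helium.nix the module matches against the per-key `~/.yubico/challenge-<serial>` file instead, so this file is likely never read — worth confirming rather than leaving the uncertainty the commit message admits to. If it is kept, a comment in lib/authorized_yubikeys such as `# <user>:<yubikey public id> — only consulted by pam_yubico in OTP mode` would spare the next reader the same question. The value is a public identifier, not a secret, so committing it is fine.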
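Review bot: With `control = "sufficient"` gating both login and sudo, the expected challenge-response lives in a file under the same user's `$HOME/.yubico` that the sudo check is meant to protect, so the data deciding sudo success is writable by the unprivileged user; the NixOS option `security.pam.yubico.challengeResponsePath` lets you keep the challenge files in a root-owned directory instead (e.g. `security.pam.yubico.challengeResponsePath = "/var/lib/yubico";` — placeholder path, pick your own). If slot 2 was programmed without requiring touch, any process running as the user can satisfy sudo silently while the key is plugged in, so consider re-programming the slot with touch required and noting that in the inline comment. `security.pam.yubico.debug = false;` is, as far as I know, the default and can be dropped, and `yubioath-desktop` is now listed both here and in lib/linux.nix, while `yubico-pam` should already be pulled in by enabling the PAM module. The enclosing attribute set in both helium.nix hunks starts and ends outside the hunk.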