yubikey login on helium

This allows me to login and sudo with *either* a password or my yubikey. I also had to setup my yubikey with the instructions here: https://nixos.wiki/wiki/Yubikey#Logging-in Basically use ykman and ykpamcfg to generate a challenge-response setup on slot 2 of my yubikey. The pam config compares the key response with the ~/.yubico/challenge-* file in order to authenticate. I think pam uses the ~/.yubico/authorized_keys file to know to which yubikey to send the challenge, but I'm not sure on that one.
author: Ben Sima <ben@bsima.me> 2022-01-31 16:45:55 -0500
committer: Ben Sima <ben@bsima.me> 2022-01-31 16:45:55 -0500
commit: e18ad25efd2768e597aaa9f94071ed47cb65803f (patch)
tree: 49acc2974cdfde65d35328563134ce12cb0369b3 /machines
parent: a3be270668ae5780f3ef0437b088870ebbf8e011 (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/machines/helium.nix b/machines/helium.nix
index dda6569..564dd28 100644
--- a/machines/helium.nix
+++ b/machines/helium.nix
@@ -7,7 +7,11 @@ let
 in {
   imports = [ ./users.nix ];
 
-  security.sudo.wheelNeedsPassword = false;
+  security.sudo.wheelNeedsPassword = true;
+  security.pam.yubico.enable = true;
+  security.pam.yubico.debug = false;
+  security.pam.yubico.control = "sufficient";  # use yubikey in lieu of password
+  security.pam.yubico.mode = "challenge-response";
 
   boot.initrd.availableKernelModules = [
     "ehci_pci" "ahci"
@@ -39,7 +43,10 @@ in {
     fira fira-code fira-code-symbols
   ];
 
-  environment.systemPackages = [
+  environment.systemPackages = with pkgs; [
+    yubioath-desktop
+    yubico-pam
+    yubikey-manager
   ];
 
   nixpkgs = {
author	Ben Sima <ben@bsima.me>	2022-01-31 16:45:55 -0500
committer	Ben Sima <ben@bsima.me>	2022-01-31 16:45:55 -0500
commit	e18ad25efd2768e597aaa9f94071ed47cb65803f (patch)
tree	49acc2974cdfde65d35328563134ce12cb0369b3 /machines
parent	a3be270668ae5780f3ef0437b088870ebbf8e011 (diff)