From e18ad25efd2768e597aaa9f94071ed47cb65803f Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Mon, 31 Jan 2022 16:45:55 -0500 Subject: yubikey login on helium This allows me to login and sudo with *either* a password or my yubikey. I also had to setup my yubikey with the instructions here: https://nixos.wiki/wiki/Yubikey#Logging-in Basically use ykman and ykpamcfg to generate a challenge-response setup on slot 2 of my yubikey. The pam config compares the key response with the ~/.yubico/challenge-* file in order to authenticate. I think pam uses the ~/.yubico/authorized_keys file to know to which yubikey to send the challenge, but I'm not sure on that one. --- lib/authorized_yubikeys | 1 + lib/common.nix | 4 ++++ lib/linux.nix | 1 + 3 files changed, 6 insertions(+) create mode 100644 lib/authorized_yubikeys (limited to 'lib') diff --git a/lib/authorized_yubikeys b/lib/authorized_yubikeys new file mode 100644 index 0000000..9e4c5a6 --- /dev/null +++ b/lib/authorized_yubikeys @@ -0,0 +1 @@ +ben:cccccchklur diff --git a/lib/common.nix b/lib/common.nix index c977cdb..0fa9302 100644 --- a/lib/common.nix +++ b/lib/common.nix @@ -32,6 +32,10 @@ in keyboard.options = [ "caps:ctrl_modifier" ]; file = { + yubikeys = { + source = ./authorized_yubikeys; + target = ".yubico/authorized_yubikeys"; + }; editorconfig = { source = ./editorconfig; target = ".editorconfig"; diff --git a/lib/linux.nix b/lib/linux.nix index c98124f..912e8bc 100644 --- a/lib/linux.nix +++ b/lib/linux.nix @@ -135,6 +135,7 @@ in xterm yank youtube-dl + yubioath-desktop zathura # languages i regularly use -- cgit v1.2.3
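Review bot: in lib/authorized_yubikeys, the token ID in the added line `ben:cccccchklur` is 11 characters long. The pam_yubico mapping format is `user:token_id`, where the token ID is the 12-character modhex public ID that prefixes every OTP the key emits, so this entry looks one character short. Please compare it with the first 12 characters of a fresh OTP from the key and correct it if a character was dropped.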
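Review bot: in lib/common.nix, the new `yubikeys` entry installs `.yubico/authorized_yubikeys`, but the commit message says it is unclear whether PAM reads that file, and none of the three files in this patch carries the PAM configuration that would answer it. pam_yubico consults this user-to-token mapping in its OTP (client) mode; in challenge-response mode it authenticates against the `~/.yubico/challenge-*` file instead. Suggest a comment on the entry saying which mode depends on it, or dropping the entry if the setup is challenge-response only, and noting in the message where the PAM change itself lives so the "either a password or my yubikey" behaviour can be reviewed alongside this.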
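Review bot: in lib/linux.nix, the added `yubioath-desktop` is the OATH (TOTP/HOTP) authenticator GUI, which is unrelated to the login flow this commit describes. The commit message names `ykman` and `ykpamcfg` as the tools used to program slot 2 and create the challenge file, and neither is added here (they come from the yubikey-manager and yubico-pam packages respectively). Suggest adding the tools the setup actually needs so it is reproducible on a fresh machine, and moving `yubioath-desktop` to its own commit or mentioning it in the message.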