[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
branch master updated: doc: Add a security keys section to the cookbook.
From: |
guix-commits |
Subject: |
branch master updated: doc: Add a security keys section to the cookbook. |
Date: |
Thu, 24 Nov 2022 20:53:03 -0500 |
This is an automated email from the git hooks/post-receive script.
apteryx pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new d524ec6fb5 doc: Add a security keys section to the cookbook.
d524ec6fb5 is described below
commit d524ec6fb595adbd33d3efda562041bb59d7505a
Author: Maxim Cournoyer <maxim.cournoyer@gmail.com>
AuthorDate: Mon Nov 21 14:49:04 2022 -0500
doc: Add a security keys section to the cookbook.
* doc/guix-cookbook.texi (Top): Register new menu.
(System Configuration): Likewise.
(Using security keys): New section.
---
doc/guix-cookbook.texi | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index f371364746..af08d4ed54 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,6 +21,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
+Copyright @copyright{} 2022 Maxim Cournoyer*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -95,6 +96,7 @@ System Configuration
* Auto-Login to a Specific TTY:: Automatically Login a User to a Specific
TTY
* Customizing the Kernel:: Creating and using a custom Linux kernel
on Guix System.
* Guix System Image API:: Customizing images to target specific
platforms.
+* Using security keys:: How to use security keys with Guix System.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager
on Guix System.
* Running Guix on a Linode Server:: Running Guix on a Linode Server. Running
Guix on a Linode Server
@@ -1380,6 +1382,7 @@ reference.
* Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY
* Customizing the Kernel:: Creating and using a custom Linux kernel on
Guix System.
* Guix System Image API:: Customizing images to target specific
platforms.
+* Using security keys:: How to use security keys with Guix System.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager on
Guix System.
* Running Guix on a Linode Server:: Running Guix on a Linode Server
@@ -1883,6 +1886,65 @@ guix system image --image-type=hurd-qcow2 my-hurd-os.scm
will instead produce a Hurd QEMU image.
+@node Using security keys
+@section Using security keys
+@cindex 2FA, two-factor authentication
+@cindex U2F, Universal 2nd Factor
+@cindex security key, configuration
+
+The use of security keys can improve your security by providing a second
+authentication source that cannot be easily stolen or copied, at least
+for a remote adversary (something that you have), to the main secret (a
+passphrase -- something that you know), reducing the risk of
+impersonation.
+
+The example configuration detailed below showcases what minimal
+configuration needs to be made on your Guix System to allow the use of a
+Yubico security key. It is hoped the configuration can be useful for
+other security keys as well, with minor adjustments.
+
+@subsection Configuration for use as a two-factor authenticator (2FA)
+
+To be usable, the udev rules of the system should be extended with
+key-specific rules. The following shows how to extend your udev rules
+with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
+the @code{libfido2} package from the @code{(gnu packages
+security-token)} module and add your user to the @samp{"plugdev"} group
+it uses:
+
+@lisp
+(use-package-modules ... security-token ...)
+...
+(operating-system
+ ...
+ (users (cons* (user-account
+ (name "your-user")
+ (group "users")
+ (supplementary-groups
+ '("wheel" "netdev" "audio" "video"
+ "plugdev")) ;<- added system group
+ (home-directory "/home/your-user"))
+ %base-user-accounts))
+ ...
+ (services
+ (cons*
+ ...
+ (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
+@end lisp
+
+After re-configuring your system and re-logging in your graphical
+session so that the new group is in effect for your user, you can verify
+that your key is usable by launching:
+
+@example
+guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
+@end example
+
+and validating that the security key can be reset via the ``Reset your
+security key'' menu. If it works, congratulations, your security key is
+ready to be used with applications supporting two-factor authentication
+(2FA).
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- branch master updated: doc: Add a security keys section to the cookbook.,
guix-commits <=