GNU bug report logs - #59454
[PATCH] doc: Add a security keys section to the cookbook.

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix-patches; Reported by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>; Keywords: patch moreinfo; dated Mon, 21 Nov 2022 20:04:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.
Added tag(s) moreinfo. Request was from Christopher Baines <mail@HIDDEN> to control <at> debbugs.gnu.org.

Message received at 59454 <at> debbugs.gnu.org:


Date: Wed, 23 Nov 2022 04:11:40 +0000
To: 59454 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
From: John Kehayias <john.kehayias@HIDDEN>
Subject: Re: [PATCH] doc: Add a security keys section to the cookbook.
Message-ID: <877czmfgy5.fsf@HIDDEN>

Hi Maxim,

Thanks for this addition, I think it will definitely be useful to many people. Overall it looks good, a few minor notes on the text after I add some of my confusion to the udev rules question.

For the udev rules, I tried without the plugdev group and it seemed like everything worked for me (though note I also use the pcscd service). In the past, I've had the plugdev group for the udev rules but not my user. I'm not sure why that is, perhaps the "uaccess" part of the rules? (I don't know much about this at all.) However, I did get system log messages "udevd[258]: specified group 'plugdev' unknown" which I'm guessing is due to me leaving that out of the udev rules service.

I'm not sure how we want to handle that in this documentation. I wouldn't be surprised if something does need the user to be in the plugdev group, I just haven't encountered it. Perhaps then keep it as is to be on the safe side since I can't think of a clear downside other than having one more group?

To add a little more confusion, on my Arch system I see no such udev rules. The only one I have for a Yubikey is from the equivalent of our yubikey-personalization package and which doesn't have any match for my particular Yubikey. But everything works there as well. Anyway, likely some other details there (some general rules for security keys?), just thought I'd mention that.

A few minor notes on the text now:

> +The use of security keys can improve your security by providing a second
> +authentication source that cannot be easily stolen or copied (similar to
> +the protection provided by mechanical keys for the door of your home or
> +apartment), which reduces the risk of impersonation.
> +

Not to get into the weeds here, but maybe we can use the "standard" this is the "something you have" part of multi-factor authentication (the "one you know" being a password, of course).

Also, should we use the keyword Universal 2nd Factor (U2F) standard somewhere? I believe this is the setup we need for that, but don't quote me on that.

> +The example configuration detailed below showcases what minimal
> +configuration needs to be made on your Guix System to allow the use of a
> +Yubico security key.  We hope the configuration can be useful for other
> +security keys as well, with minor adjustments.
> +

Super minor: do we use the "we" form much in the manual, at least in the system reference parts?

> +@subsection Configuration for use as a two-factor authenticator (2FA)
> +
> +Two be usable, the udev rules of the system should be extended with
> +key-specific rules.  The following show how to extend your udev rules
> +with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
> +the @code{libfido2} package from the @code{(gnu packages
> +security-token)} module and add your user to the @samp{"plugdev"} group
> +it uses:
> +

Minor typos: "Two" -> "To", "show" -> "shows"; comment above for "you" here.

> +@lisp
> +(use-package-modules ... security-token ...)
> +...
> +(operating-system
> + ...
> + (users (cons* (user-account
> +               (name "your-user")
> +               (group "users")
> +               (supplementary-groups
> +=09=09'("wheel" "netdev" "audio" "video"
> +                  "plugdev"))           ;<- added system group
> +               (home-directory "/home/your-user"))
> +              %base-user-accounts))
> + ...
> + (services
> +  (cons*
> +   ...
> +   (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
> +@end lisp
> +
> +After re-configuring your system and re-login to your graphical session,
> +you can verify that your key is usable by launching:
> +

Minor: "re-login" probably should be "re-logging in" maybe?

I'm guessing logging in again is needed due to the group change? (Otherwise we have the nice change you made so that udev rules get picked up automatically, right?)

> +@example
> +guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
> +@end example
> +

Perhaps a simple website for testing u2f that works in other browsers? Sorry, don't have any off the top of my head, just wondering (as I don't normally use chromium).

> +and validating that the security key can be reset via the ``Reset your
> +security key'' menu.  If it works, congratulations, your security key is
> +ready to be used with applications supporting two-factors authentication
> +(2FA).

Not familiar with the chromium settings here, is there something less potentially drastic to check? I didn't dare touch that as my security key is already set up (private keys backed up of course, but still).

Sorry for some of the more nitpick-y text things, probably reading and grading too many papers recently :) Overall will be a nice addition, thanks!

John
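
A read-only way to confirm that the configuration from the patch took effect, in answer to the question above about a check less drastic than Chromium's reset menu. This is an added example, not code from the patch, from the Guix cookbook or from the thread's participants. It assumes (not stated on the page) that the udev rule file assigns the key's /dev/hidraw node to group "plugdev" with group read/write permission, and that the `fido2-token` tool shipped with libfido2 is on PATH; its `-L` listing only enumerates devices and does not touch the key's credentials.

```shell
#!/bin/sh
# Added example, not part of the patch under review or of the Guix cookbook.
# Read-only checks that the security-key setup took effect: the user is in
# the "plugdev" group, the key's hidraw node is reachable, and (if the
# fido2-token tool from libfido2 is installed) the key enumerates.
# Assumptions (not stated on the page): the udev rule assigns the key's
# /dev/hidraw* node to group "plugdev" with group read/write permission,
# and `fido2-token -L` is available on PATH.

# user_in_group GROUPS WANTED: succeed when WANTED appears in the
# space-separated GROUPS list (the format printed by `id -nG`).
user_in_group() {
  for g in $1; do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# hidraw_node_ok LS_LINE WANTED_GROUP: given one `ls -l /dev/hidrawN` line,
# succeed when the node belongs to WANTED_GROUP and the group permission
# bits include read and write (mode field positions 5-6 are "rw").  A
# trailing "+" on the mode field (an ACL, e.g. from a udev "uaccess" tag)
# is accepted.
hidraw_node_ok() {
  wanted_group=$2
  set -- $1                      # split the ls line into its fields
  mode=$1; group=$4
  [ "$group" = "$wanted_group" ] || return 1
  case "$mode" in
    ????rw*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Live checks against the running system.
run_checks() {
  if user_in_group "$(id -nG)" plugdev; then
    echo "ok: $(id -un) is in plugdev"
  else
    echo "missing: $(id -un) is not in plugdev (log in again after reconfiguring)"
  fi
  for dev in /dev/hidraw*; do
    [ -e "$dev" ] || continue
    if hidraw_node_ok "$(ls -l "$dev")" plugdev; then
      echo "ok: $dev is group plugdev and group-writable"
    else
      # Keyboards and mice are hidraw devices too, so this only matters
      # for the node that belongs to the security key.
      echo "note: $dev is not plugdev-accessible (not a FIDO device, or rule not applied)"
    fi
  done
  # Enumerating tokens does not modify the key, unlike a reset.
  if command -v fido2-token >/dev/null 2>&1; then
    fido2-token -L
  else
    echo "fido2-token not found; install libfido2 to enumerate the key"
  fi
}

run_checks
```

Run it as the user from the `user-account` block after reconfiguring and logging in again; a key that lists under `fido2-token -L` with an `ok` hidraw node is usable without ever opening the reset menu.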





Information forwarded to guix-patches@HIDDEN:
bug#59454; Package guix-patches.

Message received at submit <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] doc: Add a security keys section to the cookbook.
Date: Mon, 21 Nov 2022 15:02:56 -0500
Message-Id: <20221121200256.2680-1-maxim.cournoyer@HIDDEN>

* doc/guix-cookbook.texi (Top): Register new menu.
(System Configuration): Likewise.
(Using security keys): New section.
---
 doc/guix-cookbook.texi | 59 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index f371364746..7a7877bd00 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,6 +21,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
 Copyright @copyright{} 2020 André Batista@*
 Copyright @copyright{} 2020 Christine Lemmer-Webber@*
 Copyright @copyright{} 2021 Joshua Branson@*
+Copyright @copyright{} 2022 Maxim Cournoyer*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
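Review bot: the added copyright line ends with a bare `*` where every neighbouring line ends with `@*`, the Texinfo forced line break, so `Copyright @copyright{} 2022 Maxim Cournoyer*` renders a literal asterisk and runs into the following line. Suggest `+Copyright @copyright{} 2022 Maxim Cournoyer@*`.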
@@ -95,6 +96,7 @@ System Configuration
 * Auto-Login to a Specific TTY::    Automatically Login a User to a Specific TTY
 * Customizing the Kernel::          Creating and using a custom Linux kernel on Guix System.
 * Guix System Image API::           Customizing images to target specific platforms.
+* Using security keys::             How to use security keys with Guix System.
 * Connecting to Wireguard VPN::     Connecting to a Wireguard VPN.
 * Customizing a Window Manager::    Handle customization of a Window manager on Guix System.
 * Running Guix on a Linode Server:: Running Guix on a Linode Server.  Running Guix on a Linode Server
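Review bot: the new entry `* Using security keys::` is the only one in this menu written in sentence case; its neighbours use title case (`Customizing the Kernel`, `Guix System Image API`, `Connecting to Wireguard VPN`). Since the node name is repeated verbatim in the second menu and in the `@node` line, settling on `Using Security Keys` before merge is cheaper than renaming the node later.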
@@ -1380,6 +1382,7 @@ reference.
 * Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY
 * Customizing the Kernel::       Creating and using a custom Linux kernel on Guix System.
 * Guix System Image API::        Customizing images to target specific platforms.
+* Using security keys::          How to use security keys with Guix System.
 * Connecting to Wireguard VPN::  Connecting to a Wireguard VPN.
 * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
 * Running Guix on a Linode Server:: Running Guix on a Linode Server
@@ -1883,6 +1886,62 @@ guix system image --image-type=hurd-qcow2 my-hurd-os.scm
 
 will instead produce a Hurd QEMU image.
 
+@node Using security keys
+@section Using security keys
+@cindex 2FA, two-factor authentication
+@cindex security key, configuration
+
+The use of security keys can improve your security by providing a second
+authentication source that cannot be easily stolen or copied (similar to
+the protection provided by mechanical keys for the door of your home or
+apartment), which reduces the risk of impersonation.
+
+The example configuration detailed below showcases what minimal
+configuration needs to be made on your Guix System to allow the use of a
+Yubico security key.  We hope the configuration can be useful for other
+security keys as well, with minor adjustments.
+
+@subsection Configuration for use as a two-factor authenticator (2FA)
+
+Two be usable, the udev rules of the system should be extended with
+key-specific rules.  The following show how to extend your udev rules
+with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
+the @code{libfido2} package from the @code{(gnu packages
+security-token)} module and add your user to the @samp{"plugdev"} group
+it uses:
+
+@lisp
+(use-package-modules ... security-token ...)
+...
+(operating-system
+ ...
+ (users (cons* (user-account
+               (name "your-user")
+               (group "users")
+               (supplementary-groups
+		'("wheel" "netdev" "audio" "video"
+                  "plugdev"))           ;<- added system group
+               (home-directory "/home/your-user"))
+              %base-user-accounts))
+ ...
+ (services
+  (cons*
+   ...
+   (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
+@end lisp
+
+After re-configuring your system and re-login to your graphical session,
+you can verify that your key is usable by launching:
+
+@example
+guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
+@end example
+
+and validating that the security key can be reset via the ``Reset your
+security key'' menu.  If it works, congratulations, your security key is
+ready to be used with applications supporting two-factors authentication
+(2FA).
+
 @node Connecting to Wireguard VPN
 @section Connecting to Wireguard VPN
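Review bot: the verification step at the end of the new section (`chrome://settings/securityKeys`, then the ``Reset your security key'' menu) uses a destructive operation as a smoke test: resetting a key wipes the credentials stored on it, so a reader whose key is already enrolled somewhere loses those registrations by following the docs. Suggest a read-only check instead, for example listing the device with the `fido2-token -L` tool that the same `libfido2` package provides, and leaving the reset menu out of the instructions. A sentence on why `#:groups '("plugdev")` is passed to `udev-rules-service` would also help: the `specified group 'plugdev' unknown` message reported in the review when it is omitted shows the rule file refers to a group that otherwise does not exist on the system. Smaller points in the same hunk: `Two be usable` -> `To be usable`; `The following show` -> `The following shows`; `two-factors authentication` -> `two-factor authentication`; `re-login to your graphical session` -> `logging in to your graphical session again` (the fresh login is needed because supplementary group membership is only picked up at login); `@samp{"plugdev"}` doubles the quotes since `@samp` already quotes its argument, so `@samp{plugdev}` reads better.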
 

base-commit: fe3be8d5e04804dadd84c7a909e1f85fe52080f3
-- 
2.38.1





Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN.
Report forwarded to guix-patches@HIDDEN:
bug#59454; Package guix-patches.
Last modified: Wed, 23 Nov 2022 09:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.