From: bug#59454 <59454@debbugs.gnu.org>
To: bug#59454 <59454@debbugs.gnu.org>
Subject: Status: [PATCH] doc: Add a security keys section to the cookbook.
Date: Sat, 16 Aug 2025 23:17:21 +0000

retitle 59454 [PATCH] doc: Add a security keys section to the cookbook.
reassign 59454 guix-patches
submitter 59454 Maxim Cournoyer
severity 59454 normal
tag 59454 patch moreinfo
thanks

From: Maxim Cournoyer
To: guix-patches@gnu.org
Subject: [PATCH] doc: Add a security keys section to the cookbook.
Date: Mon, 21 Nov 2022 15:02:56 -0500
Message-Id: <20221121200256.2680-1-maxim.cournoyer@gmail.com>

* doc/guix-cookbook.texi (Top): Register new menu.
(System Configuration): Likewise.
(Using security keys): New section.
---
 doc/guix-cookbook.texi | 59 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index f371364746..7a7877bd00 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,6 +21,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@* Copyright @copyright{} 2020 André Batista@* Copyright @copyright{} 2020 Christine Lemmer-Webber@* Copyright @copyright{} 2021 Joshua Branson@* +Copyright @copyright{} 2022 Maxim Cournoyer* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -95,6 +96,7 @@ System Configuration * Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY * Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System. * Guix System Image API:: Customizing images to target specific platforms. +* Using security keys:: How to use security keys with Guix System. * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN. * Customizing a Window Manager:: Handle customization of a Window manager on Guix System. * Running Guix on a Linode Server:: Running Guix on a Linode Server. Running Guix on a Linode Server @@ -1380,6 +1382,7 @@ reference. * Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY * Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System. * Guix System Image API:: Customizing images to target specific platforms. +* Using security keys:: How to use security keys with Guix System. * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN. * Customizing a Window Manager:: Handle customization of a Window manager on Guix System. * Running Guix on a Linode Server:: Running Guix on a Linode Server 
@@ -1883,6 +1886,62 @@ guix system image --image-type=hurd-qcow2 my-hurd-os.scm will instead produce a Hurd QEMU image. +@node Using security keys +@section Using security keys +@cindex 2FA, two-factor authentication +@cindex security key, configuration + +The use of security keys can improve your security by providing a second +authentication source that cannot be easily stolen or copied (similar to +the protection provided by mechanical keys for the door of your home or +apartment), which reduces the risk of impersonation. + +The example configuration detailed below showcases what minimal +configuration needs to be made on your Guix System to allow the use of a +Yubico security key. We hope the configuration can be useful for other +security keys as well, with minor adjustments. + +@subsection Configuration for use as a two-factor authenticator (2FA) + +Two be usable, the udev rules of the system should be extended with +key-specific rules. The following show how to extend your udev rules +with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by +the @code{libfido2} package from the @code{(gnu packages +security-token)} module and add your user to the @samp{"plugdev"} group +it uses: + +@lisp +(use-package-modules ... security-token ...) +... +(operating-system + ... + (users (cons* (user-account + (name "your-user") + (group "users") + (supplementary-groups + '("wheel" "netdev" "audio" "video" + "plugdev")) ;<- added system group + (home-directory "/home/your-user")) + %base-user-accounts)) + ... + (services + (cons* + ... + (udev-rules-service 'fido2 libfido2 #:groups '("plugdev"))))) +@end lisp + +After re-configuring your system and re-login to your graphical session, +you can verify that your key is usable by launching: + +@example +guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys +@end example + +and validating that the security key can be reset via the ``Reset your +security key'' menu. 
If it works, congratulations, your security key is +ready to be used with applications supporting two-factors authentication +(2FA). + @node Connecting to Wireguard VPN +@section Connecting to Wireguard VPN
base-commit: fe3be8d5e04804dadd84c7a909e1f85fe52080f3
-- 
2.38.1

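Review bot: in the first hunk (the copyright block), the added line reads `+Copyright @copyright{} 2022 Maxim Cournoyer*` while every neighbouring line ends with `@*`; the `@` looks to be missing, so Texinfo would print a literal asterisk instead of forcing a line break. Suggest `+Copyright @copyright{} 2022 Maxim Cournoyer@*`.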
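Review bot: the new menu entry `* Using security keys:: How to use security keys with Guix System.` in the `@@ -95,6 +96,7 @@` hunk (and its copy in the `@@ -1380,6 +1382,7 @@` hunk) is in sentence case, while the entries around it (`Customizing the Kernel`, `Connecting to Wireguard VPN`, `Customizing a Window Manager`) are in title case. If the entry is renamed, the `@node Using security keys` and `@section Using security keys` lines in the last hunk must be renamed identically, since Texinfo menu entries have to match node names exactly.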
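Review bot: the verification step in the last hunk ("validating that the security key can be reset via the ``Reset your security key'' menu") points readers at a destructive operation: a FIDO2 reset erases the credentials and PIN stored on the authenticator, so a reader whose key is already enrolled somewhere would lose them. A non-destructive check that exercises the same udev permissions is `guix shell libfido2 -- fido2-token -L`, which lists the attached authenticators; an empty list with the key plugged in points at the missing udev rule or group membership, and that line also fits the section's own `@example` style better than launching a browser. The same hunk has a few typos worth fixing before merge: `Two be usable` should be `To be usable`, `The following show` should be `The following shows`, `re-login to your graphical session` should be `logging in again to your graphical session`, and `two-factors authentication` should be `two-factor authentication`.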
From: John Kehayias
To: 59454@debbugs.gnu.org, Maxim Cournoyer
Subject: Re: [PATCH] doc: Add a security keys section to the cookbook.
Date: Wed, 23 Nov 2022 04:11:40 +0000
Message-ID: <877czmfgy5.fsf@protonmail.com>

Hi Maxim,

Thanks for this addition, I think it will definitely be useful to many people. Overall it looks good, a few minor notes on the text after I add some of my confusion to the udev rules question.

For the udev rules, I tried without the plugdev group and it seemed like everything worked for me (though note I also use the pcscd service). In the past, I've had the plugdev group for the udev rules but not my user. I'm not sure why that is, perhaps the "uaccess" part of the rules? (I don't know much about this at all.) However, I did get system log messages "udevd[258]: specified group 'plugdev' unknown" which I'm guessing is due to me leaving that out of the udev rules service.

I'm not sure how we want to handle that in this documentation. I wouldn't be surprised if something does need the user to be in the plugdev group, I just haven't encountered it. Perhaps then keep it as is to be on the safe side since I can't think of a clear downside other than having one more group?

To add a little more confusion, on my Arch system I see no such udev rules. The only one I have for a Yubikey is from the equivalent of our yubikey-personalization package and which doesn't have any match for my particular Yubikey. But everything works there as well. Anyway, likely some other details there (some general rules for security keys?), just thought I'd mention that.
A few minor notes on the text now:

> +The use of security keys can improve your security by providing a second
> +authentication source that cannot be easily stolen or copied (similar to
> +the protection provided by mechanical keys for the door of your home or
> +apartment), which reduces the risk of impersonation.
> +

Not to get into the weeds here, but maybe we can use the "standard" this is the "something you have" part of multi-factor authentication (the "one you know" being a password, of course).

Also, should we use the keyword Universal 2nd Factor (U2F) standard somewhere? I believe this is the setup we need for that, but don't quote me on that.

> +The example configuration detailed below showcases what minimal
> +configuration needs to be made on your Guix System to allow the use of a
> +Yubico security key. We hope the configuration can be useful for other
> +security keys as well, with minor adjustments.
> +

Super minor: do we use the "we" form much in the manual, at least in the system reference parts?

> +@subsection Configuration for use as a two-factor authenticator (2FA)
> +
> +Two be usable, the udev rules of the system should be extended with
> +key-specific rules. The following show how to extend your udev rules
> +with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
> +the @code{libfido2} package from the @code{(gnu packages
> +security-token)} module and add your user to the @samp{"plugdev"} group
> +it uses:
> +

Minor typos: "Two" -> "To", "show" -> "shows"; comment above for "you" here.

> +@lisp
> +(use-package-modules ... security-token ...)
> +...
> +(operating-system
> + ...
> + (users (cons* (user-account
> + (name "your-user")
> + (group "users")
> + (supplementary-groups
> +                '("wheel" "netdev" "audio" "video"
> + "plugdev")) ;<- added system group
> + (home-directory "/home/your-user"))
> + %base-user-accounts))
> + ...
> + (services
> + (cons*
> + ...
> + (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
> +@end lisp
> +
> +After re-configuring your system and re-login to your graphical session,
> +you can verify that your key is usable by launching:
> +

Minor: "re-login" probably should be "re-logging in" maybe?

I'm guessing logging in again is needed due to the group change? (Otherwise we have the nice change you made so that udev rules get picked up automatically, right?)

> +@example
> +guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
> +@end example
> +

Perhaps a simple website for testing u2f that works in other browsers? Sorry, don't have any off the top of my head, just wondering (as I don't normally use chromium).

> +and validating that the security key can be reset via the ``Reset your
> +security key'' menu. If it works, congratulations, your security key is
> +ready to be used with applications supporting two-factors authentication
> +(2FA).

Not familiar with the chromium settings here, is there something less potentially drastic to check? I didn't dare touch that as my security key is already set up (private keys backed up of course, but still).

Sorry for some of the more nitpick-y text things, probably reading and grading too many papers recently :) Overall will be a nice addition, thanks!
John

From: Christopher Baines
To: control@debbugs.gnu.org
Subject: tag 59454 moreinfo
Date: Wed, 23 Nov 2022 09:25:26 +0000
Message-ID: <87h6yq10qh.fsf@cbaines.net>

tags 59454 + moreinfo
quit

From: zimoun
To: Maxim Cournoyer, 59454@debbugs.gnu.org
Subject: Re: [bug#59454] [PATCH] doc: Add a security keys section to the cookbook.
In-Reply-To: <20221121200256.2680-1-maxim.cournoyer@gmail.com>
Date: Tue, 22 Nov 2022 16:44:36 +0100
Message-ID: <86h6yrc7tn.fsf@gmail.com>

Hi,

On Mon, 21 Nov 2022 at 15:02, Maxim Cournoyer wrote:

> * doc/guix-cookbook.texi (Top): Register new menu.
> (System Configuration): Likewise.
> (Using security keys): New section.
> ---
> doc/guix-cookbook.texi | 59 ++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 59 insertions(+)

Neat! LGTM.
Cheers,
simon

From: Maxim Cournoyer
To: John Kehayias
Cc: 59454-done@debbugs.gnu.org
Subject: Re: [PATCH] doc: Add a security keys section to the cookbook.
Date: Fri, 25 Nov 2022 10:37:04 -0500
In-Reply-To: <877czmfgy5.fsf@protonmail.com> (John Kehayias's message of "Wed, 23 Nov 2022 04:11:40 +0000")
Message-ID: <87lenzjba7.fsf@gmail.com>

Hi John,

John Kehayias writes:

> Hi Maxim,
>
> Thanks for this addition, I think it will definitely be useful to many
> people. Overall it looks good, a few minor notes on the text after I
> add some of my confusion to the udev rules question.

Thanks!

> For the udev rules, I tried without the plugdev group and it seemed
> like everything worked for me (though note I also use the pcscd
> service). In the past, I've had the plugdev group for the udev rules
> but not my user. I'm not sure why that is, perhaps the "uaccess" part
> of the rules? (I don't know much about this at all.) However, I did
> get system log messages "udevd[258]: specified group 'plugdev'
> unknown" which I'm guessing is due to me leaving that out of the udev
> rules service.

[...]
I think it may well be required for some use cases; if you grep the
libfido2 package for "plugdev", you'll find plenty of references in the
70-u2f.rules file like:

--8<---------------cut here---------------start------------->8---
/gnu/store/vy2pry1q2b1hhibsq4qchnr0v2xyah0r-libfido2-1.12.0/lib/udev/rules.d/70-u2f.rules:226:KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="a6e9", TAG+="uaccess", GROUP="plugdev", MODE="0660"
--8<---------------cut here---------------end--------------->8---

> A few minor notes on the text now:
>
>> +The use of security keys can improve your security by providing a second
>> +authentication source that cannot be easily stolen or copied (similar to
>> +the protection provided by mechanical keys for the door of your home or
>> +apartment), which reduces the risk of impersonation.
>> +
>
> Not to get into the weeds here, but maybe we can use the "standard"
> this is the "something you have" part of multi-factor authentication
> (the "one you know" being a password, of course).

I removed the door keys/locks example and rephrased it like:

--8<---------------cut here---------------start------------->8---
The use of security keys can improve your security by providing a second
authentication source that cannot be easily stolen or copied, at least
for a remote adversary (something that you have), to the main secret (a
passphrase -- something that you know), reducing the risk of
impersonation.
--8<---------------cut here---------------end--------------->8---

I hope that's a bit better.

> Also, should we use the keyword Universal 2nd Factor (U2F) standard
> somewhere? I believe this is the setup we need for that, but don't
> quote me on that.

I plugged that in the context indices:

@cindex U2F, Universal 2nd Factor

>> +The example configuration detailed below showcases what minimal
>> +configuration needs to be made on your Guix System to allow the use of a
>> +Yubico security key. We hope the configuration can be useful for other
>> +security keys as well, with minor adjustments.
>> +
>
> Super minor: do we use the "we" form much in the manual, at least in the system reference parts?

I think we try to refrain from doing so indeed, although the cookbook
feels a lot less formal to me than the reference manual. I've adjusted
to use 'It is hoped [...]'.

>> +@subsection Configuration for use as a two-factor authenticator (2FA)
>> +
>> +Two be usable, the udev rules of the system should be extended with
>> +key-specific rules. The following show how to extend your udev rules
>> +with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
>> +the @code{libfido2} package from the @code{(gnu packages
>> +security-token)} module and add your user to the @samp{"plugdev"} group
>> +it uses:
>> +
>
> Minor typos: "Two" -> "To", "show" -> "shows"; comment above for "you" here.

Oof, thanks for catching these. I think it's fine to address the reader
as "you".

>> +@lisp
>> +(use-package-modules ... security-token ...)
>> +...
>> +(operating-system
>> + ...
>> + (users (cons* (user-account
>> + (name "your-user")
>> + (group "users")
>> + (supplementary-groups
>> + '("wheel" "netdev" "audio" "video"
>> + "plugdev")) ;<- added system group
>> + (home-directory "/home/your-user"))
>> + %base-user-accounts))
>> + ...
>> + (services
>> + (cons*
>> + ...
>> + (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
>> +@end lisp
>> +
>> +After re-configuring your system and re-login to your graphical session,
>> +you can verify that your key is usable by launching:
>> +
>
> Minor: "re-login" probably should be "re-logging in" maybe?

I think so :-).

> I'm guessing logging in again is needed due to the group change?
> (Otherwise we have the nice change you made so that udev rules get
> picked up automatically, right?)

Yes. I clarified this a bit.
>> +@example
>> +guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
>> +@end example
>> +
>
> Perhaps a simple website for testing u2f that works in other browsers?
> Sorry, don't have any off the top of my head, just wondering (as I
> don't normally use chromium).

The problem with websites is that they typically use nonfree JavaScript.
I don't know of a smaller local tool to demo security keys
unfortunately; it'd be nice to have one!

>> +and validating that the security key can be reset via the ``Reset your
>> +security key'' menu. If it works, congratulations, your security key is
>> +ready to be used with applications supporting two-factors authentication
>> +(2FA).
>
> Not familiar with the chromium settings here, is there something less
> potentially drastic to check? I didn't dare touch that as my security
> key is already set up (private keys backed up of course, but still).

I'm not sure. I feel the resetting of the key should only affect the
operation of Chromium rather than like erase your secrets off your key,
but don't take my word for it, it's just a guess.

> Sorry for some of the more nitpick-y text things, probably reading and
> grading too many papers recently :) Overall will be a nice addition,
> thanks!

Thanks a lot for going through it! It sure came out better.

Now pushed!

-- 
Thanks,
Maxim

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 24 Dec 2022 12:24:07 +0000

bug archived.
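Maxim's grep of 70-u2f.rules shows a line carrying both `GROUP="plugdev", MODE="0660"` and `TAG+="uaccess"`, which bears on John's question of why the key worked without the plugdev group. The Python below is an added example, not code from the patch, from Guix or from either poster, and its rule lines are constructed samples: it parses rule lines in that syntax and reports, for a given user, which mechanism would let that user open the matched hidraw node, the GROUP/MODE bits or the uaccess ACL that elogind/systemd-logind grants to the user of the active local seat (on my reading, that is why a console session works without the group while an SSH session or a daemon needs it).

```python
"""Work out who may open the hidraw node that a udev rule line matches.

Added example for this thread, not code from the patch or from Guix; the
rule lines are constructed samples in the style of libfido2's 70-u2f.rules.
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed samples: the first line mirrors the shape of the rule quoted
# in the thread, the second relies on the uaccess tag alone.
SAMPLE_RULES = """
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="a6e9", TAG+="uaccess", GROUP="plugdev", MODE="0660"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess", MODE="0600"
"""

# One token: KEY or KEY{attr}, an operator, a double-quoted value, optional comma.
TOKEN_RE = re.compile(r'\s*([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"\s*,?')


@dataclass
class Rule:
    matches: dict = field(default_factory=dict)  # key -> (op, glob pattern)
    assigns: dict = field(default_factory=dict)  # GROUP, MODE, OWNER, ...
    tags: set = field(default_factory=set)       # values added with TAG+=


def parse_rule(line):
    """Split one rule line into match conditions, assignments and tags."""
    line, pos, rule = line.strip(), 0, Rule()
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if m is None:
            raise ValueError("unparsable udev rule near: %r" % line[pos:])
        key, op, value = m.groups()
        if op in ("==", "!="):
            rule.matches[key] = (op, value)
        elif key == "TAG" and op == "+=":
            rule.tags.add(value)
        else:
            rule.assigns[key] = value
        pos = m.end()
    return rule


def rule_matches(rule, device):
    """udev match values are shell-style globs; every key must agree."""
    for key, (op, pattern) in rule.matches.items():
        hit = fnmatchcase(device.get(key, ""), pattern)
        if hit != (op == "=="):
            return False
    return True


def effective_settings(rules_text, device):
    """Apply matching rules in file order: later assignments win, tags accumulate."""
    assigns, tags = {}, set()
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule_matches(rule, device):
            assigns.update(rule.assigns)
            tags |= rule.tags
    return assigns, tags


def access_paths(rules_text, device, user, groups, active_seat_user):
    """Return the mechanisms through which USER could open DEVICE's node.

    ACTIVE_SEAT_USER is whoever elogind/logind considers active on the local
    seat; an SSH session or a daemon is never that user and needs the group.
    """
    assigns, tags = effective_settings(rules_text, device)
    mode = int(assigns.get("MODE", "0600"), 8)   # udev default is 0600 root:root
    group = assigns.get("GROUP", "root")
    paths = []
    if mode & 0o060 == 0o060 and group in groups:
        paths.append("group %s via MODE=%04o" % (group, mode))
    if mode & 0o006 == 0o006:
        paths.append("world-writable MODE=%04o" % mode)
    if "uaccess" in tags and user == active_seat_user:
        paths.append("uaccess ACL for the active seat user")
    return paths


if __name__ == "__main__":
    key = {"KERNEL": "hidraw3", "SUBSYSTEM": "hidraw",
           "ATTRS{idVendor}": "311f", "ATTRS{idProduct}": "a6e9"}
    # Console login without plugdev (John's case) versus SSH login with it.
    print(access_paths(SAMPLE_RULES, key, "john", {"users"}, "john"))
    print(access_paths(SAMPLE_RULES, key, "alice", {"users", "plugdev"}, "john"))
```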