GNU bug report logs -
#64882
[PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 64882 in the body.
You can then email your comments to 64882 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#64882; Package
guix-patches.
(Wed, 26 Jul 2023 19:59:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Wed, 26 Jul 2023 19:59:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.
---
doc/guix-cookbook.texi | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..8f2cb2369e 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2022,6 +2022,18 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
--
2.41.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#64882; Package
guix-patches.
(Thu, 27 Jul 2023 18:05:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 64882 <at> debbugs.gnu.org (full text, mbox):
Hi Maxim,
On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:
> * doc/guix-cookbook.texi (Using security keys)
> <Disabling OTP code generation for a Yubikey>: New subsection.
> ---
> doc/guix-cookbook.texi | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
> index 2e58c6c795..8f2cb2369e 100644
> --- a/doc/guix-cookbook.texi
> +++ b/doc/guix-cookbook.texi
> @@ -2022,6 +2022,18 @@ Using security keys
> ready to be used with applications supporting two-factor authentication
> (2FA).
>
> +@subsection Disabling OTP code generation for a Yubikey
> +@cindex disabling yubikey OTP
> +If you use a Yubikey security key and are irritated by the spurious OTP
> +codes it generates when inadvertently touching the key (e.g. causing you
> +to become a spammer in the @samp{#guix} channel when discussing from
> +your favorite IRC client!), you can disable it via the following
> +@command{ykman} command:
> +
> +@example
> +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
> +@end example
> +
> @node Connecting to Wireguard VPN
> @section Connecting to Wireguard VPN
>
>
> base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
I'm not necessarily against it, but this seems only related to yubikey
management in general (on Linux), rather than anything specific to Guix.
Of course, 'guix shell' is a handy way to do this, I just don't know if
this is needed in the cookbook. Then again, I guess the cookbook is a
way to build up associated knowledge for Guix, which won't be included
directly in the manual.
Otherwise, LGTM, but a user should be aware if they are using/needed OTP
before disabling it.
John
Information forwarded
to
guix-patches <at> gnu.org:
bug#64882; Package
guix-patches.
(Thu, 27 Jul 2023 19:26:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 64882 <at> debbugs.gnu.org (full text, mbox):
Hi John,
John Kehayias <john.kehayias <at> protonmail.com> writes:
> Hi Maxim,
>
> On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:
>
>> * doc/guix-cookbook.texi (Using security keys)
>> <Disabling OTP code generation for a Yubikey>: New subsection.
>> ---
>> doc/guix-cookbook.texi | 12 ++++++++++++
>> 1 file changed, 12 insertions(+)
>>
>> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
>> index 2e58c6c795..8f2cb2369e 100644
>> --- a/doc/guix-cookbook.texi
>> +++ b/doc/guix-cookbook.texi
>> @@ -2022,6 +2022,18 @@ Using security keys
>> ready to be used with applications supporting two-factor authentication
>> (2FA).
>>
>> +@subsection Disabling OTP code generation for a Yubikey
>> +@cindex disabling yubikey OTP
>> +If you use a Yubikey security key and are irritated by the spurious OTP
>> +codes it generates when inadvertently touching the key (e.g. causing you
>> +to become a spammer in the @samp{#guix} channel when discussing from
>> +your favorite IRC client!), you can disable it via the following
>> +@command{ykman} command:
>> +
>> +@example
>> +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
>> +@end example
>> +
>> @node Connecting to Wireguard VPN
>> @section Connecting to Wireguard VPN
>>
>>
>> base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
>
> I'm not necessarily against it, but this seems only related to yubikey
> management in general (on Linux), rather than anything specific to Guix.
> Of course, 'guix shell' is a handy way to do this, I just don't know if
> this is needed in the cookbook. Then again, I guess the cookbook is a
> way to build up associated knowledge for Guix, which won't be included
> directly in the manual.
You are right that it's not specifically related to Guix, but I expects
users going through setuping a Yubikey on Guix to want to know how to do
that (I spent months spamming #guix with OTP codes before Ricardo shared
that tip with me, so it was not easy to discover). The Cookbook as I
understand it is a loose collection of knowledge of how to do things
using Guix, and is distinct from the user manual.
> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
> before disabling it.
I'm not sure when OTP is useful; it's not useful for the current use
case I'm using my Yubikey (which is currently the two-factor
authentication on web sites).
--
Thanks,
Maxim
Information forwarded
to
guix-patches <at> gnu.org:
bug#64882; Package
guix-patches.
(Thu, 27 Jul 2023 19:48:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 64882 <at> debbugs.gnu.org (full text, mbox):
Hi Maxim,
On Thu, Jul 27, 2023 at 03:25 PM, Maxim Cournoyer wrote:
> Hi John,
>
> John Kehayias <john.kehayias <at> protonmail.com> writes:
>
>> I'm not necessarily against it, but this seems only related to yubikey
>> management in general (on Linux), rather than anything specific to Guix.
>> Of course, 'guix shell' is a handy way to do this, I just don't know if
>> this is needed in the cookbook. Then again, I guess the cookbook is a
>> way to build up associated knowledge for Guix, which won't be included
>> directly in the manual.
>
> You are right that it's not specifically related to Guix, but I expects
> users going through setuping a Yubikey on Guix to want to know how to do
> that (I spent months spamming #guix with OTP codes before Ricardo shared
> that tip with me, so it was not easy to discover). The Cookbook as I
> understand it is a loose collection of knowledge of how to do things
> using Guix, and is distinct from the user manual.
>
Sure. I'm not opposed, just wanted to make sure I was clear(ish) on
what goes in there. I'm all for collecting more information to help
out Guix users.
>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>> before disabling it.
>
> I'm not sure when OTP is useful; it's not useful for the current use
> case I'm using my Yubikey (which is currently the two-factor
> authentication on web sites).
I checked and I have OTP disabled on my Yubikey as well; I used 'ykman
info' to see. I use it as my smart card essentially (as the keys for
passwords, SSH, signing commits, etc.) as well as two-factor codes.
I found this <https://www.yubico.com/resources/glossary/yubico-otp/>
about OTP. If I remember now, it is a service that some sites will use
to use your Yubikey for authentication, as I think LastPass had
support for (I no longer use that). I think U2F is more ubiquitous and
used more now anyway. But it is enabled by default and I would guess
many people don't use it.
John
Information forwarded
to
guix-patches <at> gnu.org:
bug#64882; Package
guix-patches.
(Tue, 08 Aug 2023 14:48:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 64882 <at> debbugs.gnu.org (full text, mbox):
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.
Series-to: 64882 <at> debbugs.gnu.org
Series-version: 2
Series-changes: 2
- Mention alternative using the graphical yubikey-manager-qt application
---
doc/guix-cookbook.texi | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..4d85dee386 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,7 +21,7 @@
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
-Copyright @copyright{} 2022 Maxim Cournoyer@*
+Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
Copyright @copyright{} 2023 Ludovic Courtès
Permission is granted to copy, distribute and/or modify this document
@@ -2022,6 +2022,24 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
+Alternatively, you could use the @command{ykman-gui} command from the
+@code{yubikey-manager-qt} package and either wholly disable the
+@samp{OTP} application from the USB interface or, from the
+@samp{Applications -> OTP} view, delete the configuration of slot 1,
+which comes pre-configured with the Yubico OTP application.
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
base-commit: 782ef67a59f4b564f16101cf23c30a3777b3f734
--
2.41.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#64882; Package
guix-patches.
(Tue, 08 Aug 2023 14:51:01 GMT)
Full text and
rfc822 format available.
Message #20 received at 64882 <at> debbugs.gnu.org (full text, mbox):
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.
---
Changes in v2:
- Mention alternative using the graphical yubikey-manager-qt application
doc/guix-cookbook.texi | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..4d85dee386 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,7 +21,7 @@
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
-Copyright @copyright{} 2022 Maxim Cournoyer@*
+Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
Copyright @copyright{} 2023 Ludovic Courtès
Permission is granted to copy, distribute and/or modify this document
@@ -2022,6 +2022,24 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
+Alternatively, you could use the @command{ykman-gui} command from the
+@code{yubikey-manager-qt} package and either wholly disable the
+@samp{OTP} application from the USB interface or, from the
+@samp{Applications -> OTP} view, delete the configuration of slot 1,
+which comes pre-configured with the Yubico OTP application.
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
base-commit: 782ef67a59f4b564f16101cf23c30a3777b3f734
--
2.41.0
Reply sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility.
(Thu, 17 Aug 2023 04:06:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
bug acknowledged by developer.
(Thu, 17 Aug 2023 04:06:02 GMT)
Full text and
rfc822 format available.
Message #25 received at 64882-done <at> debbugs.gnu.org (full text, mbox):
Hi!
John Kehayias <john.kehayias <at> protonmail.com> writes:
[...]
>>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>>> before disabling it.
>>
>> I'm not sure when OTP is useful; it's not useful for the current use
>> case I'm using my Yubikey (which is currently the two-factor
>> authentication on web sites).
>
> I checked and I have OTP disabled on my Yubikey as well; I used 'ykman
> info' to see. I use it as my smart card essentially (as the keys for
> passwords, SSH, signing commits, etc.) as well as two-factor codes.
>
> I found this <https://www.yubico.com/resources/glossary/yubico-otp/>
> about OTP. If I remember now, it is a service that some sites will use
> to use your Yubikey for authentication, as I think LastPass had
> support for (I no longer use that). I think U2F is more ubiquitous and
> used more now anyway. But it is enabled by default and I would guess
> many people don't use it.
The yubikey-manager-qt package has since been added, providing a GUI to
do the same, so I've expound the how-to with it, and installed the change.
Thanks for the review!
--
Maxim
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Thu, 14 Sep 2023 11:24:14 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 281 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.