dede/ykfde
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add YubiKey login chapter

Browse Source
This commit is contained in:
Sandro Keil
2018-07-24 21:50:46 +02:00
parent bdac650c5e
commit 9107c37794
7 changed files with 101 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@@ -7,6 +7,7 @@ via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:
- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
- Encrypted `/boot` partition
- UEFI Secure boot (self signed boot loader)
- YubiKey authentication for user login
Currently guides for:
@@ -17,11 +18,15 @@ It took me several days to figure out how to set up a fully encrypted machine wi
others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step
guide to get the above things done.
> I guess the entire manual will take between 1 - 3 hours.
## Prerequisites
You should be familiar with linux and should be able to edit files with `vi` [Vi Cheat Sheet](http://www.lagmonster.org/docs/vi.html).
You need an USB stick for the Linux Live environment and a second computer would be useful for look ups and to read this guide while
preparing your fully encrypted Linux.
And of cource you will need an [YubiKey](https://www.yubico.com/products/yubikey-hardware/ "Discover YubiKeys").
## Documentation
For the latest online documentation visit [http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/](http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/ "Latest yubikey-full-disk-encryption-secure-boot-uefi documentation").
@@ -30,15 +35,15 @@ Refer the *Quick Start* section for a detailed explanation.
Documentation is [in the book tree](book/), and can be compiled using [bookdown](http://bookdown.io) or [Docker](https://www.docker.com/)
```console
$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown book/bookdown.json
$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/doc/html
$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown bookdown.json
$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/html
```
or run *bookdown*
```console
$ ./vendor/bin/bookdown book/bookdown.json
$ php -S 0.0.0.0:8080 -t book/html/
$ ./vendor/bin/bookdown bookdown.json
$ php -S 0.0.0.0:8080 -t html/
```
Then browse to [http://localhost:8080/](http://localhost:8080/)

2
book/arch/02-prepare-disk.md
View File

@@ -27,4 +27,4 @@ Format the second partition (replace `[device 2nd partition]` with the 2nd parti
mkfs.fat -F32 /dev/[device 2nd partition]
```
The next chapter describes how to prepare the YubiKey.
Great, one step closer for your fully encrypted system. The next chapter describes how to prepare the YubiKey.

2
book/arch/03-prepare-yubikey.md
View File

@@ -13,7 +13,7 @@ make install
## Prepare 2nd slot
Now it's time to prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled.
Now it's time to prepare the second slot of your YubiKey for the challenge response authentication. Touch will be also enabled.
```
ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible

13
book/arch/05-install-arch.md
View File

@@ -24,7 +24,7 @@ Check it out with `cat /mnt/etc/fstab` and verify it.
## YubiKey Full Disk Encryption
Next step is to copy the [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) folder
to the `/mnt` folder because it will be installed later. The YubiKey challenge is stored in a file to make it
available inside the new system. More on that later.
available inside the new system. More on that later. Replace `[Your YubiKey password]` with your YubiKey password.
```
cp -r yubikey-full-disk-encryption /mnt/home/
@@ -33,7 +33,7 @@ echo "export YKFDE_CHALLENGE=$(printf [Your YubiKey password] | sha256sum | awk
Copy `/etc/ykde.conf` to `/mnt/home` so you can use this file later in your new environment.
## Mount run
## Mount run folder
When running `grub-mkconfig` you will see the error `/run/lvm/lvmetad.socket: connect failed: No such file or directory`.
That's why the host `/run` folder must be available inside the `chroot` environment. This is prepared with the following
@@ -63,7 +63,7 @@ make install
```
Copy `/home/ykde.conf` to `/etc/ykde.conf` so you have your previous settings or configure the file as described
in [chapter 3 - Prepare YubiKey](03-prepare-yubikey.md). The YubiKey challenge will now be stored in the `ykde.conf`
in chapter *Prepare YubiKey*. The YubiKey challenge will now be stored in the `ykde.conf`
file. The environment variable with the YubiKey challenge is loaded into the environment so it can be set
into the `ykde.conf` file with the command `sed`.
@@ -78,7 +78,7 @@ Check that the YubiKey challenge was successfully saved to `/etc/ykde.conf` with
The next step is to prepare the `mkinitcpio.conf` to encrypt the partition at boot. Open the file with
`vi /etc/mkinitcpio.conf` and replace the *HOOKS* line with the following content.
> Don't add `encrypt` hook, because we ues ykfde !!!
> Don't add `encrypt` hook, because we ues ykfde and respect the order !!!
```
HOOKS=(base udev autodetect consolefont modconf block keymap lvm2 filesystems fsck keyboard ykfde)
@@ -198,4 +198,7 @@ boot parition password to see the GRUB boot menu and after that the YubiKey pass
the root partition.
Good luck! Don't worry if something doesn't work, simply boot from the Arch Linux medium, install the necessary software
to mount your encrypted partitions and check the configs. Maybe an UUID is wrong.
to mount your encrypted partitions and check the configs. Maybe an UUID is wrong.
Now you can setup your Arch Linux e.g. create own user or add additional stuff [en](https://wiki.archlinux.org/index.php/installation_guide) / [de](https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger).
The next chapter describes how to setup UEFI secure boot. The last piece to bullet proof your full disk encryption.

82
book/arch/07-yubikey-login.md
View File

@@ -1,3 +1,83 @@
# Enable YubiKey Login
TBD
Alright, you have already setup full disk encryption with YubiKey but what good is this if anyone can log in without YubiKey?
This chapter describes how to use the YubiKey for authentication inclusive *sudo*.
> Have you already created a new user? Don't use *root* user here.
## Challenge response authentication setup
You can read more about that in [Local Authentication Using Challenge Response](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
Let's install the needed package *yubico-pam*:
```
sudo pacman -S yubico-pam
```
Next step is to set the current user to require the YubiKey for logon with the following commands:
```
mkdir $HOME/.yubico
ykpamcfg -2 -v
```
It is generally a good idea to move the challenge file in a system-wide path that is only read- and writable by root.
> It is important that the file is named with the name of the user that is going to be authenticated by this YubiKey.
```
sudo mkdir /var/yubico
sudo chown root.root /var/yubico
sudo chmod 700 /var/yubico
sudo mv ~/.yubico/challenge-123456 /var/yubico/[username]-123456
sudo chown root.root /var/yubico/[username]-123456
sudo chmod 600 /var/yubico/[username]-123456
```
## Activation
Let's active the YubiKey for logon. For this open the file with `vi /etc/pam.d/system-auth` and add the following line
after the *pam_unix.so* line.
> Please login to another tty in case of something goes wrong so you can deactivate it. Don't forget to become root.
```
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
```
The complete file should look something like this.
```
#%PAM-1.0
auth required pam_unix.so try_first_pass nullok
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
```
## Test it
Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to
another tty and try to login. After you have entered your password, the YubiKey should flash and you have to touch the
YubiKey button. Good luck!
**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the
following goals which is really awesome!
- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
- Encrypted `/boot` partition
- UEFI Secure boot (self signed boot loader)
- YubiKey authentication for user login
If you have any suggestions don't hesitate to [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue") to improve this guide.
Also spread the word about this guide so more people can secure their system.

3
book/arch/08-minimal-gnome.md
View File

@@ -1,3 +0,0 @@
# Install minimal GNOME desktop
TBD

3
book/arch/bookdown.json
View File

@@ -7,8 +7,7 @@
{"prepare-volumes": "04-prepare-volumes.md"},
{"install-arch": "05-install-arch.md"},
{"secure-boot": "06-secure-boot.md"},
{"yubikey-login": "07-yubikey-login.md"},
{"minimal-gnome": "08-minimal-gnome.md"}
{"yubikey-login": "07-yubikey-login.md"}
],
"theme": {
"toc": {