From 9107c377948000157ea1c46d36d24b7b6a64df7d Mon Sep 17 00:00:00 2001 From: Sandro Keil Date: Tue, 24 Jul 2018 21:50:46 +0200 Subject: [PATCH] Add YubiKey login chapter --- README.md | 13 ++++-- book/arch/02-prepare-disk.md | 2 +- book/arch/03-prepare-yubikey.md | 2 +- book/arch/05-install-arch.md | 13 ++++-- book/arch/07-yubikey-login.md | 82 ++++++++++++++++++++++++++++++++- book/arch/08-minimal-gnome.md | 3 -- book/arch/bookdown.json | 3 +- 7 files changed, 101 insertions(+), 17 deletions(-) delete mode 100644 book/arch/08-minimal-gnome.md diff --git a/README.md b/README.md index 190bb3e..1c6785e 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains: - YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions - Encrypted `/boot` partition - UEFI Secure boot (self signed boot loader) +- YubiKey authentication for user login Currently guides for: @@ -17,11 +18,15 @@ It took me several days to figure out how to set up a fully encrypted machine wi others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step guide to get the above things done. +> I guess the entire manual will take between 1 - 3 hours. + ## Prerequisites You should be familiar with linux and should be able to edit files with `vi` [Vi Cheat Sheet](http://www.lagmonster.org/docs/vi.html). You need an USB stick for the Linux Live environment and a second computer would be useful for look ups and to read this guide while preparing your fully encrypted Linux. +And of cource you will need an [YubiKey](https://www.yubico.com/products/yubikey-hardware/ "Discover YubiKeys"). + ## Documentation For the latest online documentation visit [http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/](http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/ "Latest yubikey-full-disk-encryption-secure-boot-uefi documentation"). 
@@ -30,15 +35,15 @@ Refer the *Quick Start* section for a detailed explanation. Documentation is [in the book tree](book/), and can be compiled using [bookdown](http://bookdown.io) or [Docker](https://www.docker.com/) ```console -$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown book/bookdown.json -$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/doc/html +$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown bookdown.json +$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/html ``` or run *bookdown* ```console -$ ./vendor/bin/bookdown book/bookdown.json -$ php -S 0.0.0.0:8080 -t book/html/ +$ ./vendor/bin/bookdown bookdown.json +$ php -S 0.0.0.0:8080 -t html/ ``` Then browse to [http://localhost:8080/](http://localhost:8080/) diff --git a/book/arch/02-prepare-disk.md b/book/arch/02-prepare-disk.md index bc5fbf2..cbc18b8 100644 --- a/book/arch/02-prepare-disk.md +++ b/book/arch/02-prepare-disk.md @@ -27,4 +27,4 @@ Format the second partition (replace `[device 2nd partition]` with the 2nd parti mkfs.fat -F32 /dev/[device 2nd partition] ``` -The next chapter describes how to prepare the YubiKey. +Great, one step closer for your fully encrypted system. The next chapter describes how to prepare the YubiKey. diff --git a/book/arch/03-prepare-yubikey.md b/book/arch/03-prepare-yubikey.md index 19a6f87..1d33f91 100644 --- a/book/arch/03-prepare-yubikey.md +++ b/book/arch/03-prepare-yubikey.md @@ -13,7 +13,7 @@ make install ## Prepare 2nd slot -Now it's time to prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled. +Now it's time to prepare the second slot of your YubiKey for the challenge response authentication. Touch will be also enabled. ``` ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible 
diff --git a/book/arch/05-install-arch.md b/book/arch/05-install-arch.md index 833aed5..dd5c71a 100644 --- a/book/arch/05-install-arch.md +++ b/book/arch/05-install-arch.md @@ -24,7 +24,7 @@ Check it out with `cat /mnt/etc/fstab` and verify it. ## YubiKey Full Disk Encryption Next step is to copy the [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) folder to the `/mnt` folder because it will be installed later. The YubiKey challenge is stored in a file to make it -available inside the new system. More on that later. +available inside the new system. More on that later. Replace `[Your YubiKey password]` with your YubiKey password. ``` cp -r yubikey-full-disk-encryption /mnt/home/ @@ -33,7 +33,7 @@ echo "export YKFDE_CHALLENGE=$(printf [Your YubiKey password] | sha256sum | awk Copy `/etc/ykde.conf` to `/mnt/home` so you can use this file later in your new environment. -## Mount run +## Mount run folder When running `grub-mkconfig` you will see the error `/run/lvm/lvmetad.socket: connect failed: No such file or directory`. That's why the host `/run` folder must be available inside the `chroot` environment. This is prepared with the following @@ -63,7 +63,7 @@ make install ``` Copy `/home/ykde.conf` to `/etc/ykde.conf` so you have your previous settings or configure the file as described -in [chapter 3 - Prepare YubiKey](03-prepare-yubikey.md). The YubiKey challenge will now be stored in the `ykde.conf` +in chapter *Prepare YubiKey*. The YubiKey challenge will now be stored in the `ykde.conf` file. The environment variable with the YubiKey challenge is loaded into the environment so it can be set into the `ykde.conf` file with the command `sed`. 
@@ -78,7 +78,7 @@ Check that the YubiKey challenge was successfully saved to `/etc/ykde.conf` with The next step is to prepare the `mkinitcpio.conf` to encrypt the partition at boot. Open the file with `vi /etc/mkinitcpio.conf` and replace the *HOOKS* line with the following content. -> Don't add `encrypt` hook, because we ues ykfde !!! +> Don't add `encrypt` hook, because we ues ykfde and respect the order !!! ``` HOOKS=(base udev autodetect consolefont modconf block keymap lvm2 filesystems fsck keyboard ykfde) @@ -198,4 +198,7 @@ boot parition password to see the GRUB boot menu and after that the YubiKey pass the root partition. Good luck! Don't worry if something doesn't work, simply boot from the Arch Linux medium, install the necessary software -to mount your encrypted partitions and check the configs. Maybe an UUID is wrong. \ No newline at end of file +to mount your encrypted partitions and check the configs. Maybe an UUID is wrong. + +Now you can setup your Arch Linux e.g. create own user or add additional stuff [en](https://wiki.archlinux.org/index.php/installation_guide) / [de](https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger). +The next chapter describes how to setup UEFI secure boot. The last piece to bullet proof your full disk encryption. \ No newline at end of file diff --git a/book/arch/07-yubikey-login.md b/book/arch/07-yubikey-login.md index f93bb6a..ad6f34a 100644 --- a/book/arch/07-yubikey-login.md +++ b/book/arch/07-yubikey-login.md 
@@ -1,3 +1,83 @@ # Enable YubiKey Login -TBD +Alright, you have already setup full disk encryption with YubiKey but what good is this if anyone can log in without YubiKey? +This chapter describes how to use the YubiKey for authentication inclusive *sudo*. + +> Have you already created a new user? Don't use *root* user here. + +## Challenge response authentication setup +You can read more about that in [Local Authentication Using Challenge Response](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html). +Let's install the needed package *yubico-pam*: + +``` +sudo pacman -S yubico-pam +``` + +Next step is to set the current user to require the YubiKey for logon with the following commands: + +``` +mkdir $HOME/.yubico +ykpamcfg -2 -v +``` + +It is generally a good idea to move the challenge file in a system-wide path that is only read- and writable by root. + +> It is important that the file is named with the name of the user that is going to be authenticated by this YubiKey. + +``` +sudo mkdir /var/yubico +sudo chown root.root /var/yubico +sudo chmod 700 /var/yubico + +sudo mv ~/.yubico/challenge-123456 /var/yubico/[username]-123456 +sudo chown root.root /var/yubico/[username]-123456 +sudo chmod 600 /var/yubico/[username]-123456 +``` + +## Activation +Let's active the YubiKey for logon. For this open the file with `vi /etc/pam.d/system-auth` and add the following line +after the *pam_unix.so* line. + +> Please login to another tty in case of something goes wrong so you can deactivate it. Don't forget to become root. + +``` +auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico +``` + +The complete file should look something like this. 
+ +``` +#%PAM-1.0 + +auth required pam_unix.so try_first_pass nullok +auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico +auth optional pam_permit.so +auth required pam_env.so + +account required pam_unix.so +account optional pam_permit.so +account required pam_time.so + +password required pam_unix.so try_first_pass nullok sha512 shadow +password optional pam_permit.so + +session required pam_limits.so +session required pam_unix.so +session optional pam_permit.so +``` + +## Test it +Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to +another tty and try to login. After you have entered your password, the YubiKey should flash and you have to touch the +YubiKey button. Good luck! + +**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the +following goals which is really awesome! + +- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions +- Encrypted `/boot` partition +- UEFI Secure boot (self signed boot loader) +- YubiKey authentication for user login + +If you have any suggestions don't hesitate to [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue") to improve this guide. +Also spread the word about this guide so more people can secure their system. \ No newline at end of file diff --git a/book/arch/08-minimal-gnome.md b/book/arch/08-minimal-gnome.md deleted file mode 100644 index 22ea6c5..0000000 --- a/book/arch/08-minimal-gnome.md +++ /dev/null @@ -1,3 +0,0 @@ -# Install minimal GNOME desktop - -TBD diff --git a/book/arch/bookdown.json b/book/arch/bookdown.json index 901c1d9..b80ebe4 100644 --- a/book/arch/bookdown.json +++ b/book/arch/bookdown.json 
@@ -7,8 +7,7 @@ {"prepare-volumes": "04-prepare-volumes.md"}, {"install-arch": "05-install-arch.md"}, {"secure-boot": "06-secure-boot.md"}, - {"yubikey-login": "07-yubikey-login.md"}, - {"minimal-gnome": "08-minimal-gnome.md"} + {"yubikey-login": "07-yubikey-login.md"} ], "theme": { "toc": {
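Review bot: the added Prerequisites sentence in `README.md` has a typo and an article error: `And of cource you will need an [YubiKey](...)` should read `And of course you will need a [YubiKey](...)`. In the same hunk, `between 1 - 3 hours` in the added blockquote reads better as `between 1 and 3 hours`.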
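Review bot: the rewritten build commands in `README.md` drop the `book/` prefix (`sandrokeil/bookdown bookdown.json`, `-t /app/html`, `./vendor/bin/bookdown bookdown.json`, `-t html/`) while the sentence above them still says the documentation lives in the `book/` tree, and the only bookdown config this patch touches is `book/arch/bookdown.json`. Run from the repository root with `-v $(pwd):/app`, `docker run ... sandrokeil/bookdown bookdown.json` will not find that file. Either state which directory the reader must `cd` into first (and mount that directory as `/app`), or keep the paths relative to the repository root as before.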
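Review bot: grammar in the added line of `book/arch/02-prepare-disk.md`: `one step closer for your fully encrypted system` should be `one step closer to your fully encrypted system`.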
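Review bot: the reworded line in `book/arch/03-prepare-yubikey.md` keeps `Touch will be also enabled`; `Touch will also be enabled` is the natural order. Since the new login chapter names the challenge file after the key's serial number (`challenge-123456`), it would also help to say here that `-oserial-api-visible` in the `ykpersonalize` line below is what lets `ykpamcfg` read that serial, so readers do not drop the flag.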
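Review bot: the added instruction in `book/arch/05-install-arch.md` to substitute the real password into `echo "export YKFDE_CHALLENGE=$(printf [Your YubiKey password] | sha256sum | awk ...` puts the password on the command line, where it lands in the live session's shell history and is visible in `ps` while `printf` runs; `printf` with no `'%s'` format will also mangle a password containing `%` or beginning with `-`. Suggest reading it interactively, e.g. `read -rs YKFDE_PASSWORD` followed by `printf '%s' "$YKFDE_PASSWORD" | sha256sum | awk ...`, and reminding the reader that the challenge copied to `/mnt/home` is derived from the password and should be removed from `/home` once it has been written to `/etc/ykde.conf` later in the chapter.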
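Review bot: the reworded warning in `book/arch/05-install-arch.md` still carries the typo `ues` (`because we ues ykfde and respect the order !!!`), and `respect the order` does not say which order matters. Spell out that `ykfde` replaces the `encrypt` hook and where `ykfde` must sit relative to `lvm2`, `filesystems` and `keyboard` in the `HOOKS=(...)` line that follows, so the reader has something concrete to check against.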
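Review bot: the added closing paragraph in `book/arch/05-install-arch.md` overstates the next chapter: signing the boot loader lets the firmware refuse a replaced loader, it does not make the disk encryption `bullet proof`; `The last piece to complete your full disk encryption setup.` is accurate. Also `setup` is the noun and `set up` the verb, so `Now you can setup your Arch Linux e.g. create own user` should be `Now you can set up your Arch Linux, e.g. create your own user`, and `how to setup UEFI secure boot` should be `how to set up UEFI Secure Boot`.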
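Review bot: in the new `## Challenge response authentication setup` section of `book/arch/07-yubikey-login.md`, `123456` in `sudo mv ~/.yubico/challenge-123456 /var/yubico/[username]-123456` is the key's serial number, but the text never says so; state that `ykpamcfg -2 -v` writes `~/.yubico/challenge-<serial>` and that the destination must keep the same serial, otherwise `pam_yubico.so` with `chalresp_path=/var/yubico` finds no file and, being `required`, locks the user out. Before the reader edits `/etc/pam.d/system-auth`, have them confirm with `ls -l /var/yubico` that the file exists as `-rw------- root root`, and use `chown root:root` rather than the old `root.root` spelling. Worth a sentence that the module rewrites this file with a fresh challenge after every successful authentication, which is why the root-only permissions only work for services that run as root (login, `su`, `sudo`). The `## Test it` section checks only a tty login although the intro promises `inclusive *sudo*`; add `sudo -k && sudo true` to the test so the reader sees the touch prompt there too. Finally, `what good is this if anyone can log in without YubiKey?` reads as if password login were unprotected; `without a second factor` is what the chapter actually adds.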