Add YubiKey login chapter

2018-07-24 21:50:46 +02:00
parent bdac650c5e
commit 9107c37794
7 changed files with 101 additions and 17 deletions
--- a/book/arch/02-prepare-disk.md
+++ b/book/arch/02-prepare-disk.md
@@ -27,4 +27,4 @@ Format the second partition (replace `[device 2nd partition]` with the 2nd parti
 mkfs.fat -F32 /dev/[device 2nd partition]
 ```

-The next chapter describes how to prepare the YubiKey.
+Great, one step closer for your fully encrypted system. The next chapter describes how to prepare the YubiKey.
--- a/book/arch/03-prepare-yubikey.md
+++ b/book/arch/03-prepare-yubikey.md
@@ -13,7 +13,7 @@ make install


 ## Prepare 2nd slot
-Now it's time to prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled.
+Now it's time to prepare the second slot of your YubiKey for the challenge response authentication. Touch will be also enabled.

 ```
 ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
--- a/book/arch/05-install-arch.md
+++ b/book/arch/05-install-arch.md
@@ -24,7 +24,7 @@ Check it out with `cat /mnt/etc/fstab` and verify it.
 ## YubiKey Full Disk Encryption
 Next step is to copy the [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) folder
 to the `/mnt` folder because it will be installed later. The YubiKey challenge is stored in a file to make it
-available inside the new system. More on that later.
+available inside the new system. More on that later. Replace `[Your YubiKey password]` with your YubiKey password.

 ```
 cp -r yubikey-full-disk-encryption /mnt/home/
@@ -33,7 +33,7 @@ echo "export YKFDE_CHALLENGE=$(printf [Your YubiKey password] | sha256sum | awk

 Copy `/etc/ykde.conf` to `/mnt/home` so you can use this file later in your new environment.  

-## Mount run
+## Mount run folder

 When running `grub-mkconfig` you will see the error `/run/lvm/lvmetad.socket: connect failed: No such file or directory`.
 That's why the host `/run` folder must be available inside the `chroot` environment. This is prepared with the following
@@ -63,7 +63,7 @@ make install
 ```

 Copy `/home/ykde.conf` to  `/etc/ykde.conf` so you have your previous settings or configure the file as described 
-in [chapter 3 - Prepare YubiKey](03-prepare-yubikey.md). The YubiKey challenge will now be stored in the `ykde.conf` 
+in chapter *Prepare YubiKey*. The YubiKey challenge will now be stored in the `ykde.conf` 
 file. The environment variable with the YubiKey challenge is loaded into the environment so it can be set 
 into the `ykde.conf` file with the command `sed`.

@@ -78,7 +78,7 @@ Check that the YubiKey challenge was successfully saved to `/etc/ykde.conf` with
 The next step is to prepare the `mkinitcpio.conf` to encrypt the partition at boot. Open the file with 
 `vi /etc/mkinitcpio.conf` and replace the *HOOKS* line with the following content.

-> Don't add `encrypt` hook, because we ues ykfde !!!
+> Don't add `encrypt` hook, because we ues ykfde and respect the order !!!

 ```
 HOOKS=(base udev autodetect consolefont modconf block keymap lvm2 filesystems fsck keyboard ykfde)
@@ -198,4 +198,7 @@ boot parition password to see the GRUB boot menu and after that the YubiKey pass
 the root partition. 

 Good luck! Don't worry if something doesn't work, simply boot from the Arch Linux medium, install the necessary software 
-to mount your encrypted partitions and check the configs. Maybe an UUID is wrong.
+to mount your encrypted partitions and check the configs. Maybe an UUID is wrong.
+
+Now you can setup your Arch Linux e.g. create own user or add additional stuff [en](https://wiki.archlinux.org/index.php/installation_guide) / [de](https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger).
+The next chapter describes how to setup UEFI secure boot. The last piece to bullet proof your full disk encryption.
--- a/book/arch/07-yubikey-login.md
+++ b/book/arch/07-yubikey-login.md
@@ -1,3 +1,83 @@
 # Enable YubiKey Login

-TBD
+Alright, you have already setup full disk encryption with YubiKey but what good is this if anyone can log in without YubiKey?
+This chapter describes how to use the YubiKey for authentication inclusive *sudo*.
+
+> Have you already created a new user? Don't use *root* user here.
+
+## Challenge response authentication setup
+You can read more about that in [Local Authentication Using Challenge Response](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
+Let's install the needed package *yubico-pam*:
+
+```
+sudo pacman -S yubico-pam
+```
+
+Next step is to set the current user to require the YubiKey for logon with the following commands:
+
+```
+mkdir $HOME/.yubico
+ykpamcfg -2 -v
+```
+
+It is generally a good idea to move the challenge file in a system-wide path that is only read- and writable by root.
+
+> It is important that the file is named with the name of the user that is going to be authenticated by this YubiKey.
+
+```
+sudo mkdir /var/yubico
+sudo chown root.root /var/yubico
+sudo chmod 700 /var/yubico
+
+sudo mv ~/.yubico/challenge-123456 /var/yubico/[username]-123456
+sudo chown root.root /var/yubico/[username]-123456
+sudo chmod 600 /var/yubico/[username]-123456
+```
+
+## Activation
+Let's active the YubiKey for logon. For this open the file with `vi /etc/pam.d/system-auth` and add the following line
+after the *pam_unix.so* line.
+
+> Please login to another tty in case of something goes wrong so you can deactivate it. Don't forget to become root.
+
+```
+auth   required        pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
+```
+
+The complete file should look something like this.
+
+```
+#%PAM-1.0
+
+auth      required  pam_unix.so     try_first_pass nullok
+auth      required  pam_yubico.so   mode=challenge-response chalresp_path=/var/yubico 
+auth      optional  pam_permit.so
+auth      required  pam_env.so
+
+account   required  pam_unix.so
+account   optional  pam_permit.so
+account   required  pam_time.so
+
+password  required  pam_unix.so     try_first_pass nullok sha512 shadow
+password  optional  pam_permit.so
+
+session   required  pam_limits.so
+session   required  pam_unix.so
+session   optional  pam_permit.so
+```
+
+## Test it
+Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to 
+another tty and try to login. After you have entered your password, the YubiKey should flash and you have to touch the
+YubiKey button. Good luck!
+
+**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the 
+following goals which is really awesome!
+
+- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
+- Encrypted `/boot` partition
+- UEFI Secure boot (self signed boot loader)
+- YubiKey authentication for user login
+
+If you have any suggestions don't hesitate to [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue") to improve this guide.
+Also spread the word about this guide so more people can secure their system.
--- a/book/arch/08-minimal-gnome.md
+++ b/book/arch/08-minimal-gnome.md
@@ -1,3 +0,0 @@
-# Install minimal GNOME desktop
-
-TBD
--- a/book/arch/bookdown.json
+++ b/book/arch/bookdown.json
@@ -7,8 +7,7 @@
        {"prepare-volumes": "04-prepare-volumes.md"},
        {"install-arch": "05-install-arch.md"},
        {"secure-boot": "06-secure-boot.md"},
-        {"yubikey-login": "07-yubikey-login.md"},
-        {"minimal-gnome": "08-minimal-gnome.md"}
+        {"yubikey-login": "07-yubikey-login.md"}
    ],
    "theme": {
        "toc": {