Subject: [bug#59454] [PATCH] doc: Add a security keys section to the cookbook.
From: John Kehayias via Guix-patches
To: 59454@debbugs.gnu.org, Maxim Cournoyer
Date: Wed, 23 Nov 2022 04:11:40 +0000
Message-ID: <877czmfgy5.fsf@protonmail.com>
In-Reply-To: <20221121200256.2680-1-maxim.cournoyer@gmail.com>
Hi Maxim,

Thanks for this addition, I think it will definitely be useful to many people. Overall it looks good, a few minor notes on the text after I add some of my confusion to the udev rules question.

For the udev rules, I tried without the plugdev group and it seemed like everything worked for me (though note I also use the pcscd service). In the past, I've had the plugdev group for the udev rules but not my user. I'm not sure why that is, perhaps the "uaccess" part of the rules? (I don't know much about this at all.) However, I did get system log messages "udevd[258]: specified group 'plugdev' unknown" which I'm guessing is due to me leaving that out of the udev rules service.

I'm not sure how we want to handle that in this documentation. I wouldn't be surprised if something does need the user to be in the plugdev group, I just haven't encountered it. Perhaps then keep it as is to be on the safe side since I can't think of a clear downside other than having one more group?

To add a little more confusion, on my Arch system I see no such udev rules. The only one I have for a Yubikey is from the equivalent of our yubikey-personalization package and which doesn't have any match for my particular Yubikey. But everything works there as well.
Anyway, likely some other details there (some general rules for security keys?), just thought I'd mention that.

A few minor notes on the text now:

> +The use of security keys can improve your security by providing a second
> +authentication source that cannot be easily stolen or copied (similar to
> +the protection provided by mechanical keys for the door of your home or
> +apartment), which reduces the risk of impersonation.
> +

Not to get into the weeds here, but maybe we can use the "standard" this is the "something you have" part of multi-factor authentication (the "one you know" being a password, of course).

Also, should we use the keyword Universal 2nd Factor (U2F) standard somewhere? I believe this is the setup we need for that, but don't quote me on that.

> +The example configuration detailed below showcases what minimal
> +configuration needs to be made on your Guix System to allow the use of a
> +Yubico security key. We hope the configuration can be useful for other
> +security keys as well, with minor adjustments.
> +

Super minor: do we use the "we" form much in the manual, at least in the system reference parts?

> +@subsection Configuration for use as a two-factor authenticator (2FA)
> +
> +Two be usable, the udev rules of the system should be extended with
> +key-specific rules. The following show how to extend your udev rules
> +with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
> +the @code{libfido2} package from the @code{(gnu packages
> +security-token)} module and add your user to the @samp{"plugdev"} group
> +it uses:
> +

Minor typos: "Two" -> "To", "show" -> "shows"; comment above for "you" here.

> +@lisp
> +(use-package-modules ... security-token ...)
> +...
> +(operating-system
> +  ...
> +  (users (cons* (user-account
> +                 (name "your-user")
> +                 (group "users")
> +                 (supplementary-groups
> +                  '("wheel" "netdev" "audio" "video"
> +                    "plugdev"))        ;<- added system group
> +                 (home-directory "/home/your-user"))
> +                %base-user-accounts))
> +  ...
> +  (services
> +   (cons*
> +    ...
> +    (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
> +@end lisp
> +
> +After re-configuring your system and re-login to your graphical session,
> +you can verify that your key is usable by launching:
> +

Minor: "re-login" probably should be "re-logging in" maybe?

I'm guessing logging in again is needed due to the group change? (Otherwise we have the nice change you made so that udev rules get picked up automatically, right?)

> +@example
> +guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
> +@end example
> +

Perhaps a simple website for testing u2f that works in other browsers? Sorry, don't have any off the top of my head, just wondering (as I don't normally use chromium).

> +and validating that the security key can be reset via the ``Reset your
> +security key'' menu. If it works, congratulations, your security key is
> +ready to be used with applications supporting two-factors authentication
> +(2FA).

Not familiar with the chromium settings here, is there something less potentially drastic to check? I didn't dare touch that as my security key is already set up (private keys backed up of course, but still).

Sorry for some of the more nitpick-y text things, probably reading and grading too many papers recently :)

Overall will be a nice addition, thanks!

John
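Review bot: in the @subsection hunk the prose tells the reader to add their user to the @samp{"plugdev"} group "it uses", but never says that the `#:groups '("plugdev")` argument to `udev-rules-service` is what creates that system group; the "udevd: specified group 'plugdev' unknown" message reported earlier in this reply is exactly what happens when that argument is dropped while the rule file still names the group. Suggest stating it explicitly after the @lisp block, e.g. "The @code{#:groups} argument creates the @samp{plugdev} system group that the rule file refers to; keep it even if you choose not to add your user to that group." The `;<- added system group` comment also sits on the user account's supplementary-groups line, whereas the group itself is created by the service line, so pointing the comment at `(udev-rules-service ...)` as well would avoid the same confusion.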
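Review bot: the verification step in the last hunk asks a first-time reader to confirm that the key "can be reset" from chrome://settings/securityKeys, but on a FIDO2 authenticator a reset is destructive (it deletes the credentials stored on the device and clears its PIN), so it is the wrong check for a key that may already be in use, as the concern raised above about an already-configured key shows. A non-destructive check is available from the same `libfido2` package the hunk already configures: `fido2-token -L` lists the attached authenticators and only succeeds when the udev rule has granted the user access to the device (this assumes the Guix `libfido2` package installs the `fido2-token` tool). Suggest replacing the reset instruction with that command, or at least warning that the reset menu wipes the key. Also in the same hunk, "two-factors authentication" should read "two-factor authentication".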