Subject: bug#59454: [PATCH] doc: Add a security keys section to the cookbook.
From: Maxim Cournoyer
To: John Kehayias
Cc: 59454-done@debbugs.gnu.org
Date: Fri, 25 Nov 2022 10:37:04 -0500
Message-ID: <87lenzjba7.fsf@gmail.com>
In-Reply-To: <877czmfgy5.fsf@protonmail.com> (John Kehayias's message of "Wed, 23 Nov 2022 04:11:40 +0000")
Hi John,

John Kehayias writes:

> Hi Maxim,
>
> Thanks for this addition, I think it will definitely be useful to many
> people. Overall it looks good, a few minor notes on the text after I
> add some of my confusion to the udev rules question.

Thanks!

> For the udev rules, I tried without the plugdev group and it seemed
> like everything worked for me (though note I also use the pcscd
> service). In the past, I've had the plugdev group for the udev rules
> but not my user. I'm not sure why that is, perhaps the "uaccess" part
> of the rules? (I don't know much about this at all.) However, I did
> get system log messages "udevd[258]: specified group 'plugdev'
> unknown" which I'm guessing is due to me leaving that out of the udev
> rules service.

[...]

I think it may well be required for some use cases; if you grep the
libfido2 package for "plugdev", you'll find plenty of references in the
70-u2f.rules file like:

--8<---------------cut here---------------start------------->8---
/gnu/store/vy2pry1q2b1hhibsq4qchnr0v2xyah0r-libfido2-1.12.0/lib/udev/rules.d/70-u2f.rules:226:KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="a6e9", TAG+="uaccess", GROUP="plugdev", MODE="0660"
--8<---------------cut here---------------end--------------->8---

> A few minor notes on the text now:
>
>> +The use of security keys can improve your security by providing a second
>> +authentication source that cannot be easily stolen or copied (similar to
>> +the protection provided by mechanical keys for the door of your home or
>> +apartment), which reduces the risk of impersonation.
>> +
>
> Not to get into the weeds here, but maybe we can use the "standard"
> this is the "something you have" part of multi-factor authentication
> (the "one you know" being a password, of course).

I removed the door keys/locks example and rephrased it like:

--8<---------------cut here---------------start------------->8---
The use of security keys can improve your security by providing a second
authentication source that cannot be easily stolen or copied, at least
for a remote adversary (something that you have), to the main secret (a
passphrase -- something that you know), reducing the risk of
impersonation.
--8<---------------cut here---------------end--------------->8---

I hope that's a bit better.

> Also, should we use the keyword Universal 2nd Factor (U2F) standard
> somewhere? I believe this is the setup we need for that, but don't
> quote me on that.

I plugged that in the context indices:

@cindex U2F, Universal 2nd Factor

>> +The example configuration detailed below showcases what minimal
>> +configuration needs to be made on your Guix System to allow the use of a
>> +Yubico security key. We hope the configuration can be useful for other
>> +security keys as well, with minor adjustments.
>> +
>
> Super minor: do we use the "we" form much in the manual, at least in
> the system reference parts?

I think we try to refrain from doing so indeed, although the cookbook
feels a lot less formal to me than the reference manual. I've adjusted
to use 'It is hoped [...]'.

>> +@subsection Configuration for use as a two-factor authenticator (2FA)
>> +
>> +Two be usable, the udev rules of the system should be extended with
>> +key-specific rules. The following show how to extend your udev rules
>> +with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
>> +the @code{libfido2} package from the @code{(gnu packages
>> +security-token)} module and add your user to the @samp{"plugdev"} group
>> +it uses:
>> +
>
> Minor typos: "Two" -> "To", "show" -> "shows"; comment above for "you"
> here.

Oof, thanks for catching these. I think it's fine to address the reader
as "you".

>> +@lisp
>> +(use-package-modules ... security-token ...)
>> +...
>> +(operating-system
>> +  ...
>> +  (users (cons* (user-account
>> +                 (name "your-user")
>> +                 (group "users")
>> +                 (supplementary-groups
>> +                  '("wheel" "netdev" "audio" "video"
>> +                    "plugdev")) ;<- added system group
>> +                 (home-directory "/home/your-user"))
>> +                %base-user-accounts))
>> +  ...
>> +  (services
>> +   (cons*
>> +    ...
>> +    (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
>> +@end lisp
>> +
>> +After re-configuring your system and re-login to your graphical session,
>> +you can verify that your key is usable by launching:
>> +
>
> Minor: "re-login" probably should be "re-logging in" maybe?

I think so :-).

> I'm guessing logging in again is needed due to the group change?
> (Otherwise we have the nice change you made so that udev rules get
> picked up automatically, right?)

Yes. I clarified this a bit.

>> +@example
>> +guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
>> +@end example
>> +
>
> Perhaps a simple website for testing u2f that works in other browsers?
> Sorry, don't have any off the top of my head, just wondering (as I
> don't normally use chromium).

The problem with websites is that they typically use nonfree JavaScript.
I don't know of a smaller local tool to demo security keys
unfortunately; it'd be nice to have one!

>> +and validating that the security key can be reset via the ``Reset your
>> +security key'' menu. If it works, congratulations, your security key is
>> +ready to be used with applications supporting two-factors authentication
>> +(2FA).
>
> Not familiar with the chromium settings here, is there something less
> potentially drastic to check? I didn't dare touch that as my security
> key is already set up (private keys backed up of course, but still).

I'm not sure. I feel the resetting of the key should only affect the
operation of Chromium rather than like erase your secrets off your key,
but don't take my word for it, it's just a guess.
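Review bot: the verification step in the last quoted hunk ("validating that the security key can be reset via the ``Reset your security key'' menu") tells the reader to confirm the setup with a destructive action: on a FIDO2/CTAP2 authenticator that Chromium menu performs a device reset that erases the credentials and PIN stored on the key, not just Chromium-side state, so a reader following the cookbook with an already enrolled key would lose that data. Suggest rewording the check to a non-destructive one in the same settings page (for example, that the key is detected and the PIN or sign-in data management dialog opens) and, if the reset is kept as an option, adding a sentence stating plainly that it wipes the key's contents.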
> Sorry for some of the more nitpick-y text things, probably reading and
> grading too many papers recently :) Overall will be a nice addition,
> thanks!

Thanks a lot for going through it! It sure came out better.

Now pushed!

--
Thanks,
Maxim
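As an added example, not part of this thread or of the Guix patch, the following POSIX shell check targets the condition behind the "specified group 'plugdev' unknown" message discussed above: it lists the groups a udev rules file references via GROUP="..." and flags those absent from a group database, and it tests whether a user is a supplementary member of a group. The rules and group file contents are constructed samples (one rule line is the one quoted in the thread); the function names and temp paths are my own.

```shell
#!/bin/sh
# Added example: groups referenced by a udev rules file that have no entry
# in a group database (what udevd reports as "specified group '...'
# unknown"), plus a supplementary-group membership check.

# missing_udev_groups RULES_FILE GROUP_FILE
# Prints each GROUP="name" value in RULES_FILE that has no entry in
# GROUP_FILE (normally /etc/group). Comment lines are ignored.
missing_udev_groups() {
    sed -n 's/^[^#]*GROUP="\([^"]*\)".*/\1/p' "$1" | sort -u |
    while IFS= read -r grp; do
        # group file lines look like name:x:gid:member1,member2
        cut -d: -f1 "$2" | grep -qx -- "$grp" || printf '%s\n' "$grp"
    done
}

# user_in_group USER GROUP GROUP_FILE
# Succeeds when USER appears in GROUP's member list. Only supplementary
# membership is checked; the user's primary group (gid) is not consulted,
# which matches the cookbook's supplementary-groups setting.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# make_sample: writes constructed sample files into a temp dir and prints
# its path. The first rule is the libfido2 line quoted in the thread; the
# second rule and the group entries are made up for the demonstration.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/70-u2f.rules" <<'EOF'
# constructed sample standing in for libfido2's 70-u2f.rules
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="311f", ATTRS{idProduct}=="a6e9", TAG+="uaccess", GROUP="plugdev", MODE="0660"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ATTRS{idVendor}=="0000", GROUP="dialout", MODE="0660"
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
dialout:x:20:
users:x:100:your-user
EOF
    printf '%s\n' "$d"
}

# Demonstration: plugdev is referenced by the rules but missing from the
# group file (the udevd warning case), and your-user is not in plugdev yet.
d=$(make_sample)
missing_udev_groups "$d/70-u2f.rules" "$d/group"
user_in_group your-user plugdev "$d/group" || echo "your-user is not in plugdev"
rm -rf "$d"
```

On a Guix System the same check would be pointed at the store copy of 70-u2f.rules and at /etc/group; a group that the udev-rules-service does not declare with #:groups will show up in the first function's output.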