unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed
* security key for login
@ 2025-01-02 15:57 BP25
  2025-01-04 20:41 ` Fredrik Salomonsson
  2025-01-06 16:43 ` Thom Harmon via
  0 siblings, 2 replies; 4+ messages in thread
From: BP25 @ 2025-01-02 15:57 UTC (permalink / raw)
  To: help-guix

Hello,

Does anyone know how to use a security key with Guix for login
(unlocking the screensaver and waking up from suspend)? And if yes,
which key would it be? Would it work when the dm is exwm? The section
3.4 Using security keys doesn't provide these info...

Thanks so much!


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: security key for login
  2025-01-02 15:57 security key for login BP25
@ 2025-01-04 20:41 ` Fredrik Salomonsson
  2025-01-07 11:40   ` bp25
  2025-01-06 16:43 ` Thom Harmon via
  1 sibling, 1 reply; 4+ messages in thread
From: Fredrik Salomonsson @ 2025-01-04 20:41 UTC (permalink / raw)
  To: BP25, help-guix

Hi,

BP25 <bp25@riseup.net> writes:

> Does anyone know how to use a security key with Guix for login
> (unlocking the screensaver and waking up from suspend)?

I'm using a security key to unlock the screensaver.  I still need to
press the power button to wake up the machine and hit enter to trigger
the key.

My setup is sway and swaylock for the screensaver.  To get it working
with my key I first needed to disable the PAM rules for swaylock [0].
Then added my own PAM rules for it [1] — which just specifies that
authenticating with the key is sufficient.  And that works ok.  Only
downside is that unlocking with only the password is slow.  It will
still prompt you to press the key and you would need to wait until that
times out to unlock the screensaver.  However If you don't have the key
plugged in, unlocking with a password works as normal.

> And if yes, which key would it be?

I'm using a yubikey 5 NFC.  But I would think any security key that
supports the FIDO U2F protocol should work.  As I'm using the pam-u2f
module for this.

> Would it work when the dm is exwm?  The section 3.4 Using security
> keys doesn't provide these info...

I'm far from an expert when it comes to authentication and PAM.  But if I
understand things correctly as long as your screensaver is using PAM to
authenticate then pam-u2f should work.  Setting things up would be
similar to what I did with swaylock.

This email thread about Guix PAM service, might also be of help to you [2].

[0]
https://git.sr.ht/~plattfot/plt/tree/58ecdc9a285261b1d974b9d3ace95337fc841c5e/item/plt/system/machines.scm#L178
[1] https://git.sr.ht/~plattfot/plt/tree/58ecdc9a285261b1d974b9d3ace95337fc841c5e/item/plt/system/u2f.scm
[2] https://lists.gnu.org/archive/html/help-guix/2024-08/msg00028.html

-- 
s/Fred[re]+i[ck]+/Fredrik/g


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: security key for login
  2025-01-02 15:57 security key for login BP25
  2025-01-04 20:41 ` Fredrik Salomonsson
@ 2025-01-06 16:43 ` Thom Harmon via
  1 sibling, 0 replies; 4+ messages in thread
From: Thom Harmon via @ 2025-01-06 16:43 UTC (permalink / raw)
  To: help-guix

On Thu, 2025-01-02 at 15:57 +0000, BP25 wrote:
> Hello,
> 
> Does anyone know how to use a security key with Guix for login
> (unlocking the screensaver and waking up from suspend)? And if yes,
> which key would it be? Would it work when the dm is exwm? The section
> 3.4 Using security keys doesn't provide these info...
> 
> Thanks so much!
> 

I run a binary install on Debian 12 and so most of the magic is
probably on the Debian side more than on the Guix side. I can't
actually think of anything that was required from Guix Binary install
itself.

I struggled to get anything out of of the Yubikey Bio so I've fallen
back to a digitalPersonal 4500 for the time being. Not for all auth
(sudo, pkexec) and as "sufficient" as a convenience. It works alright.
It seems a bit picky about angle and pressure of finger. Perhaps its
tunable somehow? I've only been using it for a couple of days.

As of right now, I give the Bio a 0% and the 4500 a 65%. Could be
operator error.

Good luck. I was sorta of surprised at how limited the ecosystem was
for this kind of thing outside of fprintd.




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: security key for login
  2025-01-04 20:41 ` Fredrik Salomonsson
@ 2025-01-07 11:40   ` bp25
  0 siblings, 0 replies; 4+ messages in thread
From: bp25 @ 2025-01-07 11:40 UTC (permalink / raw)
  To: Fredrik Salomonsson; +Cc: help-guix

Thanks very much for your message. I can't understand from your
sentences whether you think something similar to your setup would work
for waking up from suspend?

> My setup is sway and swaylock for the screensaver.
Also, I don't use Wayland at the moment :S


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-01-08  8:14 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-02 15:57 security key for login BP25
2025-01-04 20:41 ` Fredrik Salomonsson
2025-01-07 11:40   ` bp25
2025-01-06 16:43 ` Thom Harmon via

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).