* [bug#64882] [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
2023-07-26 19:56 [bug#64882] [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application Maxim Cournoyer
@ 2023-07-27 18:04 ` John Kehayias via Guix-patches via
2023-07-27 19:25 ` Maxim Cournoyer
2023-08-08 14:47 ` [bug#64882] " Maxim Cournoyer
2023-08-08 14:50 ` [bug#64882] [PATCH v2] " Maxim Cournoyer
2 siblings, 1 reply; 7+ messages in thread
From: John Kehayias via Guix-patches via @ 2023-07-27 18:04 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 64882
Hi Maxim,
On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:
> * doc/guix-cookbook.texi (Using security keys)
> <Disabling OTP code generation for a Yubikey>: New subsection.
> ---
> doc/guix-cookbook.texi | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
> index 2e58c6c795..8f2cb2369e 100644
> --- a/doc/guix-cookbook.texi
> +++ b/doc/guix-cookbook.texi
> @@ -2022,6 +2022,18 @@ Using security keys
> ready to be used with applications supporting two-factor authentication
> (2FA).
>
> +@subsection Disabling OTP code generation for a Yubikey
> +@cindex disabling yubikey OTP
> +If you use a Yubikey security key and are irritated by the spurious OTP
> +codes it generates when inadvertently touching the key (e.g. causing you
> +to become a spammer in the @samp{#guix} channel when discussing from
> +your favorite IRC client!), you can disable it via the following
> +@command{ykman} command:
> +
> +@example
> +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
> +@end example
> +
> @node Connecting to Wireguard VPN
> @section Connecting to Wireguard VPN
>
>
> base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
I'm not necessarily against it, but this seems only related to yubikey
management in general (on Linux), rather than anything specific to Guix.
Of course, 'guix shell' is a handy way to do this, I just don't know if
this is needed in the cookbook. Then again, I guess the cookbook is a
way to build up associated knowledge for Guix, which won't be included
directly in the manual.
Otherwise, LGTM, but a user should be aware if they are using/needed OTP
before disabling it.
John
^ permalink raw reply [flat|nested] 7+ messages in thread
* [bug#64882] [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
2023-07-27 18:04 ` John Kehayias via Guix-patches via
@ 2023-07-27 19:25 ` Maxim Cournoyer
2023-07-27 19:47 ` John Kehayias via Guix-patches via
0 siblings, 1 reply; 7+ messages in thread
From: Maxim Cournoyer @ 2023-07-27 19:25 UTC (permalink / raw)
To: John Kehayias; +Cc: 64882
Hi John,
John Kehayias <john.kehayias@protonmail.com> writes:
> Hi Maxim,
>
> On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:
>
>> * doc/guix-cookbook.texi (Using security keys)
>> <Disabling OTP code generation for a Yubikey>: New subsection.
>> ---
>> doc/guix-cookbook.texi | 12 ++++++++++++
>> 1 file changed, 12 insertions(+)
>>
>> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
>> index 2e58c6c795..8f2cb2369e 100644
>> --- a/doc/guix-cookbook.texi
>> +++ b/doc/guix-cookbook.texi
>> @@ -2022,6 +2022,18 @@ Using security keys
>> ready to be used with applications supporting two-factor authentication
>> (2FA).
>>
>> +@subsection Disabling OTP code generation for a Yubikey
>> +@cindex disabling yubikey OTP
>> +If you use a Yubikey security key and are irritated by the spurious OTP
>> +codes it generates when inadvertently touching the key (e.g. causing you
>> +to become a spammer in the @samp{#guix} channel when discussing from
>> +your favorite IRC client!), you can disable it via the following
>> +@command{ykman} command:
>> +
>> +@example
>> +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
>> +@end example
>> +
>> @node Connecting to Wireguard VPN
>> @section Connecting to Wireguard VPN
>>
>>
>> base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
>
> I'm not necessarily against it, but this seems only related to yubikey
> management in general (on Linux), rather than anything specific to Guix.
> Of course, 'guix shell' is a handy way to do this, I just don't know if
> this is needed in the cookbook. Then again, I guess the cookbook is a
> way to build up associated knowledge for Guix, which won't be included
> directly in the manual.
You are right that it's not specifically related to Guix, but I expects
users going through setuping a Yubikey on Guix to want to know how to do
that (I spent months spamming #guix with OTP codes before Ricardo shared
that tip with me, so it was not easy to discover). The Cookbook as I
understand it is a loose collection of knowledge of how to do things
using Guix, and is distinct from the user manual.
> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
> before disabling it.
I'm not sure when OTP is useful; it's not useful for the current use
case I'm using my Yubikey (which is currently the two-factor
authentication on web sites).
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 7+ messages in thread
* [bug#64882] [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
2023-07-27 19:25 ` Maxim Cournoyer
@ 2023-07-27 19:47 ` John Kehayias via Guix-patches via
2023-08-17 4:05 ` bug#64882: " Maxim Cournoyer
0 siblings, 1 reply; 7+ messages in thread
From: John Kehayias via Guix-patches via @ 2023-07-27 19:47 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 64882
Hi Maxim,
On Thu, Jul 27, 2023 at 03:25 PM, Maxim Cournoyer wrote:
> Hi John,
>
> John Kehayias <john.kehayias@protonmail.com> writes:
>
>> I'm not necessarily against it, but this seems only related to yubikey
>> management in general (on Linux), rather than anything specific to Guix.
>> Of course, 'guix shell' is a handy way to do this, I just don't know if
>> this is needed in the cookbook. Then again, I guess the cookbook is a
>> way to build up associated knowledge for Guix, which won't be included
>> directly in the manual.
>
> You are right that it's not specifically related to Guix, but I expects
> users going through setuping a Yubikey on Guix to want to know how to do
> that (I spent months spamming #guix with OTP codes before Ricardo shared
> that tip with me, so it was not easy to discover). The Cookbook as I
> understand it is a loose collection of knowledge of how to do things
> using Guix, and is distinct from the user manual.
>
Sure. I'm not opposed, just wanted to make sure I was clear(ish) on
what goes in there. I'm all for collecting more information to help
out Guix users.
>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>> before disabling it.
>
> I'm not sure when OTP is useful; it's not useful for the current use
> case I'm using my Yubikey (which is currently the two-factor
> authentication on web sites).
I checked and I have OTP disabled on my Yubikey as well; I used 'ykman
info' to see. I use it as my smart card essentially (as the keys for
passwords, SSH, signing commits, etc.) as well as two-factor codes.
I found this <https://www.yubico.com/resources/glossary/yubico-otp/>
about OTP. If I remember now, it is a service that some sites will use
to use your Yubikey for authentication, as I think LastPass had
support for (I no longer use that). I think U2F is more ubiquitous and
used more now anyway. But it is enabled by default and I would guess
many people don't use it.
John
^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#64882: [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
2023-07-27 19:47 ` John Kehayias via Guix-patches via
@ 2023-08-17 4:05 ` Maxim Cournoyer
0 siblings, 0 replies; 7+ messages in thread
From: Maxim Cournoyer @ 2023-08-17 4:05 UTC (permalink / raw)
To: John Kehayias; +Cc: 64882-done
Hi!
John Kehayias <john.kehayias@protonmail.com> writes:
[...]
>>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>>> before disabling it.
>>
>> I'm not sure when OTP is useful; it's not useful for the current use
>> case I'm using my Yubikey (which is currently the two-factor
>> authentication on web sites).
>
> I checked and I have OTP disabled on my Yubikey as well; I used 'ykman
> info' to see. I use it as my smart card essentially (as the keys for
> passwords, SSH, signing commits, etc.) as well as two-factor codes.
>
> I found this <https://www.yubico.com/resources/glossary/yubico-otp/>
> about OTP. If I remember now, it is a service that some sites will use
> to use your Yubikey for authentication, as I think LastPass had
> support for (I no longer use that). I think U2F is more ubiquitous and
> used more now anyway. But it is enabled by default and I would guess
> many people don't use it.
The yubikey-manager-qt package has since been added, providing a GUI to
do the same, so I've expound the how-to with it, and installed the change.
Thanks for the review!
--
Maxim
^ permalink raw reply [flat|nested] 7+ messages in thread
* [bug#64882] [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
2023-07-26 19:56 [bug#64882] [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application Maxim Cournoyer
2023-07-27 18:04 ` John Kehayias via Guix-patches via
@ 2023-08-08 14:47 ` Maxim Cournoyer
2023-08-08 14:50 ` [bug#64882] [PATCH v2] " Maxim Cournoyer
2 siblings, 0 replies; 7+ messages in thread
From: Maxim Cournoyer @ 2023-08-08 14:47 UTC (permalink / raw)
To: 64882; +Cc: Maxim Cournoyer
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.
Series-to: 64882@debbugs.gnu.org
Series-version: 2
Series-changes: 2
- Mention alternative using the graphical yubikey-manager-qt application
---
doc/guix-cookbook.texi | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..4d85dee386 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,7 +21,7 @@
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
-Copyright @copyright{} 2022 Maxim Cournoyer@*
+Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
Copyright @copyright{} 2023 Ludovic Courtès
Permission is granted to copy, distribute and/or modify this document
@@ -2022,6 +2022,24 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
+Alternatively, you could use the @command{ykman-gui} command from the
+@code{yubikey-manager-qt} package and either wholly disable the
+@samp{OTP} application from the USB interface or, from the
+@samp{Applications -> OTP} view, delete the configuration of slot 1,
+which comes pre-configured with the Yubico OTP application.
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
base-commit: 782ef67a59f4b564f16101cf23c30a3777b3f734
--
2.41.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [bug#64882] [PATCH v2] doc: cookbook: Document how to disable the Yubikey OTP application.
2023-07-26 19:56 [bug#64882] [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application Maxim Cournoyer
2023-07-27 18:04 ` John Kehayias via Guix-patches via
2023-08-08 14:47 ` [bug#64882] " Maxim Cournoyer
@ 2023-08-08 14:50 ` Maxim Cournoyer
2 siblings, 0 replies; 7+ messages in thread
From: Maxim Cournoyer @ 2023-08-08 14:50 UTC (permalink / raw)
To: 64882; +Cc: john.kehayias, Maxim Cournoyer
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.
---
Changes in v2:
- Mention alternative using the graphical yubikey-manager-qt application
doc/guix-cookbook.texi | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..4d85dee386 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,7 +21,7 @@
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
-Copyright @copyright{} 2022 Maxim Cournoyer@*
+Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
Copyright @copyright{} 2023 Ludovic Courtès
Permission is granted to copy, distribute and/or modify this document
@@ -2022,6 +2022,24 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
+Alternatively, you could use the @command{ykman-gui} command from the
+@code{yubikey-manager-qt} package and either wholly disable the
+@samp{OTP} application from the USB interface or, from the
+@samp{Applications -> OTP} view, delete the configuration of slot 1,
+which comes pre-configured with the Yubico OTP application.
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
base-commit: 782ef67a59f4b564f16101cf23c30a3777b3f734
--
2.41.0
^ permalink raw reply related [flat|nested] 7+ messages in thread