|
| 1 | +--- |
| 2 | +title: YubiKey Support |
| 3 | +--- |
| 4 | + |
| 5 | +Ghaf provides integrated support for YubiKey devices, primarily for hardware-backed user authentication and session management. This enhances the security posture of the system by leveraging hardware-backed security keys. |
| 6 | + |
| 7 | +## Features |
| 8 | + |
| 9 | +- **Hardware-Backed User Authentication**: A YubiKey can be used as an alternative to a password for user authentication to unlock the system, utilizing the Universal 2nd Factor (U2F) protocol. |
| 10 | +- **Session Management**: Ghaf includes udev rules to automatically lock user sessions upon the removal of a configured YubiKey. |
| 11 | + |
| 12 | +## Supported YubiKey Models |
| 13 | + |
| 14 | +The current integration primarily targets YubiKey devices that support FIDO2/U2F protocols. Specifically, the udev rules are configured for YubiKeys with `idVendor=="1050"` and `idProduct=="0407"`. |
| 15 | + |
| 16 | + |
| 17 | +## Enabling YubiKey Support |
| 18 | + |
| 19 | +### Case 1: On a Fresh Ghaf Install |
| 20 | +To enable YubiKey support on a fresh installation of Ghaf, plug in the YubiKey before booting the Ghaf image for the first time. When the system boots, the user will be prompted to enter a username. After that, they will be prompted to enroll the YubiKey once the security token's presence is detected successfully. |
| 21 | + |
| 22 | +The user will see a message similar to the one below: |
| 23 | +```bash |
| 24 | +User <user-name> created successfully with the following details" |
| 25 | + User Name: <user-name> |
| 26 | + Display Name: <display-name> |
| 27 | + FIDO2 Device: Supported |
| 28 | +``` |
| 29 | +The `FIDO2 Device: Supported` message indicates that the YubiKey has been successfully enrolled with Ghaf and is ready for use. |
| 30 | +
|
| 31 | +### Case 2: On an Existing Ghaf System |
| 32 | +If you are already using Ghaf OS and want to enable YubiKey support, you must re-enroll your user. First, remove the existing user by running the following command in the `gui-vm`: |
| 33 | +```bash |
| 34 | +$ homectl remove <user-name> |
| 35 | +``` |
| 36 | +Then, reboot the system and follow the steps described in Case 1. |
| 37 | +
|
| 38 | +### YubiKey Module |
| 39 | + The YubiKey module provides the following services and configurations: |
| 40 | +
|
| 41 | +- It enables the `pcscd` service, a daemon for accessing smart cards and readers. |
| 42 | +- It installs the `pam_u2f` package, enabling PAM modules for U2F authentication. |
| 43 | +- It configures PAM for `sudo` and `gtklock` to use U2F. |
| 44 | +- It adds udev rules to recognize YubiKey devices and manage sessions (e.g., locking the session on YubiKey removal). |
| 45 | +
|
| 46 | +### Screen Locker |
| 47 | +
|
| 48 | +If you unplug the YubiKey while the screen is unlocked, the configured udev rules will automatically lock the user sessions for security. |
| 49 | +
|
| 50 | +## How to Generate a Per-User U2F Configuration |
| 51 | +To generate a per-user U2F configuration, run the following command in the `gui-vm`: |
| 52 | +```bash |
| 53 | +$ pamu2fcfg |
| 54 | +``` |
| 55 | +This command will output the U2F configuration, a combination of a public key and a key handle. |
| 56 | +
|
| 57 | +## Known Issues and Limitations |
| 58 | +
|
| 59 | +- YubiKey support in Ghaf is currently limited to the `gui-vm`. |
| 60 | +- The YubiKey must be configured during the initial user creation process. |
| 61 | +- Support is currently limited to a specific range of YubiKey devices. |
| 62 | +
|
| 63 | +## References |
| 64 | +- https://www.yubico.com/products/ |
| 65 | +- https://support.yubico.com/s/article/YubiKey-USB-ID-values |
| 66 | +- https://developers.yubico.com/pam-u2f |
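Review bot: line 14 pins the udev match to a single `idProduct=="0407"`, so a YubiKey whose enabled USB interfaces differ (the Yubico USB-ID article referenced on line 64 lists a separate product ID per interface combination) will not be matched, and the lock-on-removal behaviour promised on lines 10 and 48 will silently not fire for it; say that explicitly under Known Issues (line 61 is too vague to warn a user) or match on the other FIDO-capable product IDs as well. Line 32 should warn that `homectl remove <user-name>` also deletes that user's home directory, so data must be backed up before re-enrolling. Line 53 shows how to generate the `pamu2fcfg` string but not where `pam_u2f` reads it from; add the destination file (the pam-u2f project referenced on line 66 documents `~/.config/Yubico/u2f_keys` as the default) and that it should be readable and writable only by that user. Minor: line 24 has a stray trailing `"` after `details`, and line 39 has a leading space before the paragraph text.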