~abcdw/rde-discuss

OpenPGP Smart Card

Message ID: <87h6ohpy3l.fsf@posteo.net>

Hi,

I am currently trying to setup a security token (nitrokey 3) with
OpenPGP capabilities on rde system. When trying to run gpg --card-status
or gpg --edit-card it fails with output: "gpg: selecting card failed: No
such device". Feature-gnupg and feature-security-token are part of my
system. I already tried to restart pcscd service and to add ccid
package as firmware. Has anyone tried to accomplish something similar with greater
success? 

-- 
Best regards,
Peter
Message ID: <875y4xcbfb.fsf@trop.in>
In-Reply-To: <87h6ohpy3l.fsf@posteo.net>

On 2023-08-29 17:17, Peter Kannewitz wrote:

> Hi,
>
> I am currently trying to setup a security token (nitrokey 3) with
> OpenPGP capabilities on rde system. When trying to run gpg --card-status
> or gpg --edit-card it fails with output: "gpg: selecting card failed: No
> such device". Feature-gnupg and feature-security-token are part of my
> system. I already tried to restart pcscd service and to add ccid
> package as firmware. Has anyone tried to accomplish something similar with greater
> success? 

Hi Peter,

I use yubikey 5C Nano with rde.  I don't remember exact steps I
performed, but I used the following very extensive guide:
https://github.com/drduh/YubiKey-Guide

Document all the steps during configuration and share them, please.

Probably, in a few months I'll be migrating to a new laptop and will
document this process as well, but if you make it earlier it would be
great.

-- 
Best regards,
Andrew Tropin
Message ID: <87ledllo7v.fsf@posteo.net>
In-Reply-To: <875y4xcbfb.fsf@trop.in>

> Hi Peter,
Hi Andrew,

> I use yubikey 5C Nano with rde.  I don't remember exact steps I
> performed, but I used the following very extensive guide:
> https://github.com/drduh/YubiKey-Guide

Thank you for the reference. I followed a similar but less extensive
guide: https://docs.nitrokey.com/nitrokey3/linux/openpgp-keygen-backup. 

> Document all the steps during configuration and share them, please.

I exactly followed the steps of the guide and got it working now. Also
the problem I faced was specific to my key. After taking a second look
at /etc/udev/rules.d/70-u2f.rules I found that the exact key was missing
even though the vendor was present with some keys. Therefore I added the
udev rules provided by libnitrokey to my system config with this commit:
https://git.sr.ht/~etropr/guixrc/commit/a02596700ac80ce97c25d0caab7aa042bdb28776
and can now access my card. WebAuthn was already working without the udev rules.

Where would you want to place such a write up, in rde manual? Would be
happy to contribute, but I am not quite sure since I did nothing
special but adding some rules and following the guide step by step.

> Probably, in a few months I'll be migrating to a new laptop and will
> document this process as well, but if you make it earlier it would be
> great.

Following up on the topic I still have two things I would like to
integrate in my rde setup:

1. User authentication with pam-u2f:

Therefore I already found a promising feature in rsauex config on GitHub 
(https://github.com/rsauex/dotfiles/blob/77e405cda4277e282725108528874b6d9ebee968/rsauex/services/pam-u2f.scm).
Maybe this would also be interesting for feature security-token?

2. Unlocking encrypted LUKS volume with hardware security token.

This seems even harder, because the only reference I found relies
heavily on systemd-cryptsetup, which I did not find an alternative
shepherd version of.
(https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html)

-- 
Best regards,
Peter Kannewitz
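The failure Peter describes (vendor present in 70-u2f.rules, but not the exact product id) is easy to miss by eye. The following diagnostic is an added example, not code from the thread or from libnitrokey: it checks every "vendor:product" pair in a device list against a udev rules file and prints the ones no rule matches. The rules file, the device list and all vendor/product ids in them are constructed placeholders; in practice you would point it at /etc/udev/rules.d/70-u2f.rules and the ids reported by lsusb.

```shell
# Does any non-comment rule in file $1 match vendor $2 and product $3?
# A rule that names idVendor but no idProduct covers every product of
# that vendor.  Exit status 0 = covered, 1 = not covered.
rule_covers_device() {
  awk -v v="$2" -v p="$3" '
    /^[ \t]*#/ { next }                       # skip comment lines
    {
      line = tolower($0)                       # udev keys/values are case-mixed
      if (index(line, "idvendor}==\"" tolower(v) "\"")) {
        if (index(line, "idproduct") == 0 ||
            index(line, "idproduct}==\"" tolower(p) "\"")) { found = 1; exit }
      }
    }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# Print each "vendor:product" from device list $2 that no rule in $1 covers.
list_uncovered() {
  while IFS=' ' read -r id _name; do
    vendor=${id%%:*}; product=${id#*:}
    rule_covers_device "$1" "$vendor" "$product" || echo "$id"
  done < "$2"
}

# Constructed sample rules file: one vendor with two explicit products,
# a second vendor matched as a whole.  All ids are made-up placeholders.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# sample rules in the style of 70-u2f.rules
SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", TAG+="uaccess"
SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", TAG+="uaccess"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"
EOF

# Constructed device list in "vendor:product name" form (as one might
# derive from lsusb output).
DEVICES=$(mktemp)
cat > "$DEVICES" <<'EOF'
20a0:4108 token-a
20a0:42b2 token-b
1050:0407 token-c
EOF

list_uncovered "$RULES" "$DEVICES"   # prints: 20a0:42b2
```

Only token-b is reported: its vendor appears in the rules file, but no rule names that product and no vendor-wide rule exists for it, which is exactly the gap that makes gpg report "No such device" while other tokens of the same vendor work.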
Message ID: <877cp50z47.fsf@trop.in>
In-Reply-To: <87ledllo7v.fsf@posteo.net>

On 2023-09-04 19:42, Peter Kannewitz wrote:

>> Hi Peter,
> Hi Andrew,
>
>> I use yubikey 5C Nano with rde.  I don't remember exact steps I
>> performed, but I used the following very extensive guide:
>> https://github.com/drduh/YubiKey-Guide
>
> Thank you for the reference. I followed a similar but less extensive
> guide: https://docs.nitrokey.com/nitrokey3/linux/openpgp-keygen-backup. 
>
>> Document all the steps during configuration and share them, please.
>
> I exactly followed the steps of the guide and got it working now. Also
> the problem I faced was specific to my key. After taking a second look
> at /etc/udev/rules.d/70-u2f.rules I found that the exact key was missing
> even though the vendor was present with some keys. Therefore I added the
> udev rules provided by libnitrokey to my system config with this commit:
> https://git.sr.ht/~etropr/guixrc/commit/a02596700ac80ce97c25d0caab7aa042bdb28776
> and can now access my card. WebAuthn was already working without the udev rules.
>
> Where would you want to place such a write up, in rde manual? Would be
> happy to contribute, but I am not quite sure since I did nothing
> special but adding some rules and following the guide step by step.

Maybe even in guix manual, but rde manual will work too, somewhere in
the features chapter.

>
>> Probably, in a few months I'll be migrating to a new laptop and will
>> document this process as well, but if you make it earlier it would be
>> great.
>
> Following up on the topic I still have two things I would like to
> integrate in my rde setup:
>
> 1. User authentication with pam-u2f:
>
> Therefore I already found a promising feature in rsauex config on GitHub 
> (https://github.com/rsauex/dotfiles/blob/77e405cda4277e282725108528874b6d9ebee968/rsauex/services/pam-u2f.scm).
> Maybe this would also be interesting for feature security-token?

Yes, looks like a good match.

>
> 2. Unlocking encrypted LUKS volume with hardware security token.
>
> This seems even harder, because the only reference I found relies
> heavily on systemd-cryptsetup, which I did not find an alternative
> shepherd version of.
> (https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html)

This is a tricky topic, AFAIR there was some related work on
guix-devel/guix-patches: https://yhetil.org/guix/

-- 
Best regards,
Andrew Tropin