doc: Add a security keys section to the cookbook.

* doc/guix-cookbook.texi (Top): Register new menu.
(System Configuration): Likewise.
(Using security keys): New section.
Maxim Cournoyer 2022-11-21 14:49:04 -05:00
parent 5eb2995c00
commit d524ec6fb5
GPG Key ID: 1260E46482E63562


@ -21,6 +21,7 @@ Copyright @copyright{} 2020 Brice Waegeneire@*
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
Copyright @copyright{} 2022 Maxim Cournoyer*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
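Review bot: the added line `Copyright @copyright{} 2022 Maxim Cournoyer*` is missing the `@` of the `@*` forced line break that every neighbouring copyright line ends with; as written Texinfo prints a literal asterisk and does not break the line, so it should read `Copyright @copyright{} 2022 Maxim Cournoyer@*`.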
@ -95,6 +96,7 @@ System Configuration
* Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY
* Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System.
* Guix System Image API:: Customizing images to target specific platforms.
* Using security keys:: How to use security keys with Guix System.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
* Running Guix on a Linode Server:: Running Guix on a Linode Server. Running Guix on a Linode Server
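Review bot: the new entry `* Using security keys::` is the only one in this menu written in sentence case; its siblings (`Customizing the Kernel`, `Guix System Image API`, `Connecting to Wireguard VPN`) use title case. Suggest `* Using Security Keys:: How to use security keys with Guix System.`, with the same spelling applied to the duplicate menu under System Configuration and to the `@node` and `@section` lines, since Texinfo node names must match the menu entries exactly.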
@ -1380,6 +1382,7 @@ reference.
* Auto-Login to a Specific TTY:: Automatically Login a User to a Specific TTY
* Customizing the Kernel:: Creating and using a custom Linux kernel on Guix System.
* Guix System Image API:: Customizing images to target specific platforms.
* Using security keys:: How to use security keys with Guix System.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
* Running Guix on a Linode Server:: Running Guix on a Linode Server
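Review bot: this entry has to stay byte-identical to the one added to the Top menu above and to the `@node Using security keys` line, because node lookups are case sensitive; if the capitalization is changed in one place to match the other entries, change all three together or makeinfo will report an undefined node reference.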
@ -1883,6 +1886,65 @@ guix system image --image-type=hurd-qcow2 my-hurd-os.scm
will instead produce a Hurd QEMU image.
@node Using security keys
@section Using security keys
@cindex 2FA, two-factor authentication
@cindex U2F, Universal 2nd Factor
@cindex security key, configuration
The use of security keys can improve your security by providing a second
authentication source that cannot be easily stolen or copied, at least
for a remote adversary (something that you have), to the main secret (a
passphrase -- something that you know), reducing the risk of
impersonation.
The example configuration detailed below showcases what minimal
configuration needs to be made on your Guix System to allow the use of a
Yubico security key. It is hoped the configuration can be useful for
other security keys as well, with minor adjustments.
@subsection Configuration for use as a two-factor authenticator (2FA)
To be usable, the udev rules of the system should be extended with
key-specific rules. The following shows how to extend your udev rules
with the @file{lib/udev/rules.d/70-u2f.rules} udev rule file provided by
the @code{libfido2} package from the @code{(gnu packages
security-token)} module and add your user to the @samp{"plugdev"} group
it uses:
@lisp
(use-package-modules ... security-token ...)
...
(operating-system
...
(users (cons* (user-account
(name "your-user")
(group "users")
(supplementary-groups
'("wheel" "netdev" "audio" "video"
"plugdev")) ;<- added system group
(home-directory "/home/your-user"))
%base-user-accounts))
...
(services
(cons*
...
(udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
@end lisp
After re-configuring your system and re-logging in your graphical
session so that the new group is in effect for your user, you can verify
that your key is usable by launching:
@example
guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
@end example
and validating that the security key can be reset via the ``Reset your
security key'' menu. If it works, congratulations, your security key is
ready to be used with applications supporting two-factor authentication
(2FA).
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
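Review bot: the verification step tells the reader to open `chrome://settings/securityKeys` and validate that the key "can be reset", but completing that dialog erases every credential stored on the key; the text should say to confirm only that the key is detected and then cancel, or better, verify from the command line with the package the udev rule already comes from, e.g. `guix shell libfido2 -- fido2-token -L`, which lists the devices the user can open without pulling in a browser and proves the group membership and udev rule took effect. Two smaller points in the same hunk: `@samp{"plugdev"}` renders with doubled quotes because `@samp` already quotes its argument (`@code{plugdev}` matches the rest of the cookbook), and the subsection title promises a 2FA configuration while the body only enables device access, so a sentence saying that login-time use (PAM) is out of scope would set expectations.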