Přeskočit na hlavní obsah

sick of passwords

Zdroj

Štítky:

So I bought a nitrokey... And ended up in the middle of another Archlinux ricing session.

Why not Yubikey

While researching which hardware token to pick, the Archlinux Wiki page on YubiKey talks about some more recent design decisions of Yubico to use proprietary sourcecode on some of their products, rendering them unable to share their source by extension. I'm not a hardcore FOSS-only user, but if there exists an alternative to Yubico that's more aligned with the movement, I'll go with that. Especially if it's more local, which Nitrokey is. That being said, I'm not certain that Nitrokey doesn't make similar design decisions for some of their products as well.

Use cases

For this project I chose to isolate some use cases that I wanted to solve for, instead of what I normally do:

  1. purposelessly mashing keys

  2. ???

  3. giving up

  4. crying

Turns out there's a reason people do this and I've been missing out. It's not too bad working for an established R&D company, you learn some new things, in exchange for a small aneurysm. Haha, joking of course.. Unless..?

Here are the use cases I came up with:

  1. Authenticating into password store (pass/keepassxc)

  2. Alternative to a password for authenticating into the computer and sudo

  3. (2.1) Replacing the password altogether

  4. Sign commits and more, encrypt email with OpenPGP

  5. Authenticate via SSH (VPS, server on LAN) or authenticate into SSH key before each use

  6. 2FA on google, protonmail, github, mojeID (Czech service for auth into government websites and some banks)

In this post I'll only talk about the first two points.

1. Authenticating into password store (keepassxc/pass)

This one was supposed to be easy, as keepassxc is explicitly tested with Nitrokey. Sadly the guide nor the purported fixes did not work for me. I chose to instead go with storing the database password on the nitrokey and copying it to clipboard. After some trial and error, this is what I came up with:

$ cat ~/.zshrc
...
function nitropass() {
     PASSES=$(nitropy nk3 secrets list 2>/dev/null)
     if [ $? -ne 0 ]
     then
             echo "Nitropy failed, is nitrokey plugged in?"
             return 1
     fi
     # List passwords only
     # It is expected that the password entry names do not contain whitespace
     select item in $(printf $PASSES | grep -v "HmacSlot2" | awk '{print $2}')
     do
             nitropy nk3 secrets get-password "$item" 2>/dev/null | grep password | awk '{printf $3}' | xclip -i -sel clip
             break
     done
}
alias np='nitropass'
...

After writing this part, I noticed the "windows" string in the URL of the guide.. I guess it's only tested with Windows..?

2. Alternative to a password for authenticating into the computer and sudo

As I don't have a spare Nitrokey yet, I will only use it as an alternative for now..

The archlinux guide in this case worked, but I came across two issues.. One was that I wasn't using light-locker or something similar, so the lockscreen was completely useless up until now and could be bypassed by a CTRL+ALT+f7 combination.. The other issue is that LightDM asks me to click "Unlock" after I authenticate. That's two clicks.. Totally unacceptable. I chose to experiment with other software, as LightDM is unnecessarily heavy for my taste anyway.

I first went with the modern lemurs, but that doesn't seem to support passwordless auth yet. ly works perfect.

Here are the steps:

$ sudo pacman -S pam-u2f
$ pamu2fcfg > ~/.config/Nitrokey/u2f_keys
$ sudo mv ~/.config/Nitrokey/u2f_keys /etc/Nitrokey/
$ # Add pam_u2f.so to PAM config (distro specific)
$ cat /etc/pam.d/sudo
#%PAM-1.0
auth         sufficient      pam_u2f.so           authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok
auth         include         system-auth
...

$ cat /etc/pam.d/system-auth
#%PAM-1.0
auth       requisite                   pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       sufficient                  pam_u2f.so           authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
...

Conclusion

I probably spent more time on this than it's going to save me, and I'm not even done yet. It was fun though, and I'm happy with the results so far.

I'll probably make a second post when my spare Nitrokey arrives, but don't expect it anytime soon - turns out they've been sold out.

P.S: This post wouldn't exist if I didn't document my progress in a file. I was inspired to do that thanks to this blog post by Charles Féval, featured on hacker news. Molding this file into a coherent post is a minor task, especially if you're a vim user.