[PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.

  • Done
Details
2 participants
  • John Kehayias
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal
Maxim Cournoyer wrote on 26 Jul 2023 21:56
5de34b432e5a0fe9cb3728184e6f7a9dd2f38eaf.1690401404.git.maxim.cournoyer@gmail.com
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.
---
doc/guix-cookbook.texi | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..8f2cb2369e 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2022,6 +2022,18 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
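
Review bot: The `@example` command passes `--force`, which makes ykman apply the change without asking for confirmation, and the new subsection gives the reader no way to inspect the current state first or to reverse the change afterwards. Suggest adding a sentence saying that `ykman info` shows which applications are enabled and that the same command with `--enable OTP` turns it back on, or dropping `--force` so the tool prompts.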

base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
--
2.41.0
John Kehayias wrote on 27 Jul 2023 20:04
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 64882@debbugs.gnu.org)
87ila5i63v.fsf@protonmail.com
Hi Maxim,

On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:

> * doc/guix-cookbook.texi (Using security keys)
> <Disabling OTP code generation for a Yubikey>: New subsection.
> ---
> doc/guix-cookbook.texi | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
> index 2e58c6c795..8f2cb2369e 100644
> --- a/doc/guix-cookbook.texi
> +++ b/doc/guix-cookbook.texi
> @@ -2022,6 +2022,18 @@ Using security keys
> ready to be used with applications supporting two-factor authentication
> (2FA).
>
> +@subsection Disabling OTP code generation for a Yubikey
> +@cindex disabling yubikey OTP
> +If you use a Yubikey security key and are irritated by the spurious OTP
> +codes it generates when inadvertently touching the key (e.g. causing you
> +to become a spammer in the @samp{#guix} channel when discussing from
> +your favorite IRC client!), you can disable it via the following
> +@command{ykman} command:
> +
> +@example
> +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
> +@end example
> +
> @node Connecting to Wireguard VPN
> @section Connecting to Wireguard VPN
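
Review bot: The `@cindex` entry reads `disabling yubikey OTP` with a lowercase product name, while the heading and paragraph write `Yubikey`; index entries are easier to find when they match the spelling used in the text. Suggest `@cindex disabling Yubikey OTP`, plus a second entry such as `@cindex Yubikey, disabling OTP` so the tip is reachable from the product name as well.
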
>
>
> base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47

I'm not necessarily against it, but this seems only related to yubikey
management in general (on Linux), rather than anything specific to Guix.
Of course, 'guix shell' is a handy way to do this, I just don't know if
this is needed in the cookbook. Then again, I guess the cookbook is a
way to build up associated knowledge for Guix, which won't be included
directly in the manual.

Otherwise, LGTM, but a user should be aware if they are using/needed OTP
before disabling it.

John
Maxim Cournoyer wrote on 27 Jul 2023 21:25
(name . John Kehayias)(address . john.kehayias@protonmail.com)(address . 64882@debbugs.gnu.org)
87mszhxikq.fsf@gmail.com
Hi John,

John Kehayias <john.kehayias@protonmail.com> writes:

> Hi Maxim,
>
> On Wed, Jul 26, 2023 at 03:56 PM, Maxim Cournoyer wrote:
>
>> * doc/guix-cookbook.texi (Using security keys)
>> <Disabling OTP code generation for a Yubikey>: New subsection.
>> ---
>> doc/guix-cookbook.texi | 12 ++++++++++++
>> 1 file changed, 12 insertions(+)
>>
>> diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
>> index 2e58c6c795..8f2cb2369e 100644
>> --- a/doc/guix-cookbook.texi
>> +++ b/doc/guix-cookbook.texi
>> @@ -2022,6 +2022,18 @@ Using security keys
>> ready to be used with applications supporting two-factor authentication
>> (2FA).
>>
>> +@subsection Disabling OTP code generation for a Yubikey
>> +@cindex disabling yubikey OTP
>> +If you use a Yubikey security key and are irritated by the spurious OTP
>> +codes it generates when inadvertently touching the key (e.g. causing you
>> +to become a spammer in the @samp{#guix} channel when discussing from
>> +your favorite IRC client!), you can disable it via the following
>> +@command{ykman} command:
>> +
>> +@example
>> +guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
>> +@end example
>> +
>> @node Connecting to Wireguard VPN
>> @section Connecting to Wireguard VPN
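
Review bot: The new paragraph uses `OTP` without ever expanding it, whereas the context line just above it spells out `two-factor authentication (2FA)`. Suggest writing `one-time password (OTP)` on first use in the subsection so a reader can tell this setting apart from the 2FA setup described before it.
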
>>
>>
>> base-commit: c7e45139faa27b60f2c7d0a4bc140f9793d97d47
>
> I'm not necessarily against it, but this seems only related to yubikey
> management in general (on Linux), rather than anything specific to Guix.
> Of course, 'guix shell' is a handy way to do this, I just don't know if
> this is needed in the cookbook. Then again, I guess the cookbook is a
> way to build up associated knowledge for Guix, which won't be included
> directly in the manual.

You are right that it's not specifically related to Guix, but I expect
users going through setting up a Yubikey on Guix to want to know how to do
that (I spent months spamming #guix with OTP codes before Ricardo shared
that tip with me, so it was not easy to discover). The Cookbook as I
understand it is a loose collection of knowledge of how to do things
using Guix, and is distinct from the user manual.

> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
> before disabling it.

I'm not sure when OTP is useful; it's not useful for the current use
case I'm using my Yubikey (which is currently the two-factor
authentication on web sites).

--
Thanks,
Maxim
John Kehayias wrote on 27 Jul 2023 21:47
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 64882@debbugs.gnu.org)
87h6ppi1c6.fsf@protonmail.com
Hi Maxim,

On Thu, Jul 27, 2023 at 03:25 PM, Maxim Cournoyer wrote:

> Hi John,
>
> John Kehayias <john.kehayias@protonmail.com> writes:
>
>> I'm not necessarily against it, but this seems only related to yubikey
>> management in general (on Linux), rather than anything specific to Guix.
>> Of course, 'guix shell' is a handy way to do this, I just don't know if
>> this is needed in the cookbook. Then again, I guess the cookbook is a
>> way to build up associated knowledge for Guix, which won't be included
>> directly in the manual.
>
> You are right that it's not specifically related to Guix, but I expect
> users going through setting up a Yubikey on Guix to want to know how to do
> that (I spent months spamming #guix with OTP codes before Ricardo shared
> that tip with me, so it was not easy to discover). The Cookbook as I
> understand it is a loose collection of knowledge of how to do things
> using Guix, and is distinct from the user manual.
>

Sure. I'm not opposed, just wanted to make sure I was clear(ish) on
what goes in there. I'm all for collecting more information to help
out Guix users.

>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>> before disabling it.
>
> I'm not sure when OTP is useful; it's not useful for the current use
> case I'm using my Yubikey (which is currently the two-factor
> authentication on web sites).

I checked and I have OTP disabled on my Yubikey as well; I used 'ykman
info' to see. I use it as my smart card essentially (as the keys for
passwords, SSH, signing commits, etc.) as well as two-factor codes.

I found this <https://www.yubico.com/resources/glossary/yubico-otp/>
about OTP. If I remember now, it is a service that some sites will use
to use your Yubikey for authentication, as I think LastPass had
support for (I no longer use that). I think U2F is more ubiquitous and
used more now anyway. But it is enabled by default and I would guess
many people don't use it.

John
Maxim Cournoyer wrote on 8 Aug 2023 16:47
[PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
(address . 64882@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
910f04641befc692ff94aff69cdd200193c69fd1.1691506052.git.maxim.cournoyer@gmail.com
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.

Series-to: 64882@debbugs.gnu.org
Series-version: 2
Series-changes: 2
- Mention alternative using the graphical yubikey-manager-qt application
---
doc/guix-cookbook.texi | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..4d85dee386 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,7 +21,7 @@
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
-Copyright @copyright{} 2022 Maxim Cournoyer@*
+Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
Copyright @copyright{} 2023 Ludovic Courtès
Permission is granted to copy, distribute and/or modify this document
@@ -2022,6 +2022,24 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
+Alternatively, you could use the @command{ykman-gui} command from the
+@code{yubikey-manager-qt} package and either wholly disable the
+@samp{OTP} application from the USB interface or, from the
+@samp{Applications -> OTP} view, delete the configuration of slot 1,
+which comes pre-configured with the Yubico OTP application.
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
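
Review bot: The added `Alternatively` paragraph presents two GUI actions as interchangeable, but they differ in effect: disabling the `OTP` application on the USB interface is a setting that can be switched back on, while `delete the configuration of slot 1` discards the credential the text says comes pre-configured. Suggest recommending the interface toggle and stating that deleting the slot is permanent. `Yubico OTP application` for the slot content would also read better as `Yubico OTP credential`, since `application` is already used for the thing being disabled.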

base-commit: 782ef67a59f4b564f16101cf23c30a3777b3f734
--
2.41.0
Maxim Cournoyer wrote on 8 Aug 2023 16:50
[PATCH v2] doc: cookbook: Document how to disable the Yubikey OTP application.
(address . 64882@debbugs.gnu.org)
398929120819ad8639468de1c73835bb9af470ef.1691506232.git.maxim.cournoyer@gmail.com
* doc/guix-cookbook.texi (Using security keys)
<Disabling OTP code generation for a Yubikey>: New subsection.

---

Changes in v2:
- Mention alternative using the graphical yubikey-manager-qt application

doc/guix-cookbook.texi | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 2e58c6c795..4d85dee386 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -21,7 +21,7 @@
Copyright @copyright{} 2020 André Batista@*
Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
-Copyright @copyright{} 2022 Maxim Cournoyer@*
+Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
Copyright @copyright{} 2023 Ludovic Courtès
Permission is granted to copy, distribute and/or modify this document
@@ -2022,6 +2022,24 @@ Using security keys
ready to be used with applications supporting two-factor authentication
(2FA).
+@subsection Disabling OTP code generation for a Yubikey
+@cindex disabling yubikey OTP
+If you use a Yubikey security key and are irritated by the spurious OTP
+codes it generates when inadvertently touching the key (e.g. causing you
+to become a spammer in the @samp{#guix} channel when discussing from
+your favorite IRC client!), you can disable it via the following
+@command{ykman} command:
+
+@example
+guix shell python-yubikey-manager -- ykman config usb --force --disable OTP
+@end example
+
+Alternatively, you could use the @command{ykman-gui} command from the
+@code{yubikey-manager-qt} package and either wholly disable the
+@samp{OTP} application from the USB interface or, from the
+@samp{Applications -> OTP} view, delete the configuration of slot 1,
+which comes pre-configured with the Yubico OTP application.
+
@node Connecting to Wireguard VPN
@section Connecting to Wireguard VPN
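
Review bot: This version still describes the OTP output only as a nuisance; the subsection has no sentence telling readers to check whether any of their accounts rely on it before running the command, which was the one caveat raised in review. Suggest a short sentence before the `@example` along those lines.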

base-commit: 782ef67a59f4b564f16101cf23c30a3777b3f734
--
2.41.0
Maxim Cournoyer wrote on 17 Aug 2023 06:05
Re: bug#64882: [PATCH] doc: cookbook: Document how to disable the Yubikey OTP application.
(name . John Kehayias)(address . john.kehayias@protonmail.com)(address . 64882-done@debbugs.gnu.org)
87edk2gvp8.fsf@gmail.com
Hi!

John Kehayias <john.kehayias@protonmail.com> writes:

[...]

>>> Otherwise, LGTM, but a user should be aware if they are using/needed OTP
>>> before disabling it.
>>
>> I'm not sure when OTP is useful; it's not useful for the current use
>> case I'm using my Yubikey (which is currently the two-factor
>> authentication on web sites).
>
> I checked and I have OTP disabled on my Yubikey as well; I used 'ykman
> info' to see. I use it as my smart card essentially (as the keys for
> passwords, SSH, signing commits, etc.) as well as two-factor codes.
>
> I found this <https://www.yubico.com/resources/glossary/yubico-otp/>
> about OTP. If I remember now, it is a service that some sites will use
> to use your Yubikey for authentication, as I think LastPass had
> support for (I no longer use that). I think U2F is more ubiquitous and
> used more now anyway. But it is enabled by default and I would guess
> many people don't use it.

The yubikey-manager-qt package has since been added, providing a GUI to
do the same, so I've expounded the how-to with it, and installed the change.

Thanks for the review!

--
Maxim
Closed
This issue is archived.
