[PATCH 0/2] cookbook: Document the configuration of a Yubikey with KeePassXC

Status: Done
Participants: Maxim Cournoyer
Owner: unassigned
Submitted by: Maxim Cournoyer
Severity: normal
Maxim Cournoyer wrote on 17 Aug 2023 16:37
cover.1692282998.git.maxim.cournoyer@gmail.com
Maxim Cournoyer (2):
gnu: yubikey-personalization: Mention udev rules file in description.
doc: cookbook: Document the configuration of a Yubikey with KeePassXC.

doc/guix-cookbook.texi | 44 +++++++++++++++++++++++++++++++++
gnu/packages/security-token.scm | 5 +++-
2 files changed, 48 insertions(+), 1 deletion(-)


base-commit: e80e082be1a85ca3ff17797ceda4e2346ea77b38
--
2.41.0
Maxim Cournoyer wrote on 17 Aug 2023 16:42
[PATCH 1/2] gnu: yubikey-personalization: Mention udev rules file in description.
(address . 65354@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
7fb2ab34337fa470c23e6d1a8ddeed8e2fa98b61.1692283338.git.maxim.cournoyer@gmail.com
* gnu/packages/security-token.scm (yubikey-personalization)
[description]: Expound with information regarding the udev rules file the
package contains.
---

gnu/packages/security-token.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 3a0ed245ad..babc10aa7d 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -460,7 +460,10 @@ (define-public yubikey-personalization
(description
"The YubiKey Personalization package contains a C library and command
line tools for personalizing YubiKeys. You can use these to set an AES key,
-retrieve a YubiKey's serial number, and so forth.")
+retrieve a YubiKey's serial number, and so forth. It also provides the
+@file{69-yubikey.rules} udev rules file, which allows console users to access
+the Yubikey USB device node, which is needed for the challenge/response
+@acronym{OTP, One-Time Password} application used by KeePassXC, for example.")
(license license:bsd-2)))
(define-public python-pyscard
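
Review bot: The added description line "the Yubikey USB device node" spells the product name differently from the "YubiKey" used elsewhere in the same string ("YubiKey Personalization", "personalizing YubiKeys", "a YubiKey's serial number"); use "YubiKey" here too. The new sentence also chains two "which" clauses ("which allows console users ..., which is needed for ..."), leaving it ambiguous whether the rules file or the device node access is what the challenge/response application needs. Consider splitting it into two sentences, for example ending the first at "device node" and starting the next with "This access is needed for the challenge/response ...".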

base-commit: e80e082be1a85ca3ff17797ceda4e2346ea77b38
--
2.41.0
Maxim Cournoyer wrote on 17 Aug 2023 16:42
[PATCH 2/2] doc: cookbook: Document the configuration of a Yubikey with KeePassXC.
(address . 65354@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
5704de4654bb878f397c2435473a8ec58b268108.1692283338.git.maxim.cournoyer@gmail.com
* doc/guix-cookbook.texi (Using security keys)
[Requiring a Yubikey to open a KeePassXC database]: New subsection.

---

doc/guix-cookbook.texi | 44 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 87430b741a..e5ed707450 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2152,6 +2152,50 @@ Using security keys
@samp{Applications -> OTP} view, delete the slot 1 configuration, which
comes pre-configured with the Yubico OTP application.
+@subsection Requiring a Yubikey to open a KeePassXC database
+@cindex yubikey, keepassxc integration
+The KeePassXC password manager application has support for Yubikeys, but
+it requires installing a udev rules for your Guix System and some
+configuration of the Yubico OTP application on the key.
+
+The necessary udev rules file comes from the
+@code{yubikey-personalization} package, and can be installed like:
+
+@lisp
+(use-package-modules ... security-token ...)
+...
+(operating-system
+ ...
+ (services
+ (cons*
+ ...
+ (udev-rules-service 'yubikey yubikey-personalization))))
+@end lisp
+
+After reconfiguring your system (and reconnecting your Yubikey), you'll
+then want to configure the OTP challenge/response application of your
+Yubikey on its slot 2, which is what KeePassXC uses. It's easy to do so
+via the Yubikey Manager configuration tool, which can be invoked with:
+
+@example
+guix shell yubikey-manager-qt -- ykman-gui
+@end example
+
+First, ensure @samp{OTP} is enabled under the @samp{Interfaces} tab,
+then navigate to @samp{Applications -> OTP}, and click the
+@samp{Configure} button under the @samp{Long Touch (Slot 2)} section.
+Select @samp{Challenge-response}, input or generate a secret key, and
+click the @samp{Finish} button. If you have a second Yubikey you'd like
+to use as a backup, you should configure it the same way, using the
+@emph{same} secret key.
+
+Your Yubikey should now be detected by KeePassXC. It can be added to a
+database by navigating to KeePassXC's @samp{Database -> Database
+Security...} menu, then clicking the @samp{Add additional
+protection...} button, then @samp{Add Challenge-Response}, selecting the
+security key from the drop-down menu and clicking the @samp{OK} button
+to complete the setup.
+
@node Dynamic DNS mcron job
@section Dynamic DNS mcron job
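
Review bot: In the @lisp example, "(udev-rules-service 'yubikey yubikey-personalization)" is the last argument to "cons*", which is the position of the tail list, so a reader who copies the form literally ends up with a service object where a list of services is expected. Put the new service before the elided entries, or close the form with an explicit tail such as the system's existing service list, so the snippet reads correctly as written. In the opening paragraph, "installing a udev rules" should be "installing a udev rules file" (or "installing udev rules"). Lastly, the step "input or generate a secret key" is immediately followed by advice to configure a backup key with the same secret, but nothing tells the reader to keep a copy of that secret at this step; add a sentence saying to record it and store it securely before clicking "Finish", since the backup instruction depends on still having it.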
--
2.41.0
Maxim Cournoyer wrote on 1 Sep 2023 17:12
control message for bug #65354
(address . control@debbugs.gnu.org)
87sf7y0vx9.fsf@gmail.com
close 65354
quit

This issue is archived.
