[PATCH 0/2] cookbook: Document the configuration of a Yubikey with KeePassXC

Maxim Cournoyer wrote on 17 Aug 2023 16:37

Recipients:

Message-ID:cover.1692282998.git.maxim.cournoyer@gmail.com

Maxim Cournoyer (2):

gnu: yubikey-personalization: Mention udev rules file in description.

doc: cookbook: Document the configuration of a Yubikey with KeePassXC.

doc/guix-cookbook.texi | 44 +++++++++++++++++++++++++++++++++

gnu/packages/security-token.scm | 5 +++-

2 files changed, 48 insertions(+), 1 deletion(-)

base-commit: e80e082be1a85ca3ff17797ceda4e2346ea77b38

2.41.0

Maxim Cournoyer wrote on 17 Aug 2023 16:42

[PATCH 1/2] gnu: yubikey-personalization: Mention udev rules file in description.

Recipients:(address . 65354@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)

Message-ID:7fb2ab34337fa470c23e6d1a8ddeed8e2fa98b61.1692283338.git.maxim.cournoyer@gmail.com

* gnu/packages/security-token.scm (yubikey-personalization)

[description]: Expound with information regarding the udev rules file the

package contains.

---

gnu/packages/security-token.scm | 5 ++++-

1 file changed, 4 insertions(+), 1 deletion(-)

Toggle diff (20 lines)diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 3a0ed245ad..babc10aa7d 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -460,7 +460,10 @@ (define-public yubikey-personalization
     (description
      "The YubiKey Personalization package contains a C library and command
 line tools for personalizing YubiKeys.  You can use these to set an AES key,
-retrieve a YubiKey's serial number, and so forth.")
+retrieve a YubiKey's serial number, and so forth.  It also provides the
+@file{69-yubikey.rules} udev rules file, which allows console users to access
+the Yubikey USB device node, which is needed for the challenge/response
+@acronym{OTP, One-Time Password} application used by KeePassXC, for example.")
     (license license:bsd-2)))
 
 (define-public python-pyscard

base-commit: e80e082be1a85ca3ff17797ceda4e2346ea77b38
-- 
2.41.0

Maxim Cournoyer wrote on 17 Aug 2023 16:42

[PATCH 2/2] doc: cookbook: Document the configuration of a Yubikey with KeePassXC.

Recipients:(address . 65354@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)

Message-ID:5704de4654bb878f397c2435473a8ec58b268108.1692283338.git.maxim.cournoyer@gmail.com

* doc/guix-cookbook.texi (Using security keys)

[Requiring a Yubikey to open a KeePassXC database]: New subsection.

---

doc/guix-cookbook.texi | 44 ++++++++++++++++++++++++++++++++++++++++++

1 file changed, 44 insertions(+)

Toggle diff (57 lines)diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 87430b741a..e5ed707450 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2152,6 +2152,50 @@ Using security keys
 @samp{Applications -> OTP} view, delete the slot 1 configuration, which
 comes pre-configured with the Yubico OTP application.
 
+@subsection Requiring a Yubikey to open a KeePassXC database
+@cindex yubikey, keepassxc integration
+The KeePassXC password manager application has support for Yubikeys, but
+it requires installing a udev rules for your Guix System and some
+configuration of the Yubico OTP application on the key.
+
+The necessary udev rules file comes from the
+@code{yubikey-personalization} package, and can be installed like:
+
+@lisp
+(use-package-modules ... security-token ...)
+...
+(operating-system
+ ...
+ (services
+  (cons*
+   ...
+   (udev-rules-service 'yubikey yubikey-personalization))))
+@end lisp
+
+After reconfiguring your system (and reconnecting your Yubikey), you'll
+then want to configure the OTP challenge/response application of your
+Yubikey on its slot 2, which is what KeePassXC uses.  It's easy to do so
+via the Yubikey Manager configuration tool, which can be invoked with:
+
+@example
+guix shell yubikey-manager-qt -- ykman-gui
+@end example
+
+First, ensure @samp{OTP} is enabled under the @samp{Interfaces} tab,
+then navigate to @samp{Applications -> OTP}, and click the
+@samp{Configure} button under the @samp{Long Touch (Slot 2)} section.
+Select @samp{Challenge-response}, input or generate a secret key, and
+click the @samp{Finish} button.  If you have a second Yubikey you'd like
+to use as a backup, you should configure it the same way, using the
+@emph{same} secret key.
+
+Your Yubikey should now be detected by KeePassXC.  It can be added to a
+database by navigating to KeePassXC's @samp{Database -> Database
+Security...}  menu, then clicking the @samp{Add additional
+protection...} button, then @samp{Add Challenge-Response}, selecting the
+security key from the drop-down menu and clicking the @samp{OK} button
+to complete the setup.
+
 @node Dynamic DNS mcron job
 @section Dynamic DNS mcron job
 
-- 
2.41.0

Maxim Cournoyer wrote on 1 Sep 2023 17:12

control message for bug #65354

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87sf7y0vx9.fsf@gmail.com

close 65354

quit

Your comment

This issue is archived.

To comment on this conversation send an email to 65354@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date