Resilience Theatre


FIDO2 setup

Notes on setting up a FIDO2 security key on a Fedora Linux workstation: token PIN and reset, LUKS disk unlock, and gdm/sudo login.

Install the fido2-tools package:

sudo dnf install -y fido2-tools

Set a PIN for the FIDO2 token (optional) 1):

fido2-token -S /dev/hidraw1

To change the PIN:

fido2-token -C /dev/hidraw1

In practice the Feitian key had to be reset before it could be enrolled into LUKS. A reset wipes every credential on the token and clears its PIN (set the PIN again afterwards), and fido2-token -R only succeeds within a few seconds of the token being plugged in. The hidraw path differs per machine; take it from fido2-token -L:

fido2-token -L
/dev/hidraw1: vendor=0x096e, product=0x0854 (FT FIDO KB)
# Unplug and re-plug the token, then within five seconds run:
fido2-token -R /dev/hidraw1
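The commands above hard-code /dev/hidraw1, which is just the number the kernel happened to hand out. The helper below, added here as an example (it is not from the wiki page, and its sample listings are constructed), reads fido2-token -L, refuses to guess when zero or several tokens are present, and prints the set-PIN and reset commands for the one token it found; when fido2-tools is not installed it falls back to the constructed listing:

```bash
#!/bin/sh
# Find the FIDO2 token path from `fido2-token -L` instead of hard-coding /dev/hidraw1.
# Added example, not part of the wiki page; the sample listings are constructed.

# Turn `fido2-token -L` output (stdin) into "path vendor product" lines.
# Input lines look like:  /dev/hidraw1: vendor=0x096e, product=0x0854 (FT FIDO KB)
fido2_list_parse() {
    awk -F'[:=, ]+' '/^\/dev\/hidraw[0-9]+:/ { print $1, $3, $5 }'
}

# Print the path of the one plugged-in token; fail if there are zero or several,
# because `fido2-token -S/-C/-R` act on a single device and a wrong guess of
# /dev/hidrawN would set the PIN on (or reset!) the wrong key.
fido2_single_token() {
    tokens=$(fido2_list_parse)
    n=$(printf '%s\n' "$tokens" | awk 'NF { n++ } END { print n + 0 }')
    case "$n" in
        0) echo "no FIDO2 token found, plug one in" >&2; return 1 ;;
        1) printf '%s\n' "$tokens" | awk '{ print $1 }' ;;
        *) echo "$n tokens found, leave only the one to configure" >&2; return 1 ;;
    esac
}

# Constructed sample outputs, used when fido2-tools is not installed.
SAMPLE_ONE='/dev/hidraw1: vendor=0x096e, product=0x0854 (FT FIDO KB)'
SAMPLE_TWO='/dev/hidraw1: vendor=0x096e, product=0x0854 (FT FIDO KB)
/dev/hidraw3: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)'

if command -v fido2-token >/dev/null 2>&1; then
    listing=$(fido2-token -L 2>/dev/null)
else
    listing=$SAMPLE_ONE
fi

if dev=$(printf '%s\n' "$listing" | fido2_single_token); then
    echo "token: $dev"
    echo "set PIN with:  fido2-token -S $dev"
    echo "reset with:    fido2-token -R $dev   (within a few seconds of plugging in)"
fi
```

The two-token listing is only there to show the refusal path; unplug everything but the key you are configuring before running the real commands.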

LUKS disk encryption

Fedora

Setting up FIDO2 for LUKS encryption. 2) Here /dev/sda3 is the LUKS partition of a freshly installed Fedora 37 workstation; use lsblk to find yours. In this example both the PIN and the presence touch are disabled for unlocking, so the machine boots and opens the LUKS partition unattended as long as the key is inserted. That is a deliberate trade-off: whoever holds the laptop together with the token has the data, so keep the defaults (PIN and touch required) if that is not acceptable. The PIN is still asked once during enrolment, because creating the credential on the token requires it.

First enroll a recovery key and write it down; it is printed once and is your way back in if the token is lost or broken:

sudo systemd-cryptenroll --recovery-key /dev/sda3

Plug in your FIDO2 token and enroll it to LUKS:

sudo -i
cryptsetup luksDump /dev/sda3
systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=false --fido2-with-user-presence=false /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: ************
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
🔐 Please enter security token PIN: ****
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.

Check the result with luksDump; the new slot is listed under Tokens with type systemd-fido2:

cryptsetup luksDump /dev/sda3

Edit /etc/crypttab (as root) and put fido2-device=auto in the options column of the LUKS entry, keeping the existing name and UUID:

# nano /etc/crypttab
luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx - fido2-device=auto

Regenerate initramfs:

dracut --regenerate-all --force

Optionally, once a reboot has shown that the token unlocks the disk and the recovery key is stored safely, you can remove the passphrase slot. luksRemoveKey asks for the passphrase and deletes the key slot it opens:

cryptsetup -v luksRemoveKey /dev/sda3

Debian 12

Warning: be careful, this can leave the system unbootable. You've been warned!

First reset the FIDO2 token and set a PIN on it (see above). The initramfs-tools based Debian initrd does not use systemd-cryptsetup, so the initrd is switched to dracut first.

# Install dracut (replaces initramfs-tools) and remove the initramfs-tools cryptsetup hook
apt install dracut
apt purge cryptsetup-initramfs && apt autoremove --purge
echo "hostonly=yes" > /etc/dracut.conf.d/10-hostonly.conf
dracut -f
# Reboot to confirm the dracut initrd still boots with the passphrase before touching FIDO2
reboot

# Enroll your FIDO2 device to unlock the LUKS volume
apt install fido2-tools
nano /etc/crypttab
# Change the line:
# vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard
# to:
# vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard,fido2-device=auto
# Rebuild the initrd so it includes the FIDO2 libraries and the updated /etc/crypttab
dracut -f
# Plug in your FIDO2 device and check that it is listed
systemd-cryptenroll --fido2-device=list
# Enroll it with the defaults: PIN and touch are required at every unlock
systemd-cryptenroll --fido2-device=auto /dev/vda5
# Test that everything works
reboot
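Both procedures above edit /etc/crypttab by hand and read luksDump by eye. The script below, added here as an example (not from the wiki page; the crypttab lines and the luksDump excerpt are constructed samples), does the crypttab edit mechanically for both the Fedora and the Debian form, extracts the FIDO2 keyslot from luksDump output, and implements the check worth running before luksRemoveKey: a FIDO2 slot and a recovery token must both exist.

```bash
#!/bin/sh
# Helpers for the crypttab edit and the luksDump check in the two procedures above.
# Added example, not from the wiki page; the crypttab lines and the luksDump text
# below are constructed (and trimmed) samples, nothing here touches a real device.

# Append fido2-device=auto to the options (4th) column of one crypttab line.
# Handles the Fedora form ("-" options) and the Debian form ("luks,discard");
# comments, blank lines and lines that already carry the option pass through
# unchanged, so running it twice is harmless.
crypttab_add_fido2() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { print; next }
        {
            key = (NF >= 3) ? $3 : "none"
            opt = (NF >= 4) ? $4 : "-"
            if (opt ~ /(^|,)fido2-device=/) { print; next }
            if (opt == "-") opt = "fido2-device=auto"
            else opt = opt ",fido2-device=auto"
            print $1, $2, key, opt
        }'
}

# Apply crypttab_add_fido2 to every line of the file in $1, writing to stdout
# (redirect to a new file, diff it, then move it into place as root).
crypttab_add_fido2_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        crypttab_add_fido2 "$line"
    done < "$1"
}

# Read `cryptsetup luksDump` output on stdin and print "<token> <keyslot>" for
# every systemd-fido2 token; empty output means no FIDO2 enrolment exists.
luksdump_fido2_slots() {
    awk '
        /^Tokens:/ { in_tokens = 1; next }
        /^[A-Za-z]/ { in_tokens = 0 }
        !in_tokens { next }
        /^  [0-9]+: / { id = $1; sub(/:$/, "", id); type = $2; next }
        /^[[:space:]]+Keyslot:/ && type == "systemd-fido2" { print id, $2 }
    '
}

# Succeed when the dump on stdin contains a systemd-recovery token.
luksdump_has_recovery() {
    grep -q '^  [0-9][0-9]*: systemd-recovery'
}

# The gate in front of `cryptsetup luksRemoveKey`: refuse unless the dump shows
# at least one FIDO2 keyslot AND a recovery key, so the passphrase slot is never
# the last way into the disk.
luks_safe_to_drop_passphrase() {
    dump=$(cat)
    fido=$(printf '%s\n' "$dump" | luksdump_fido2_slots)
    [ -n "$fido" ] || { echo "no systemd-fido2 token enrolled" >&2; return 1; }
    printf '%s\n' "$dump" | luksdump_has_recovery \
        || { echo "no systemd-recovery token enrolled" >&2; return 1; }
}

# Constructed luksDump excerpt for a disk with passphrase (slot 0), FIDO2 (slot 1)
# and recovery key (slot 2); real output has more fields and tab indentation.
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           0f1e2d3c-4b5a-6978-8a9b-acbdcedfe0f1

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: systemd-fido2
        fido2-rp:   io.systemd.cryptsetup
        fido2-clientPin-required:
                    false
        fido2-up-required:
                    false
        Keyslot:    1
  1: systemd-recovery
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256'

# Demo on the constructed data (the Fedora UUID is made up, the Debian line is the one above).
echo "Fedora:  $(crypttab_add_fido2 'luks-0f1e2d3c-4b5a-6978-8a9b-acbdcedfe0f1 UUID=0f1e2d3c-4b5a-6978-8a9b-acbdcedfe0f1 -')"
echo "Debian:  $(crypttab_add_fido2 'vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard')"
echo "FIDO2 token/keyslot: $(printf '%s\n' "$SAMPLE_DUMP" | luksdump_fido2_slots)"
if printf '%s\n' "$SAMPLE_DUMP" | luks_safe_to_drop_passphrase; then
    echo "passphrase slot may be removed (after a successful reboot test)"
fi
```

On a real machine feed it the live data, for example crypttab_add_fido2_file /etc/crypttab > /tmp/crypttab.new and cryptsetup luksDump /dev/sda3 | luks_safe_to_drop_passphrase, and only then run luksRemoveKey.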

gdm login

Note that this requires a U2F-capable FIDO2 key. This section is based on Nitrokey documentation 3).

If you use a Nitrokey you can install its udev rules; this step is not required for gdm login or sudo to work.

cd /etc/udev/rules.d/
sudo wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo udevadm control --reload-rules && sudo udevadm trigger

Install the packages:

sudo dnf install pam-u2f pamu2fcfg

Insert the Nitrokey and register it:

mkdir ~/.config/Nitrokey
sudo pamu2fcfg > ~/.config/Nitrokey/u2f_keys

# Touch the Nitrokey when it blinks
sudo mv ~/.config/Nitrokey /etc

Check the content of u2f_keys: each line must start with your username, but pamu2fcfg run under sudo as above writes root instead (running pamu2fcfg -u yourusername avoids that). pam_u2f trusts this file, so it must be owned by root and not writable by anyone else, and after the mv run restorecon -R /etc/Nitrokey so it gets the /etc SELinux label rather than the one it carried over from your home directory.

sudo nano /etc/Nitrokey/u2f_keys
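A small check for the authfile, added here as an example (not from the wiki page or the Nitrokey documentation; the key lines are constructed placeholders, not real credentials, and the demo writes only to a temporary directory): it flags lines whose user field is not yours, rewrites them, and refuses a group- or world-writable file.

```bash
#!/bin/sh
# Sanity-check a pam_u2f authfile before wiring it into PAM. Added example, not part
# of the wiki page or Nitrokey's docs; the sample lines are constructed placeholders.

# pamu2fcfg emits "<user>:<keyhandle>,<pubkey>,<cose type>,<options>[:<more keys>]".
# Run under sudo it writes "root:" and pam_u2f will then never match your login.
# List every line whose user field is not $2; succeed only if there are none.
u2f_keys_check_user() {
    file=$1; user=$2
    bad=$(awk -F: -v u="$user" 'NF && $1 != u { print NR ": " $1 }' "$file")
    if [ -n "$bad" ]; then
        printf 'lines in %s not for user %s:\n%s\n' "$file" "$user" "$bad" >&2
        return 1
    fi
}

# Rewrite the user field of every non-empty line to $2 (fixes the sudo/root case).
u2f_keys_set_user() {
    file=$1; user=$2
    tmp="$file.tmp.$$"
    awk -F: -v u="$user" 'BEGIN { OFS = ":" } NF { $1 = u } { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Refuse a file writable by group or others: whoever can edit the authfile can
# enrol their own token and skip the password wherever pam_u2f is "sufficient".
u2f_keys_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) echo "$1 is group/world writable ($perms)" >&2; return 1 ;;
    esac
}

# Demo on a constructed authfile (real entries are long base64 blobs).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/u2f_keys"
# constructed: what `sudo pamu2fcfg > ...` leaves behind for a user called alice
printf '%s\n' 'root:Qm9ndXNLZXlIYW5kbGU=,Qm9ndXNQdWJsaWNLZXk=,es256,+presence' > "$demo_file"
chmod 644 "$demo_file"

u2f_keys_check_user "$demo_file" alice || echo "-> fixing the user field"
u2f_keys_set_user "$demo_file" alice
u2f_keys_check_user "$demo_file" alice && echo "-> authfile now belongs to alice"
u2f_keys_mode_ok "$demo_file" && echo "-> permissions ok"
cat "$demo_file"
rm -rf "$demo_dir"
```

Ownership is deliberately not asserted here because the demo file cannot be root-owned without privileges; on the real /etc/Nitrokey/u2f_keys also verify that ls -l shows root as owner.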

gdm login and sudo authentication with the FIDO2 key

Edit /etc/pam.d/gdm-password and add the pam_u2f line as the second line, right after the existing pam_selinux_permit line. With sufficient, a touch of a registered key alone logs you in (no password); change it to required if the key should be a second factor on top of the password. nouserok lets users without an entry in the authfile fall back to the password prompt:

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth    sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok

Edit /etc/pam.d/sudo and add the same line directly below the #%PAM-1.0 header:

#%PAM-1.0
auth    sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok

fido2/introduction.txt · Last modified: 2024/06/18 04:39 by admin
