udev rules to support U2F security keys #53036

Closed

Contributor

@BenBals BenBals commented Dec 29, 2018

Motivation for this change

Physical security keys like the YubiKey can greatly improve the security of software systems. U2F is an open standard supported by most major internet sites like GitHub, Twitter, Google and others. You can use the physical key just like a normal key. You need to insert it into your computer (most of the time in addition to your password) to log in to your accounts.

On Linux, udev rules are needed to support U2F security keys. Yubico, the makers of the YubiKey, maintain a rules file that supports a number of security keys, namely the following:
YubiKey, Happlink Security Key, HyperSecu HyperFIDO, Feitian ePass FIDO, JaCarta U2F, U2F Zero, VASCO SecureClick, Bluink Key, Thetis Key, Nitrokey FIDO U2F and the Google Titan U2F.

Things done

This package gives NixOS users a simple way to install the rules file needed for their security key. All one has to do is add it to the udev packages in the Nix configuration:

services.udev.packages = [ pkgs.u2f-udev-rules ];

I have tested this package with the YubiKey 5C and I have verified that the rules file is placed in the correct location, so it should work like the normal place-the-file-here install on other distros.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@markuskowa
Member

There is a package libu2f-host, which installs the udev rules. It should be sufficient to add that to your config via services.udev.packages = [ pkgs.libu2f-host ]; to install the necessary udev rules? What would be the motivation to add the udev rules as a standalone package to nixpkgs?

@BenBals
Contributor Author

BenBals commented Dec 29, 2018

You are right! I have gotten my YubiKey for Christmas and spent the last few days trying to set it up. I only figured it out today.

While the other package offers the functionality, I have not been able to find it. I have looked at it now and its description is focused on the C library in whose repo the rules happen to live.

So I suggest we have to separate packages dealing with the different responsibilities or we ought to improve the visibility of the other one for users like me who want to use a security key, not write applications supporting it.

I have made a point of including all supported keys in the long description of the package, so that any search for either one of them will bring up the package. I also believe the name u2f-udev-rules describes what the package does really well and it should be easy to search for.

Either solution would be fine for me, but improving the ease of setup for these devices on NixOS is something that matters in my opinion.

@markuskowa
Member

I would suggest to only keep the package libu2f-host. This is the way it is also handled for other packages that offer udev rules. Splitting it up into separate packages, when the original package offers the same functionality, just unnecessarily increases the maintenance work.
You wrote a nice longDescription for the package. You can add that to libu2f-host instead.
Another user-friendly option would be to provide a NixOS module (see nixos/modules/hardware/bladeRF.nix for an example) that takes care of adding the package to services.udev.packages.

@markuskowa
Member

@volth thanks, I missed it was already there.
