Commit Graph

518 Commits

Author SHA1 Message Date
drduh db35f7622d Replace reset PIN with date, keyid, serial fields in passphrase templates 2024-03-24 10:57:15 -07:00
drduh 197b92d098 Remove NEO (discontinued in 2018), sort troubleshooting 2024-03-24 10:08:30 -07:00
drduh 90292fe553 Update LUKS link, make commands consistent, more passphrase guidance 2024-03-24 09:47:01 -07:00
drduh 5a4884685d Optional hardening section, additional validation steps 2024-03-24 08:11:10 -07:00
drduh aa81e0fc80
Merge pull request #427 from wstephenson/master
Fix typo in date command
2024-03-20 16:33:10 +00:00
Will Stephenson 953bac8739 Fix typo in date command 2024-03-19 22:17:40 +01:00
drduh a7aa09bc80
Merge pull request #426 from drduh/wip-17mar24
Add plaintext passphrase template
2024-03-18 01:37:54 +00:00
drduh 30d5f3905f Add command-line passphrase template 2024-03-17 18:34:53 -07:00
drduh c97c9ac4c1
Merge pull request #425 from drduh/wip-16mar24
Simplify instructions, reduce manual labor
2024-03-18 00:39:46 +00:00
drduh 7a1039ab08 Replace mkdir commands 2024-03-17 17:28:53 -07:00
drduh 6272fc4181 Install yubikey-manager directly on Debian 2024-03-17 17:22:15 -07:00
drduh a0fa35cf11 Simplify and automate fdisk commands 2024-03-17 17:04:48 -07:00
drduh ac8ff82085 Stick with 6/8 digit PINs 2024-03-17 11:53:37 -07:00
drduh 38a6c057aa Remove obsolete stuff, clean up intro 2024-03-17 10:16:32 -07:00
drduh 228ff7c7ca Move keyserver instructions to later, more batch commands 2024-03-17 09:43:11 -07:00
drduh a1081d20ac Automate PIN and card operations 2024-03-16 21:43:21 -07:00
drduh b2959d075b Simplify instructions, reduce manual labor 2024-03-16 19:35:04 -07:00
drduh 12b232d28f
Merge pull request #423 from Xronophobe/fix/quick-add-key-with-fpr
update gpg --quick-add-key commands
2024-03-11 16:10:32 +00:00
drduh 3d01237c02
Merge pull request #424 from drduh/wip-10mar24
Address restriction on subkey
2024-03-10 21:24:42 +00:00
drduh c1b556c7c5 formatting fix 2024-03-10 14:22:32 -07:00
drduh f0a0801a51 Workaround for Authenticate key issue 2024-03-10 14:20:00 -07:00
Csanad Beres 623a60cc83 update gpg --quick-add-key commands
it seems to be only accepting fingerprints and rejecting key IDs
2024-03-07 15:17:14 +01:00
drduh 53ed405cef
Merge pull request #420 from drduh/fix-metadata
fix batch metadata
2024-02-12 19:41:43 +00:00
drduh e0880c0adc fix batch metadata 2024-02-12 11:41:06 -08:00
drduh 17ca4d058a
Merge pull request #419 from drduh/wip-12feb24
12feb24
2024-02-12 19:35:14 +00:00
drduh 07e0fe71fd few more standard terms 2024-02-12 11:32:26 -08:00
drduh 678e779b1f typo 2024-02-12 11:28:49 -08:00
drduh 6e19ae4cc4 few more style nits 2024-02-12 11:24:27 -08:00
drduh 29563423c1 explicit keytocard instructions 2024-02-12 11:03:26 -08:00
drduh 0b24d77c18 simplify batch instructions 2024-02-12 10:51:55 -08:00
drduh ca052604c3 standard names for subkeys 2024-02-12 10:45:38 -08:00
drduh 00708879da
Merge pull request #418 from drduh/wip-12feb24
remove yubikey as rng
2024-02-12 18:05:48 +00:00
drduh 8e914a3a60 remove yubikey as rng 2024-02-12 10:02:58 -08:00
drduh 457fc80f8c
Merge pull request #417 from drduh/wip-11feb24
11feb24
2024-02-12 17:35:22 +00:00
drduh d6848d5440 remove multiple hosts 2024-02-12 09:33:22 -08:00
drduh 92d4212019 more grammar 2024-02-11 22:19:52 -08:00
drduh c69295975c few more cleanups 2024-02-11 21:48:35 -08:00
drduh c6052c9028 simplify console output, use generic info 2024-02-11 21:09:11 -08:00
drduh fbd7008a16 more grammar and formatting 2024-02-11 17:43:45 -08:00
drduh 152f7fb262 grammar and style 2024-02-11 15:37:31 -08:00
drduh cfe0fa282d grammar and standardize storage terminology 2024-02-11 13:56:32 -08:00
drduh 24ca007315 standardize Certify/Subkeys, easier command copy, organize links 2024-02-11 12:36:47 -08:00
drduh c0b4ca6f78
Merge pull request #416 from Paraphraser/20240210-disable-ccid-master
add step to set `disable-ccid` in `scdaemon.conf`
2024-02-11 02:34:37 +00:00
Phill Kelley 5c3a4e8b18
fix rookie mistake
Add a one-liner that works. Then think about the context and decide to
recommend a rearrangement. And then muck up the consequential adjustment
of the original one-liner. I think I got a badge for that in the scouts.

Well spotted. Sorry.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2024-02-11 09:32:04 +11:00
drduh b2d55a80de
Merge pull request #408 from jpickwell/patch-1
Quote Debian Live ISO URL, and add $ to AWK RegExp.
2024-02-10 17:21:32 +00:00
drduh db9316a8ce
Merge pull request #411 from motiejus/motiejus-flake
NixOS Live Image: convert to a flake
2024-02-10 17:21:06 +00:00
drduh 87cb057de5
Merge pull request #414 from colingrady/genuine_link
Update link to genuine device check info
2024-02-10 17:19:41 +00:00
Phill Kelley f8fcb0c2d1
add step to set `disable-ccid` in `scdaemon.conf`
Issue #404 reports "GPG acts like my YubiKey isn't plugged in".

With GnuPG 2.3 and later, the system can get into a loop where it
prompts for insertion of a YubiKey even though that YubiKey is already
connected.

The solution for this is to set `disable-ccid` in
`~/.gnupg/scdaemon.conf`.

Testing suggests setting `disable-ccid` does not interfere with earlier
versions of GnuPG (e.g. 2.2.27 on Debian Bullseye or 2.2.40 on Debian
Bookworm).

This problem has also been mentioned in #277 and #256. Including a step
in the Guide to set `disable-ccid` may help minimise recurrence.

Also takes the opportunity to ensure `~/.gnupg` directory exists on a
new system before downloading `gpg.conf`.

References:

* Ludovic Rousseau

	- [GnuPG and PC/SC conflicts](https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html)

* GnuPG.org:

	- [Scdaemon Options](https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Options.html#index-disable_002dccid)

* YubiCo:

	- [Resolving GPG's CCID conflicts](https://support.yubico.com/hc/en-us/articles/4819584884124-Resolving-GPG-s-CCID-conflicts)
	- [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG)

* Closed issues:

	- [277 pcscd: Error Reader Exclusive](https://github.com/drduh/YubiKey-Guide/issues/277)
	- [256 Update scdaemon.conf for gnupg 2.3 with MacOS (and possibly others)](https://github.com/drduh/YubiKey-Guide/issues/256)

Fixes #404

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2024-02-10 14:11:33 +11:00
Motiejus Jakštys 84c9d9654d NixOS Live Image: convert to a flake
Now `nixpkgs` will be pointing to a specific release, which has a much
smaller chance to unexpectedly break. Currently 23.11. The next one will
be 24.05, 24.11, etc.

NixOS *releases* receive security updates, but packages are upgraded
conservatively, thus don't generally break. As a result, we should need
to worry about NixOS upgrades every 6-12 months. The upgrade means "bump
the version number and try to build it". If it breaks, it will generally
break only then. Less reactive, more proactive surprises.

`flake.nix` was written by @thomaseizinger in
https://github.com/drduh/YubiKey-Guide/issues/406. Changes from the
original:
- change Gnome to xfce. Now it loads with 384MB of RAM and works well
  with the simplest graphics (hello qemu).
- less nasty workaround for hopenpgp-tools. Fixed upstream
  (https://github.com/NixOS/nixpkgs/pull/279117).
- do not default `copytoram`, user can select this option in the
  bootloader.

Here is how to test it:

```
$ nix run .#nixosConfigurations.yubikeyLive.x86_64-linux.config.system.build.vm
```

*Note for the maintainer*: it would be great if you could occasionally
run `nix flake update --commit-lock-file`, *especially* after updating
github.com/drduh/config.git.

Fixes #406

Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2024-02-04 14:03:54 +02:00
Colin Grady 80a90f8813 Update link to genuine device check info 2024-01-25 08:28:01 -07:00