Yubikey support

Would be cool to be able to log in to the phone with a HW key. And while I am 90% sure this can be done if you compile/install and configure the appropriate packages, doing it from the Settings would be nice.

It's an OS that advertises security after all :slightly_smiling_face:

5 Likes

You can in the browser!
Just activate u2fsomething in the about:config.
Edit: I think it is ‘security.webauth.u2f’

BTW: I was trying to get Yubico/yubikey-manager (GitHub: Python library and command line tool for configuring any YubiKey over all USB interfaces) packed into chum. But I was lost in dependencies (and I’m very inexperienced in packaging). That would be very nice to have on the phone, then we could use the OATH as well and probably build a GUI for it.

EDIT2: Somehow I think I missed your question. You do not want to log in to something in the browser or whatever with the key, but you want to log in to SFOS with the Key! Yeah, that would be nice, too!

3 Likes

Basically I want everything that you can do with a Yubikey. Or the Solo ones.

1 Like

Out of my own interest I was trying to get yubikey-manager, a CLI interface to the YubiKey, running on Sailfish to e.g. create OATH passwords.
It is working with some packages installed and then pip install it. I made a lot of progress with the help of @rinigus. But now I have no clue how to package the Python stuff as well, so that I can make it available in sailfishos:chum finally and most likely try to write a GUI around it.

So: If anyone can help me with some hints on how to package the Python package yubikey-manager correctly, I would love to get some support here or on the corresponding GitHub issue: Package wish: Yubikey-Manager · Issue #13 · sailfishos-chum/main · GitHub. As said, I’m already able to get it running with pip.

Instead of a separate app it would be better if it was integrated with the settings somehow.

But how would you integrate e.g. OATH/TOTP or similar functions in the settings? This always is some kind of an App, isn’t it?
So what would fit the settings is something with respect to login. But which of the other YubiKey features would you love to see there?

So, in exchange for some help with the packaging, I could in the end offer a GUI for getting OATH Keys from the YubiKey on Sailfish. Proof of Concept is attached :stuck_out_tongue_winking_eye:. At the moment the installation of all packages is kind of too big an effort for average users, and after every reboot the pcscd.service has to be restarted, as I don’t know how to tell the pcsc lite package to hook in there after installation correctly.

For curious hackers: Code, Packages. Details are in the GitHub Issue linked above. Help, of course, is also welcome. Once again: you need to install a lot manually before the App can work at the moment - so it is really less than an alpha version now!

3 Likes

@fridlmue did you also manage to get the phone to unlock with a YubiKey, or did you just do the OATH stuff?

This is only for the OATH-Stuff (and I got U2F running in the Browser, as already mentioned). As you suggested, the device unlock should be a System-Settings feature. And I never played around with it on the desktop, so I have no clue how to get things built up for that.

I suspect it will be something with PAM, but which and why and where I have no idea. And probably it will need some sort of NFC magic along with USB.

Also the U2F browser thing can be an option in the Settings. I.e. an allow switch.

Anyway.