Yubikey support

Would be cool to be able to login the phone with a HW key. And while i am 90% sure this can be done if you compile/install and configure the appropriate packages doing it from the Settings would be nice.

Its an OS that advertises security after all :slightly_smiling_face:

5 Likes

You can in the browser!
Just activate u2fsomething in the about:config.
Edit: it think it is ā€˜security.webauth.u2fā€™

BTW: I was trying to get GitHub - Yubico/yubikey-manager: Python library and command line tool for configuring any YubiKey over all USB interfaces. packed into chum. But I was lost in dependencies (and Iā€™m very inexperienced in packaging.) That would be very nice to have on the phone, then we could use the OATH as well and probably build a GUI for it.

EDIT2: Somehow I think I missed your question. You do not want to login to something in the browser or whatever with the key, but you want to log in to SFOS with the Key! Yeah, that would be nice, too!

4 Likes

Basically i want everything that you can do with a Yubikey. Or the Solo ones.

2 Likes

As of my own interest I was trying to get yubikey-manager, a cli interface to the yubikey, running on Sailfish to e. g. create OATH passwords.
It is working with some packages installed and then pip install it. I made a lot of progress with the help of @rinigus. But now I have no clue how to package the python stuff as well, so that I can make it available in sailfishos:chum finally and most likely try to write a GUI around it.

So: If anyone can help me with some hints on how to package the python package yubikey-manager correctly i would love to get some support here or on the corresponding github issue: Package wish: Yubikey-Manager Ā· Issue #13 Ā· sailfishos-chum/main Ā· GitHub. As said, Iā€™m already able to get it running with pip.

Instead of a separate app it would be better if it was integrated with the settings somehow.

But how would you integrate e. g. OATH/TOTP or similar functions in the settings? This always is some kind of an App, isnā€™t it?
So what would fit the settings is something with respect to login. But which of the other YubiKey features would you love to see there?

So, in exchange for some help with the packaging, i could in the end offer a GUI for getting OATH Keys from the YubiKey on Sailfish. Proof of Concept is attached :stuck_out_tongue_winking_eye:. At the moment the installation of all packages is a kind of a to big effort for average users and after every reboot the pcscd.service has to be restarted, as I donā€™t know how to tell the pcsc lite package to hook in there after installation correctly.

For curious hackers: Code, Packages. Details are in the GitHub Issue linked above. Help, of course, is also welcome. Once again: you need to install a lot manual before the App can work at the moment - so it is really less than a alpha version now!


5 Likes

@fridlmue did you also manage to get the phone to unlock with a yubikey or you just did the OATH stuff?

This is only for the OATH-Stuff (and I got U2F running in the Browser, as already mentioned). As you suggested, the device unlock should be a System-Settings feature. And I never played around with it on the desktop, so I have no clue how to get things build up for that.

I suspect it will be something with pam but which and why and where i have no idea. And probably it will need some sort of NFC magic along with USB.

Also the u2f browser thing can be an option in the Settings. Ie an allow switch.

Anyway.

How does yubikey work with a VPN? Is there any glitches or is it not supported at all? I just often use wpn, so I was wondering how these guys would interact

Just curious if you had gotten any further? I havenā€™t done any testing yet, but looking at https://github.com/sailfishos/python3-imaging/ , for instance, could see that Jolla had used submodules to build Pillow. I was about to do that when I just found it :wink: So I didnā€™t go further. I saw that you have the yubikey and [python3-pyscard ] in the chum reposā€¦

Yes, but last time I looked into I had some trouble to get the .spec files in order to compile correctly. I got the tool chain running with the manually uploading the tar files to obs, but in fact I would love to get them in CHUM the ā€œtar_git-wayā€. For some I got it running, but for some I didnā€™t - there should be a issue in the according repos if i remember correctly.

The affected packages are listed here: https://github.com/sailfishos-chum/main/issues/13#issuecomment-945081148

I hope to find time soon to continue and gather the knowledge and insights to fix the full chain in CHUM!

And at last I have no clue what happens, when SailJail gets enforcedā€¦ :confused:

Ok, Iā€™ll go through the ticket again (I read over it quickly yesterday).

I think the sailjail strictures will basically kill it unless the libraries make it into jollaā€™s core. I see that happening but no idea when. They did recently, for instance for my use cases with ffmpeg, allow sailjail apps to use ffmpeg. We should definitely ask about this. Damn. Maybe community on the 20th of Sept.?

In any case, Iā€™ve just set up some yubikeys for company use and can imagine it being useful to have an app on hand ā€¦

There is indeed 2FA pam, libpam-u2f, and libpam-yubico ā€¦ I have it on work laptops.

I have to correct myself. It look like I did not add Issues to most of the packages where I was not able to get it working like i wanted. Iā€™ll check that out again and add some notes soonā„¢.

2 Likes

Vanha Rauma Release adds:
ā€œSupport for detecting YubiKey authentication over USB devices added, no feature support on the Sailfish OS currently though.ā€

I am also a candidate who wants to use an USB-C Yubikey on the phone.

Does this help for an implementation?

U2F (for example with Nextcloud) just works with the stock browser on my 10 II out of the box with the current releases. With the Packaging on Chum for the OATH I did not proceed (due to no time for gathering the needed knowledgeā€¦)

which stick are u using?

and this one with adapter: USB-A YubiKey 5 NFC Two Factor Security Key | Yubico

But I use it plugged, not with nfc.

What Iā€™m not sure about, if i think about it, if security.webauth.u2f by default is activated in about:config of the stock browser.