{{tag>Brouillon Sécurité MFA}}

= Notes Yubikey MFA U2F FIDO =

See:
  * 2FA MFA U2F WebAuthn
  * https://github.com/drduh/YubiKey-Guide

Vulnerability:
  * https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

FIDO2:
  * https://thephp.cc/presentations/2019-international-php-conference-spring-edition-the-future-of-authentication-webauthn-with-php.pdf

Kernel and USB enumeration of the key:

<code>
# dmesg
[ 4283.840605] usb 4-2: new full-speed USB device number 10 using ohci-pci
[ 4284.041632] usb 4-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 5.27
[ 4284.041647] usb 4-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 4284.041653] usb 4-2: Product: Security Key by Yubico
[ 4284.041657] usb 4-2: Manufacturer: Yubico
[ 4284.048451] hid-generic 0003:1050:0120.0009: hiddev0,hidraw0: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:12.0-2/input0
</code>

<code>
$ lsusb |grep -i yubi
Bus 003 Device 007: ID 1050:0120 Yubico.com Yubikey Touch U2F Security Key
</code>

<code>
$ ykman mode
Current connection mode is: FIDO
Supported USB interfaces are: FIDO
</code>

Install the manager:

<code>
sudo apt-get install yubikey-manager
</code>

<code>
$ ykman list
Security Key by Yubico [FIDO]

$ ykman info
Device type: Security Key NFC
Serial number: Not set or unreadable
Firmware version: 5.2.7
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO
NFC interface is enabled.

Applications    USB             NFC
OTP             Not available   Not available
FIDO U2F        Enabled         Enabled
OpenPGP         Not available   Not available
PIV             Not available   Not available
OATH            Not available   Not available
FIDO2           Enabled         Enabled
</code>

Configure the PIN:

<code>
ykman fido set-pin
</code>

Reset the PIN:

<code>
ykman fido set-pin
</code>

Disable NFC:

<code>
ykman config nfc --disable-all
</code>

To check:

<code>
ykman info
</code>

<code>
ykman otp settings --no-enter 1
</code>

== Problem ==

Does not work for me on Debian 10 with the ''Yubikey Touch U2F Security Key'' key:

<code>
$ sudo apt-get install yubikey-personalization
$ ykinfo -a
Yubikey core error: no yubikey present
</code>

Same with the package ''yubikey-personalization-gui''.

== Required configuration? ==

Using Your U2F YubiKey with Linux. Source: https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-U2F-YubiKey-with-Linux

<code>
curl https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules |sudo tee /etc/udev/rules.d/70-u2f.rules
</code>

=== Debian - PAM configuration ===

Source: https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F

<code>
sudo apt-get install pamu2fcfg
</code>

<code>
$ pamu2fcfg
Enter PIN for /dev/hidraw0:
error: fido_dev_make_cred (58) FIDO_ERR_ACTION_TIMEOUT
</code>

The ''FIDO_ERR_ACTION_TIMEOUT'' error was because I had not pressed the key's button quickly enough.

With the first key:

<code>
pamu2fcfg > ~/.config/Yubico/u2f_keys
</code>

We unplug the key, then insert our second key. It is a backup key.

<code>
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
</code>

<code>
sudo apt-get install libpam-u2f
</code>

The PAM configuration consists of adding the line below after ''@include common-auth'':

<code>
auth required pam_u2f.so
# debug debug_file=/var/log/pam_u2f.log
</code>

Sudo protection:

<code>
#%PAM-1.0

@include common-auth
# For YubiKey add line :
auth required pam_u2f.so
# debug debug_file=/var/log/pam_u2f.log
@include common-account
@include common-session-noninteractive
</code>

<code>
#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

@include common-auth
# For YubiKey add line :
auth required pam_u2f.so
# debug debug_file=/var/log/pam_u2f.log
@include common-account
@include common-session
</code>

Graphical login protection:

<code>
@include common-auth
# For YubiKey add line :
auth required pam_u2f.so
# debug debug_file=/var/log/pam_u2f.log
</code>

<code>
#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success
# auth  sufficient      pam_succeed_if.so user ingroup nopasswdlogin

@include common-auth
# For YubiKey add line :
auth required pam_u2f.so
# debug debug_file=/var/log/pam_u2f.log

# gnome_keyring breaks QProcess
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
# Load environment from /etc/environment
session required        pam_env.so
# Load environment from /etc/default/locale and ~/.pam_environment
session required        pam_env.so envfile=/etc/default/locale user_readenv=1
</code>

TTY login protection:

<code>
@include common-auth
# For YubiKey add line :
auth required pam_u2f.so
# debug debug_file=/var/log/pam_u2f.log
</code>

== Other ==

<code>
sudo apt-get install libccid pcscd
sudo systemctl status pcscd
</code>
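As an added example (not from the original page), a small Python audit of the ''u2f_keys'' mapping file that ''pamu2fcfg'' writes: it parses each user's entries, reports malformed ones, and flags users who registered fewer than two keys, since with ''auth required pam_u2f.so'' a lost single key locks that account out. The sample file content and the handle/public-key values are constructed placeholders.

```python
"""Audit a pam_u2f mapping file (~/.config/Yubico/u2f_keys or a central authfile).

Entry format written by pamu2fcfg, one user per line, keys separated by ':':
  user:keyhandle,pubkey[,cosetype,options]:keyhandle,pubkey[,...]
"""

# Constructed sample: handles and public keys are placeholders, not real credentials.
SAMPLE_U2F_KEYS = (
    "alice:kh-a1,pk-a1,es256,+presence:kh-a2,pk-a2,es256,+presence\n"
    "bob:kh-b1,pk-b1,es256,+presence\n"   # single key, no backup registered
    "carol:kh-c1\n"                       # malformed: public key missing
    "\n"                                  # blank lines are ignored
)


def parse_u2f_keys(text):
    """Return (mapping, errors): mapping is {user: [key dicts]}, errors a list of str."""
    mapping, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            errors.append(f"line {lineno}: missing 'user:' prefix")
            continue
        keys = []
        for entry in rest.split(":"):
            fields = entry.split(",")
            # Older 2-field (handle,pubkey) and newer 4-field entries are both accepted.
            if len(fields) < 2 or not fields[0] or not fields[1]:
                errors.append(f"line {lineno} ({user}): malformed key entry '{entry}'")
                continue
            keys.append({
                "handle": fields[0],
                "pubkey": fields[1],
                "cosetype": fields[2] if len(fields) > 2 else "es256",  # assumed default
                "options": fields[3] if len(fields) > 3 else "",
            })
        mapping[user] = keys
    return mapping, errors


def audit_u2f_keys(text, min_keys=2):
    """Parse errors plus every user with fewer than min_keys usable keys."""
    mapping, findings = parse_u2f_keys(text)
    for user, keys in mapping.items():
        if len(keys) < min_keys:
            findings.append(f"{user}: {len(keys)} usable key(s), below {min_keys};"
                            " losing the key locks the account with 'auth required'")
    return findings
```

Run it against each user's mapping file before enabling ''pam_u2f.so'' on sudo, the display manager and the TTYs, so that a missing backup key is caught while a password-only session is still open.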