Apparently there is also pam_u2f as an alternative to pam_yubico, which is a
more general approach using the open FIDO2 / U2F standard. It's much
easier to set up as there are fewer possibilities and decisions to make.
This approach also supports more security keys, like SoloKey v2 and
NitroKey 2/3, which could open the possibility of creating a dedicated
security key page for general key support in Fedora Linux.
The instructions to register a key with the local account were
implicitly requiring challenge-response. Add instructions based on the
YubiCloud method and also add an explicit command to configure
challenge-response in slot 2 of a key.
The man page of ykpersonalize uses a confusing format for providing
option flags. After testing, although it is not documented in the man
page, it is also possible to use an alternative format with a space
between the option flag and its value. Also to note: the negative form of
an option flag uses a '-' symbol right in front of the value.
Also, the slot selector -1 or -2 has to be supplied before any option
flag.
Access to the ~/.yubico directory is done using the PAM module, not
sshd directly. PAM sets the context of that directory to auth_home_t,
which PAM is allowed to access. There is no need to set the context to
ssh_home_t.
Apart from that, using chcon is a volatile operation and not intended for
persistent changes, which was the intent of the note though. The label
would be reset in a system recovery scenario.
This is my first commit, so please correct me if there's something wrong here or feel free to change my wording, but I believe Fedora Workstation now disables the root account by default and instead adds the default user to the 'wheel' group.
Changed the structure and content of the section to reflect more modern
tooling available in recent Fedora Linux distributions.
Simplified overall structure and added challenge-response configuration.
Removed the more complicated authfile option, as it is an option for more
advanced use cases but not necessary for a basic setup. More advanced
users may refer to the pam_yubico man page.
Added a warning about locking yourself out when using the required
configuration.
There are a couple of methods to install a certificate into the trust
store: using "trust anchor" or copying the file to
/etc/pki/ca-trust/source/anchors/. The former is simpler and more
flexible as it doesn't require update-ca-trust and the installed
certificates can be removed with "trust anchor --remove".
For more context, see:
https://bugzilla.redhat.com/show_bug.cgi?id=2163554
Signed-off-by: Daiki Ueno <dueno@redhat.com>