I want to use qubes-gpg-client instead of the default gpg-agent that comes on Ubuntu. How can I make it such that ssh and other things always use this custom agent instead of the default one?
I'm using Yubikey's U2F feature as a second factor to login on Ubuntu 20.04 as described here: https://support.yubico.com/support/solutions/articles/15000011356-ubuntu-linux-login-guide-u2f
However, I would like to add an extra layer of security and lock users (including me as root) who fail to enter the correct password 10 times in a row. I added in /etc/pam.d/system-auth:
auth required pam_tally2.so deny=10 even_deny_root unlock_time=3600
To check that it's working I performed a sudo echo test, which includes entering my password and authenticating with my Yubikey as a second factor. Then I ran:
sudo pam_tally2 -u user
Which gave an output something like:
Login Failures Latest failure From
user 1 01/01/01 11:00:00 tty1
I continued testing and found out that every successful attempt is being logged as a failure by pam_tally2, and I do believe it is because of the Yubikey.
Is there a way to achieve my goal of locking the user who fails to enter his credentials on the lock screen while preserving my Yubikey as a second factor? Thanks.
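One check worth running before blaming the second factor, as an added example that is not part of the question: pam_tally2(8) documents an account-phase entry that resets the failure count after a successful login, and a stack that carries only the auth-phase line is the first thing to rule out when successful logins keep showing up as failures. The script below (file layout and sample PAM stacks are constructed; check_tally2_stack is a hypothetical helper) flags a PAM file that counts in auth without resetting in account.

```shell
#!/bin/sh
# Added example (not from the post): check that a PAM file which counts
# failures with pam_tally2 in the auth phase also resets the counter in
# the account phase. pam_tally2(8) increments the count from its auth
# entry and documents an account entry that clears it after a successful
# login; a stack with only the auth line is the first thing to rule out.
# Usage: check_tally2_stack /etc/pam.d/<service>

check_tally2_stack() {
    file=$1
    # Ignore comment lines, then count pam_tally2 entries per phase.
    has_auth=$(grep -Ev '^[[:space:]]*#' "$file" \
        | grep -Ec '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' || true)
    has_account=$(grep -Ev '^[[:space:]]*#' "$file" \
        | grep -Ec '^[[:space:]]*account[[:space:]].*pam_tally2\.so' || true)
    if [ "$has_auth" -gt 0 ] && [ "$has_account" -gt 0 ]; then
        echo "$file: pam_tally2 counts in auth and resets in account: OK"
        return 0
    fi
    if [ "$has_auth" -gt 0 ]; then
        echo "$file: pam_tally2 counts failures but nothing resets them" >&2
        echo "  add:  account required pam_tally2.so" >&2
    else
        echo "$file: no pam_tally2 entry in the auth phase" >&2
    fi
    return 1
}

# Constructed sample stacks modelled on the line from the question.
tmp=$(mktemp -d)
cat > "$tmp/only-auth" <<'EOF'
auth required pam_tally2.so deny=10 even_deny_root unlock_time=3600
auth required pam_u2f.so
@include common-auth
@include common-account
EOF
cat > "$tmp/with-reset" <<'EOF'
auth required pam_tally2.so deny=10 even_deny_root unlock_time=3600
auth required pam_u2f.so
@include common-auth
@include common-account
account required pam_tally2.so
EOF

check_tally2_stack "$tmp/only-auth" || true   # reports the missing account line
check_tally2_stack "$tmp/with-reset"          # OK
```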
When the default apparmor profile for Firefox is set to enforce mode, it blocks access to security keys. Disabling the profile restores access.
Rules that I've tried without success:
/sys/devices/** r,
#include <abstractions/dbus>
dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit1)
Can someone help me craft rules to allow Firefox access to security keys?
kern.log:
Sep 17 19:07:01 user-pc kernel: [21606.295620] usb 7-2: new full-speed USB device number 4 using uhci_hcd
Sep 17 19:07:01 user-pc kernel: [21606.487632] usb 7-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 4.33
Sep 17 19:07:01 user-pc kernel: [21606.487636] usb 7-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Sep 17 19:07:01 user-pc kernel: [21606.487638] usb 7-2: Product: Security Key by Yubico
Sep 17 19:07:01 user-pc kernel: [21606.487639] usb 7-2: Manufacturer: Yubico
Sep 17 19:07:01 user-pc kernel: [21606.495139] hid-generic 0003:1050:0120.0005: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:1d.1-2/input0
Sep 17 19:07:34 user-pc kernel: [21639.275573] audit: type=1400 audit(1568714854.720:331): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=21659 comm="apparmor_parser"
Sep 17 19:07:34 user-pc kernel: [21639.275577] audit: type=1400 audit(1568714854.724:332): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" pid=21659 comm="apparmor_parser"
Sep 17 19:07:34 user-pc kernel: [21639.275580] audit: type=1400 audit(1568714854.724:333): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" pid=21659 comm="apparmor_parser"
Sep 17 19:07:41 user-pc kernel: [21645.812202] audit: type=1107 audit(1568714861.260:334): pid=1061 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=21662 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1858 peer_label="unconfined"
Sep 17 19:07:41 user-pc kernel: [21645.812202] exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Sep 17 19:07:42 user-pc kernel: [21646.966062] audit: type=1107 audit(1568714862.416:335): pid=1061 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=21703 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1858 peer_label="unconfined"
Sep 17 19:07:42 user-pc kernel: [21646.966062] exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
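Reading denials like the ones above is easier when each record is reduced to the confined profile, the operation and the denied target, which also makes visible that the only DENIED record in this log is the D-Bus call to RealtimeKit1 rather than a device node. The following is an added example, not part of the question: summarize_denials is a hypothetical helper, the first sample line is the D-Bus denial from the log above, and the file denial is constructed to show the shape AppArmor uses when a profile is refused a path.

```shell
#!/bin/sh
# Added example (not from the post): summarise AppArmor DENIED audit records
# from a kern.log so that the confined profile, the operation and the denied
# target can be read at a glance, instead of guessing which rule to add.
# Usage: summarize_denials /var/log/kern.log

summarize_denials() {
    # Records are key=value pairs; audit wraps the AppArmor part in msg='...'.
    awk -v q="'" '
    /apparmor="DENIED"/ {
        sub("msg=" q, "")                    # unwrap msg=... so apparmor= is a plain field
        split("", kv)                        # portable way to clear the array
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            gsub("[\"" q "]", "", v)         # drop surrounding quotes
            kv[k] = v
        }
        # D-Bus denials carry label=/name=/mask=; file denials carry
        # profile=/name=/requested_mask=. Normalise both shapes.
        lbl  = ("label" in kv) ? kv["label"] : kv["profile"]
        mask = ("mask" in kv) ? kv["mask"] : kv["requested_mask"]
        printf "%s: %s %s (mask=%s)\n", lbl, kv["operation"], kv["name"], mask
    }' "$1"
}

# Constructed sample: the D-Bus denial quoted in the question, plus a file
# denial of the form AppArmor logs when a profile is refused a device node.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Sep 17 19:07:41 user-pc kernel: [21645.812202] audit: type=1107 audit(1568714861.260:334): pid=1061 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=21662 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1858 peer_label="unconfined"
Sep 17 19:07:41 user-pc kernel: [21645.812202] exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Sep 17 19:08:02 user-pc kernel: [21667.000000] audit: type=1400 audit(1568714882.000:336): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/hidraw2" pid=21662 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF

summarize_denials "$sample"
```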
I just bought a Yubikey 5 NFC and have set it up per their instructions on Ubuntu 19.04. But my preferred use case is to use the key as a passwordless option (if it's plugged in, allow access; if it's not, enter a password).
I've found some topics on this here and here but both are either not for a Yubikey or not for Ubuntu. And I'm too inexperienced with these things to blindly fiddle with settings as there is a good chance I'd get locked out forever if I do something wrong.
So, since I know the Yubikey 5 supports passwordless login for Windows, I figure it must be available on Ubuntu somehow, right? Does anyone have a tip for me?
Edit: To give some context to the valid point made below that this setup wouldn't increase security, and as a matter of fact would lower it: yes, I know, very true indeed. However, in my case I work mostly from my own (secured) home, but am a stickler for very complicated passwords. It slows me down to have to enter a very long password each time my laptop idles too long, so when I'm at home I'd like to be able to use just the key, and if I'm away, leave the key at home and just use a password.
Edit2: Thanks to hackerb9's answer and running through the Yubico install steps again, I got it to work. Essentially all I did differently was to add auth sufficient pam_u2f.so to both /etc/pam.d/gdm-password and /etc/pam.d/sudo instead of @include common-u2f (which would result in auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue). So essentially just removing authfile=/etc/u2f_mappings cue did the trick. I'm not 100% sure but I think this is due to a 'setup conflict' as I set up the key before attempting this.
The official Yubico guide only covers enabling it for GDM login, how can I enable it for all logins including TTY, ssh, sudo, etc?