Security and Safety

There’s something on my mind that’s been going on for a while. Well, another something going on in y mind.
And it’s about security and/or safety and how those concepts are used today. Or how they’ve been twisted. So, let’s start with what I mean by those terms. They’re often used as synonym for each other, but I keep thinking that they’re not meant to be.

Security, as I see it – at least in the uncountable use – is a concept related to peace of mind (even the latin form securitas is about peace of mind). It means it’s something you do not have to pay attention because it cannot hurt you. I think it’s linked to avoiding accident and incident, to put the potential cause of accident away. That’s the reason we have more and more automated features in cars, like ABS or ESC, who tries to manage traction for you to not care about traction loss (and control loss). They’re meant to avoid accident. Or to significantly reduce your exposure to the risk of an accident. Those are called securities for a reason, they make you able to feel secure while you drive half a ton of metal and plastic at high speed along other people doing the same thing while hopping no-one will fail to avoid collision with each others.
Peace of mind requires to reduce or negates the perceived risks to work. You must been aware that you were exposed to risk and then to be aware of something which allow you to think that perceived risk has been acted upon and that you’re now able to stop being worried about it. Feeling secure is something deeply rooted in most of animals, it meant to have certainty about the fact that you can eat, drink, and not being killed by something while your asleep. It means taking step to ensure that you’ll have that tomorrow, and the day after that, and the day after that, until your death.
Security is being addressed in our communities by laws and regulations. Whether they’re explicit or implicit doesn’t really matters. They’re made to ensure that, at the end of the day, all member of the community can stop thinking about the daily threats they’re facing daily. Security implies rules which purpose is to control behaviors that the community perceive as an existential risk, it also implies active measure to protect one self from them which leads to either individual arming themselves to defend themselves, or giving this power to a group of people devoted to maintain security and to control behavior. And this group of people must display that the rules are enforced, because if they’re not, then they’re not devices for peace of mind. To elaborate more on this, there’s whole segment of philosophy dedicated to it (Foucault’s “Surveiller et punir” being one of them, but 1984 by Orwell or Best of Worlds by Huxley do address this).

Safety is, on the other end, everything that exist to reduce harm done. It’s the plan B, it’s what happens when shit finally hit the fan. To stay on the car analogy, safety are safety belts and airbags. They exists only because there’s a risk of accident that have not been nullified by security measures (laws and regulations). And that is why self-driving cars is such a hard problem to solve, because you can’t have a null risk’s probability.
Safety is what allows Security measures to fail without doing much harm to everyone. It’s not really peace of mind systems, because they only exists because you’re exposed to a risk. When you put a helmet on before riding through whatever traffic with your bike, you become aware of the risks you take, and you try to reduce the harm you’ll suffer when someone you’ll eventually be thrown on the ground in the middle of a street because someone didn’t looked before opening their car door. Safety is knowing that if someone enter your house while you’re in it, you’ll have a place and space to recover and people to provides you what you’re missing.
Safety is not about control of behavior, it is about caring for others. Is is not peace of mind but it is acknowledging that you cannot achieve perfect security, and that you need to accept some harm. It is about recovering, learning, growing up.

Why do I talk about this? Because I hear a lot about (cyber)security, and not about (cyber)safety. Security being about perceived risk, and applying behavior control in a way that will be perceived as a reduction of this risk, leads to the current regime of mass-surveillance we live under.
I’ve red a Story about Jessica a while back. And I think it address the fact that we do not have (cyber)safety, that the infosec community have no clue about safety and what it means. The security focused industry means more surveillance (logging) and behavior control (don’t click on links, upgrade, choose a stronger password, don’t publish your key, and many of the do and don’t prevalent in the infosec community).
In computer science, the safety of the software an entity have to manage is, however, quite pregnant. You’ll have backup of the data, backups of the infrastructure, disaster recovery plans, etc. But this is only about the safety of the software. It is not about safety of users or the people who maintain it. If you cannot achieve software security for your company, you’ll probably end up fired at some point. All the on-calls procedures are just means of maintaining a software in a safe state (alive and running, or at least partly running after a crash).
However, users of the software are not protected by those technical safety solution. What will happens when users data will be leaked? What steps are you taking to reduce the arm being done to them? You must be able to answer this question. It could be providing legal counseling, or collaborating with law enforcement (not that I’m a big fan of cops). It could be being proactive and warn them as soon as you find out something bad happened to their data, and try to provide them assistance in recovering access to your software for instance.

Holistic security goes a deep further into control. It is based on the fact that achieving full security requires you to have a specific mindset, and that you must take care of you in order to achieve security. I find it interesting to link way of life to exposure to perceived risks. If you sleep well, you’ll be better at security. Too bad you suffer from depression and insomnia, meaning your last good night sleep was ten days ago, and it was drug induced. Holistic security tends to be, form my point of view, ableist. If you’re not emotionally, physically and socially fit, you can’t hope for security. You cannot get your mind of all the stuff that’s forbidding you to achieve security. It is, in the long run, blaming the victim. You didn’t took care of you, ergo your security has been breached.
I’m not saying that we must get rid of security. It is important to reduce risk exposure. But it has a cost: surveillance and behavior control. I’m saying that we must focus more on safety, on what happens when the cops gt you during a protest with your unlocked phone (or they unlock it using your face). What harm will you be facing when someone is black mailing you over the nudes you got in your Direct Message – or stored on your computer.
This is the question asked in the stroy about Jessica. And I didn’t find a lot of answer since this been published. Facebook tries to help with revenge porn, and there’s a lot of things being done here (go have a look at what BADASSis doing for instance. And this is an issue where technology can’t save you (it is, again, something that provide surveillance and control behavior). Safety means there’s something to take care of people and to help them to recover. It means about caring about people (not software, their just maths, they can’t be in pain), it means trying to make everyone life better (and not easier). For instance, Code of Conducts are security measures. And they’re important because they allow people coming to your community to know that they’re not at risks. Until you do not enforce your own Code of Conduct for instance.
Having a post-harassment process to help the victims, and the harasser (yes, I mean that), to understand what happened, to document it, and to provide support for the victim is safety. That is what safe space should be about. Not space where you won’t be hurt, but space where, when it happens, you’re allowed to take less harm than if you were alone. It is also a space where you’ll be told something you’ve done did hurt someone – not that you broke a rule. It is a space where people will address your behavior and helps you to stop it, not by expelling you, but by a process. It can mean that, for sometime, you cannot come in certain places. It depends on how your community provides safety.

Safety is feeling welcome, feeling belonging to something, knowing that you can make mistakes, own them, and grow out of them. It is not something you can code in your software and, in fact, a lot of the time, your software works against safety.
If your data collection algorithm can be used by cops to identify perpetrators of a crime, it can also allow anti-gay bigots to identify gay people in their surrounding. It can be used by an abusive husband to identify where’s the woman he lived with as fled. It can be used by adults to expose teenagers sexting each others. It can be used to locate where a camgirl lives to stalk her.

And what’s the perceived risks you’re collection of data is protecting users against? You have to wonder if people can conduct drug traffic or do sex wok using your software, and if, by using your data collecting software, they put themselves at risk if you cooperate with cops. Security, in this case, would be to not use your data collecting software. If you value the possibility for law enforcement community to identify sex workers more than you value their safety, it means that you’ve got a political motivation for keeping several years of activity logs.

Keeping data about people is collaborating with cops, harassers and stalkers. It is not about safety of your users, it is about security and control. If you want to do cyberSafety, then it must be impossible for cops to identify anyone with the data you got. It means that you must not be able to identify formally your users. It also means that you must not do ad tracking. It means that the well being of your users is important for you, whatever they do in their life, whoever they are.
Stop logging, start caring.

I’m tired of this shit

[[!meta description="""I’m getting really tired and bored about those crypto nerds who do not understand threat models, general public and who assume they

Shooting the ambulance

It seems that there’s a national sport among crypto nerds, and it’s shooting the ambulance. Yeah, I know, I’ve been kind of naive thinking that some people with common sense could be more vocable than the people who enjoy ranting on stuff, saying that this is shit, and that only them know the truth.

I’m speaking specifically about the own mailbox project and the torrent of flame and more or less accurate accusation it received from @aeris in this three posts. I also like to point out that the answers provided by the Own Mailbox team doesn’t makes them right. There are issues with the project, but I do not think it’s a reason for burning them alive, but instead would have been interesting to help them to improve.

This is something aeris have an issue with – I already pointed that out in the way Crypto Parties are ran around here in Paris.

The point he’s missing in those articles is – as always – what is the threat model own mailbox tries to solve; as well as mixing up a lot of things (blaming a mail server for the insecurity of TLS or for the possibility of MitM attack is … out of scope).

So, let’s try to think about that.

Everything is broken

First, as Quinn Norton once wrote, if you pretend to work in the security and tries to improve the safety of people, you have to acknowledge that: Everything is brooken. It basically states that there’s no way to have a secure system. It does not exists, it will not exists any time soon.

If you look at a project like own mailbox, where you will display decrypted text on an end-point – because if you’re not you’re either using bad crypto or no-one is actually reading the content.

Eventually, you’ll have decoded data – sensitive data – displayed and stored at least in memory of a computer. A computer which is flawed by malware, spyware, adware and other nasty things. Whatever your crypto level is, even if you have a fully patched computer with as few software as you need, you’ll probably have some 0-day active that a motivated attackers can exploit to get access to this memory.

It means that, with a sufficient amount of time and of motivation, someone else than the emitter and recipient of the message would be able to get their hands on your data, for the simple reason that – at some point – you need to read it.

And if you have a bullet-proof mailbox – which is the promises made by own mailbox – well, it’s way much easier to target the end-node and to read the mails at the same time as the user.

After all, Hacking Team was doing basically exactly that. And there’s no reason to believe that they were the only one to do that.

And no, free software will not save you there, with so many attacks on web browser, or PDF, it’s not enough to run free software on your computer. One way to solve this issue is to use an air gap computer, a computer that have never been and never will be connected to a network of a kind. It means you need to burn your mails on a CDRom or a DVDROm and to check them onto the airgap system.

And this is something you cannot do with the general public. Because maintaining such a computer – set asides the financial costs – requires time. Like at least one hour a day. Every day. And to get a good understanding at how the computer works. Which is something a lot of people – because they do not want to or because they cannot to – won’t do.

Also, assuming that the average computer/smartphone/tablet/whatever security is higher than the one of a small brick that cannot be easily improved and extended is a hell of a mistake. Key generation whould only be done on airgap computer with hardware random number generator if you want to have really secure keys – and stored on a read-only devices.

Never forget Jessica

This is the second most important error done I think. We forget about Jessica. Specifically we make two mistakes. The first one, that everyone is willing to spend a lot of time figuring out their safety and to protect themselves and their relatives against a theoretical threat.

Let’s stand back a little bit. We already have hard time to have people using simple means to protect themselves against a real threat like AIDS, syphilis or other STI – use condoms people. Seriously – how would we have them protect themselves against philosophical and political threats?

Especially if we expect them to understand things that could take some months or years to get by? What is the point of full-encrypted mail? What means end-to-end? What’s the NSA/GCHQ/insert-your-own-agency-here doing exactly? And why they’re doing it? They’re trying to protect us, of course. Against terrorism. That’s what they said.

If you want user to actively use crypto, you need them to not think about using it. And if you focus only on the technical issue, you’re missing the point that it’s a political one. Because if your government wants to spy on you, they will sub-contract a hacking team like, and you’ll be screwed.

This is what – I think – aeris is missing. The people who’ll actually get the own-mailbox are people who already understand why they need to protect themselves (yay, there’s actually some of them out there), but who can’t afford to host themselves another way – essentially by a lack of time and of skills.

People who will get these kind of devices are not the hard core activists who tries to avoid cops enter their house to seize computer look-a-like devices. Because, in this situation, hosting your mail in your office is useless at best, dangerous at worst.

So, most of the people who will use this kind of device or services aren’t really people at risk of being sent in jail because they sent an email. They’re probably the one who will use it as a nice gadget, on a side.

This kind of devices have no chance to ever be used in life or death situation. And even if they were, crypto won’t protect you from bullets.

Also, everyone seems to think actual people uses email. They’re not. Less and less. We’re using Facebook messenger, twitter DM, GMail (which is less and less compatible with third-party clients), WhatsApp, SnapChat, SMS, etc …

I’m not saying that it’s a good thing. I’m trying to understand who are the people who’re gonna use this. And it won’t be the social-media addict who only uses a Mac and GMail, it won’t be the Uber Nerd who uses only mutt and altern.org emails, nor will it be company – because they can’t handle the load on those devices.

It won’t neither be the poorest people who do not have access to a correct enough ADSL line. So it will be people who already understand what it means to being watch and wants to add a little bit more security on their devices.

The thing is, we won’t get everyone doing key management the perfect way for – at least – two reasons. The first one being that no one know what is perfect key management. The second one being that even the crypto nerds fails at it on a regular basis.

So this is it.

I really think that own-mailbox commercial team have an issue. Their answer is out of scope. There is some issues to be addressed. The funnier one is pretending that needing JavaScript for a webmail client would be a security issue … it will be if you’re living in a place where there is MitM interception on the line + a way to tamper with TLS. Which is typically the case where you do not want to have a box with all your emails in your houses.

But going after them, saying that the devices is blatantly flawed without even having one at hand in the first place is kind of stupid and counter productive. There’s an issue around the terms used (100% secure is always false), but I believe that – since it’s a free software project – aeris could have, at least, open bugs or ticket. I did not find a repo for own-mailbox though – didn’t look for it hard neither.

But aeris choose to get out for blood. Yes, this porject is far from perfect, but it’s still a plus, and if it gets some people to use more opportunistic crypto, then it’s fine enough for me.

aeris, you really should understand that no, no one can use the tools you’re using as part of their regular routine. And in most case it’s not even a

GMX, Security and Privacy.

[[!meta description="""Yet another story about why you need to hide things from the rest of the world, and why commercial company can’t help you with

Once upon a time

I have this friend – Milou. She’s going to be a good journalist, and she worked a lot for NGOs during her studies. Hence she travelled a lot. As a NGO worker and apprentice journalists, she travelled in … hmmm … interesting places, and a country in particular – let’s call it Zoukinistan.

You’ve probably heard about Zoukinistan, it’s one of these countries the US – and part of EU – are at war with, and where those almighty democracies^Wpowers tried to create a Democracy they own.

So, this woman was going there, doing a job of getting in touch with local activists, reporting human right violations, doing journalisms, stuff like that. And she met there a lot of interesting people.

Not all these people are on the side our governments are comfortable dealing with. Not necessarily warlords or fundamentalists either. They probably just don’t want any more foreign interferences in their country. Yeah, the ones governments probably call terrorists. Or enemies. Or just those who want to expose corruption of their US backed government.

So, as a journalist, she maintains contact with those. No one knows when the next things to expose will blow up. And since she’s quite aware of all the NSA doing nasty things on US hosted servers – essentially trying to graph people in contact with this kind of activists – she goes for a non-US based email provider, and a free one.

And then GMX entered the dance.

Since Milou knows me, and since I worked a bit with her, she uses Tor, OTR, and free softwares. And I think she understands why it’s needed, and why she needs to protect her sources.

So, she created an account on https://gmx.com and used the webmail using Tor, naively thinking GMX – being a German company – would protect her communications.

It appears that GMX is part of United Internet, a German holding which also owns 1&1 and mail.com. And they own 7 datacenters in the EU and the US according to their about page. So they have data on US soil, under the Patriot Act – and you definitely don’t want to have data there if you try to protect sources from US Gov. But nothing says that the former French Caramail they bought and became part of gmx.com is hosted there – in fact, and for strict latency reasons, I think they’ll leave it in EU soil, just to have good performances.

Anyway, let’s put those considerations aside for now.

So, Milou and her friend exchange emails using GMX. I’ll skip the fact https is not enabled by default. Or that they implemented it quite late between servers – after all, Google did it only after NSA had leaked a nice post-it – it’s not really that important since, after all, all emails are probably stored in clear text on a corporation server.

However, Germany, home nation of GMX, is involved in military and security mission in Zoukinistan. We also now that NSA did infiltrate German Internet companies and that the German secrete services do cooperate with NSA.

And then the Milou’s GMX account has been closed for security reasons. Since the IT support doesn’t provide any details and that I could not find anywhere on the net anything related to closing of the accounts if used via Tor – even if they made it hard for anyone to do so – and given the lack of security on their side, I think that it must be read as national security reasons.

My guess is that GMX has been required to terminate this account because it represented a threat to national security.

The interesting part would be to know which nation asked for it. Could be France (Caramail which became GMX.com was French after all), US since they would not like my friend to chat with a terrorist or the German wanting the same thing.

I don’t know. Hard to find evidence when the tech people in the company refuse to provide any. And that’s weird. They could have pretended some unusual traffic came from Milou’s computer – unusual meaning in this case via Tor and Ubuntu – or that they detected some attack and the account had to be terminated, or anything else.

But no, they just "can’t answer", won’t provide any email backup, nor even any support. I don’t like drawing conclusions without facts, but it really seems like someone read those emails and have GMX close this specific account.

Yubikey required at boot

Update (02/11/2012) I added the ‘ask a passphrase’ functionnality in the hook.

Intro

As you might already know, I have a yubikey I use as an authentication token. Without it, I cannot log on my computer as a normal user.

But I wanted to do more than that. Like, blocking the boot if the key is not present, unmounting encrypted drive by removing the key, etc.

In this post, I’ll show you how I’ve tweaked my initrd system to stop booting if I haven’t plugged in the key. I’m using the basic kernel from arch linux, and the mkinitcpio system that is shipped in this distribution.

However, the scripts mught be easy to port to a different one.

Writing hooks

I needed a new hook for that. This hook will be responsible of embedding the necessary binaries and modules, and to run them at boot.

The Arch wiki has a page about writing some custom hooks. It just need two non-executable scripts. The neat thing is that those script will embedd all required dependencies when creating the image.

So, use your editor of choice and create the first file /usr/lib/initcpio/hooks/yubikey and paste this content in it:

\#!/bin/bash  \# Use y2kchalresp to test if the yubikey is present run\_hook() {     local CHAL YCHAL PASS TRIES OK     msg ":: Loading necessary modules for yubikey..."     /sbin/modprobe hid\_generic      sleep 2

First, we need to load the required modules. dmesg tolds me that this is the module hid_generic (quite expectable since the key actually is a usb keyboard). I need to sleep a little bit, to give time to the USB bus to detect the key. In case your system doesn’t detect the key, you might need to increase it.

    TRIES=0     OK="KO"     CHAL="thechallengeresult"     while [ $TRIES -lt 3 ]     do         read -p "Enter your yubikey passphrase: " -s PASS         YCHAL=$(ykchalresp -2 "$PASS")

This is the crypto part of it. CHAL contains the expected result challenge (that is the result of the command runned in YCHAL), the PASS is the challenge submitted to the key and YCHAL is the command sent to the key to have an answer from it.

We also start a loop to grants you the ability to mistype your password. The call to read with the -s flag is used to define a passphrase and to not display what you’re typing.

        if [ "$CHAL" != "$YCHAL" ]         then             err "Challenge Response with yubikey failed"             ((TRIES += 1))         else             msg "Challenge Response with yubikey correct"             OK="OK"             break         fi     if [ "$OK" != "OK ]     then         exit 1     fi }

If everything is ok, CHAL and YCHAL are equals, and you can process to the end of the boot. Else, you increment TRIEs, and you loop. If tries is greater or equal to 3, then you end the loop.

At the end of the loop, if OK doesn’t contain OK, then exit, else continue the normal boot process.

The second needed file require by mkinitcpio, in the /usr/lib/initcpio/install/yubikey script.

#!/bin/bash  build() {     add_module hid_generic     add_binary /usr/bin/ykchalresp     add_runscript }

The build function is called to pack everything in the initrd. We need a module and a binary, so we add them here. And then the add_runscript function tells mkinitcpio that there is a script in hooks/yubikey to be included.

help() { cat <<HELPEOF     This hook tries to lock the computer at boot if no yubikey is inserted HELPEOF }

The help function just display a message when you want to know what this hook is about.

Then, just add the yubikey hook in your HOOKS array, edit /etc/mkinitcpio.conf and add it after the usbinput things.

And rebuild the initrd.

mkinitcpio -p linux

And now, on boot, you will need your yubikey plugged in.

Yubico, PAM, and Challenge/response Authentication

Introducing the yubikey

The yubikey is a small device that act as a token generator for authentication system. Yubico build them and, as they’re seen as a Universal Keyboard, they can be easily interfaced with any kind of system.

From generating OATH token, to One Time Password systems, going by Radius and OpenVPN server authentication, they can be used for a lot of funny things and, among other thing, it’s free software (not free hardware, alas). The token is at $25 and you can order them by huge quantities.

Simply put, it’s a good token for it’s price and, given my threat model (my computer being stolen) it is enough.

So, some disclaimers.

  • I have no interest in the yubico company or any of their software.
  • You can end permanently locked out of your stuff if you lose your key and if it’s the only way you have to login. But, it’s what I’m looking to achieve.
  • I am not a security expert. I haven’t notice any obvious security flaw, that does not mean there is not. However, the yubikey seems to do the job.
  • I use Archlinux, and the AUR. You’ll have to adapt things for your distro, but you’re a grown up now, it should not be a problem.
  • The challenge-response mode described here, is only available on Yubikey 2.2 and later.

What are we going to do

The first thing I wanted, was to lock my computer when the key is away. The simple thing is to launch a xlock on running X servers. It’s far from perfect, but if I can do this, I can do more.

The second thing I wanted was to be able to forbid login to people who lack either the key or my user password, a classic Two-factor authentication. But I wanted to do that offline, and without using the static key configuration of the yubikey.

But first, I need some packages, so let’s do some yaourt.

[okhin@tara.sunnydale]$ yaourt -Sy libyubikey pam_yubico ykclient ykpers

The first and second packages, are needed for pam, the last ones are needed for using your key. It seems that some tweaking may be necessary in the PKGBUILD file of pam_yubico. I have change the –with-pam-dir options of the configure invocation to be /usr/lib/security and I added _CFLAGS=-DHAVE_LIBYKPERS1 to the make invocations.

 Configuring udev

So, first thing to do for xlocking everything when removing the YubiKey is to add some udev rules. On my Arch system, they’re located into /usr/lib/udev/rules.d and it’s recommended to use a low priority one, so let’s edit the 99-yubi.rules file in this dir. I just need to rules:

ATTRS{idVendor}=="1050",ATTRS{idProduct}=="0010",GROUP=yubi,MODE="0660" SUBSYSTEM=="usb",ACTION=="remove",ENV{ID_VENDOR}=="Yubico",RUN+="/usr/local/sbin/xlock-yubi"

The first one is a classic Udev rule, and you’ll need to create a group named yubi and to add users who’ll configure the key in this group.

The second one is a bit tricky. The yubikey is detected by the system as 3 devices (on usb, one input and one hidraw), and, if you do not add the SUBSYSTEM part, you’ll have to go through 3 xlock screens before unlocking your device. It’s not that good.

The other weird part is that, when configuring or dealing with your yubikey, the tools scan for the key, and so remove the input/hidraw part of it in udev before adding them back. The subsystem that get disconnected only when you remove the key of your computer, is the usb SUBSYSTEM.

And, for the script, well, do whatever you want in it. It’s not the topic of this post, maybe later.

So, now, when you’re going to get your key out of a USB slot, it will call the script. At least, once you’ve reloaded the udev daemon:

[root@tara.sunnydale] # udevadm control --reload

There’s also a udevadm monitor command that is quite handy when debugging udev rules.

Set up the key

Ok, now, when you unplug any Yubico branded devices, you’re going to lock your screen. We’re going to move into the fun stuff now.

There’s a command for customizing your yubikey. You have to know that this key can handle two different configuration. I’ll use the second one, keeping the first one for other purposes yet to find.

So, let’s burn a new configuration for activating challenge-response:

[okhin@tara.sunnydale] $ ykpersonalize -2 -ochal-resp -ochal-hmac

It will ask you for a AES passphrase, I used one generated by the yubikey (by pushing the button), but feel free to use what you want. You won’t have to use it again, since the AES key will be stored on the yubikey and that no one will be able to read it anymore.

Next options, is to generate the pam configuration for the challenge, and we need a ~/.yubico dir for that. Protect the files inside this directory, for they contain the challenge.

[okhin@tara.sunnydale] $ mkdir ~/.yubico

And then, run this utility to configure the challenges that will be used by pam.

[okhin@tara.sunnydale] $ ykpamcfg -2 -A add_hmac_chalresp

You’ll have a file named challenge-KEYID in your ~/.yubico directory. It contains the file you need.

If, like me, you have an encrypted /home that is mounted using pam_mount at login, you cannot use this configuration. So, creates a world read-writable directory where you’ll store your challenges.

[root@tara.sunnydale] # mkdir /etc/yubico/challenges -p

And then, move your file in it, keeping a 0600 mask and the ownership correctly set-up (that is, only the user that will use this key should be able to read it). Replace the challenge part of the name by the username:

[okhin@tara.sunnydale] $ mv {~/.yubico/challenge,/etc/yubico/challenges/okhin}_KEYID

And now, we just have to play with pam.

I wanted to force users on my graphical login manager to have a key. And to enter their Unix passphrase (I use it to mount my encrypted /home) at prompt. Both conditions being required to get a login.

So, in my /etc/pam.d/slim file I’ve added this line just above the pam_unix module:

[...] auth    required    pam_yubico.so mode=challenge-response chalresp_path=/etc/yubico/challenges auth    required    pam_unix.so nullok [...]

If you want to consider that having the yubikey is the only necessary thing, then change the required by sufficient. You have to know that no password will be asked for. As soon as the yubikey is plugged into your computer, knowing your login name is enough to get access to a session, and it is a security risk.

Relaunch your session-manager and window-manager, plug your key inside your computer, and login. It will asks for your username and password, as usual. However, if you haven’t got your key plugged into your system, then you’ll be unable to login.

Congratulations, you’re done. Try to keep a way to still log into your system, in case you lose your key.

You can also have different key for one user (just add new challenges file). And you can probably have one key for different user (didn’t test that).

What’s next?

I need to change my xlock script to log me out of the box, when the key is unplugged. I need to figure a way to use the yubikey challenge-response mode with system like luks or GPG.

Also, I’d like to use to remotely connect on VPN or SSH, but I need to look into those HowTos. If some of you wanna give it a shot, you know how to reach me.