This patch enables Yubikey authentication for the Ghaf gui-vm. We are doing Yubikey passthrough from ghaf-host to gui-vm. Currently, Yubikey authentication is supported with the screen locker (gtklock) and the sudo command in PAM sufficient mode, which means either the password or a tap on the device is enough for authentication.
Checklist for things done
[x] Summary of the proposed changes in the PR description
[x] More detailed description in the commit message(s)
[x] Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
[ ] PR linked to architecture documentation and requirement(s) (ticket id)
[x] Test procedure described (or includes tests). Select one or more:
[x] Tested on Lenovo X1 x86_64
[ ] Tested on Jetson Orin NX or AGX aarch64
[ ] Tested on Polarfire riscv64
[ ] Author has run nix flake check --accept-flake-config and it passes
[x] All automatic Github Action checks pass - see actions
[x] Author has added reviewers and removed PR draft status
Testing
Prerequisite:
1) Yubikey hardware, more details here
2) Generate the Yubikey public key using the following command:
pamu2fcfg -u ghaf -o pam://gui-vm
3) Make sure you have the Yubikey public key added here (example)
Now plug the Yubikey hardware into the Ghaf system.
To verify that the Yubikey device is detected in gui-vm:
[ghaf@gui-vm:~]$ lsusb | grep YubiKey
Bus 003 Device 003: ID 1050:0407 Yubico YubiKey OTP+FIDO+CCID
To verify that the sudo command is working:
[ghaf@gui-vm:~]$ sudo su
Please touch the device.
[root@gui-vm:/home/ghaf]#
To verify that the screen lock is working:
1) Press Windows + l to lock the screen
2) Press Enter and tap on Yubikey device to unlock the system.
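The "sufficient" behaviour described in the PR, as an added example that is not part of the PR or of Ghaf's code: a simplified model of Linux-PAM auth control flags that shows which combinations of key tap and password authenticate when pam_u2f is `sufficient`, next to a stack where it is `required`. Both stacks and all function names are constructed for illustration; `optional` and bracketed control syntax are not modelled.

```python
# Simplified model of Linux-PAM 'auth' control flags (added example).
# Both stacks below are constructed; they are not Ghaf's generated PAM files.

def parse_stack(text):
    """Return [(control, module)] for every 'auth' line in a PAM config."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, outcomes):
    """Evaluate the stack; outcomes maps module name -> True if it succeeds."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:
                return True   # stop here: later modules are never run
        elif control in ("required", "requisite"):
            if ok:
                any_success = True
            else:
                required_failed = True
                if control == "requisite":
                    return False   # fail immediately
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return any_success and not required_failed

def truth_table(stack):
    """Map (key_tapped, password_ok) -> authentication result."""
    return {(k, p): authenticate(stack, {"pam_u2f.so": k, "pam_unix.so": p})
            for k in (True, False) for p in (True, False)}

SUFFICIENT_STACK = parse_stack("""
auth sufficient pam_u2f.so cue origin=pam://gui-vm
auth required   pam_unix.so
""")
REQUIRED_STACK = parse_stack("""
auth required pam_u2f.so cue origin=pam://gui-vm
auth required pam_unix.so
""")

if __name__ == "__main__":
    for name, stack in (("sufficient", SUFFICIENT_STACK), ("required", REQUIRED_STACK)):
        print(name, truth_table(stack))
```

With the `sufficient` stack a tap alone authenticates and the password module is never reached; with the `required` stack only tap plus password authenticates.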