Where the fuck do I even start?? :D

Alright alright.

Searching google… .-.-..__ Yubikey setup ⏎

…… yubico(dot)com(slash)somethingsomethingblahblah _________ We have an OTP thing in the Cloud thing.

me: neiiiiiiiigggghhhh, not the cloud…. :()

alright <snaps/cracks knuckles>____ : NixOS Yubikey ⏎

I was a bit lost on where to start and needed a good push. Went ahead and dived into how I would do it in NixOS, hoping that would help me in oiling up and getting into gear.

First things first

From my quick search and face-bumping-into-wall, hardware token devices and the FIDO2 and U2F protocols seem to be well supported in the Linux ecosystem. systemd already bundles the correct HID (Human Interface Device) udev rules for Yubikeys and some other FIDO2-compliant devices on the market. GnuPG and OpenSSH also integrate these tiny hardened devices into their workflows.

So, fortunately, there wasn’t much deep tinkering needed to get login and sudo working.

Following the NixOS Wiki entry gave me a good starting point for the configuration and also what to look for when and if I run into trouble. Although I currently don’t use GnuPG that much, only for signing some git commits, I intend to start using it more. So, reading the warning: “Please note that the PCSC-Lite daemon sometimes conflicts with gpg-agent.” I wanted to investigate the reason behind it, and how to work around or fix the problem.

OTP (One-Time Password) Support

The suggestion is to install the yubioath-flutter package.

Key Generation in a Safe Environment

Not going to generate any new keys for now, but if I do, I will try to remember to try this out. Also not too worried for now; I want to get past the first hurdles of getting this thing working. As mentioned here: https://nixos.wiki/wiki/Yubikey#Key_generation, there is a Nix expression to create a NixOS live image with all the necessary packages for the Yubikey setup. Oh and, then, we don’t need internet access while generating the keys and can trust that there will be no leaks.

Problems with GnuPG and pcscd (considering it fixed for now)

From what I understood, they both compete for the same thing: each runs a service that wants to access smartcard(-featured) devices, and the Yubikey is one of those.

GnuPG uses scdaemon for its smartcard access, and pcscd is in itself the PC/SC daemon. Awesomely, there is a way to tell GnuPG’s scdaemon to switch off its own built-in CCID driver and instead (I think) go through pcscd. All we have to do is set disable-ccid in the GnuPG daemon settings.

Because I am using NixOS, I first had to see where (and if) the available options let me configure this. And badabim badabum…:

programs.gnupg.agent.settings = {
  disable-ccid = true;
  reader-port = "Yubico Yubi";
};

The final configuration of GnuPG is:

programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
  settings = {
    disable-ccid = true;
    reader-port = "Yubico Yubi";
  };
};

Then I also found this entry on the Arch Wiki:

“Because gpg (scdaemon) tries to acquire exclusive access to the Yubikey, it needs to be configured to use pcsc and use shared access.”

By adding disable-ccid and pcsc-shared to the GnuPG daemon settings we hopefully get this issue fixed and out of the way.
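Putting the pieces together, here is an added example of my own (not from the post or the NixOS wiki) of a NixOS fragment that enables pcscd and hands scdaemon the three options discussed above. It assumes a system-wide /etc/gnupg/scdaemon.conf is the right home for them, since they are scdaemon options; the post passes them through programs.gnupg.agent.settings instead, so use whichever works on your setup.

```nix
{ pkgs, ... }:
{
  # The PC/SC daemon that yubioath-flutter and other smartcard clients talk to.
  services.pcscd.enable = true;

  # gpg-agent itself, with SSH support as in the post.
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # Options for scdaemon (GnuPG's smartcard daemon), written to a
  # system-wide scdaemon.conf (assumption: scdaemon reads /etc/gnupg/scdaemon.conf).
  environment.etc."gnupg/scdaemon.conf".text = ''
    # Do not use scdaemon's built-in CCID USB driver; go through pcscd instead.
    disable-ccid
    # Open the card in PC/SC shared mode so other pcscd clients can use it too.
    pcsc-shared
    # Pick the Yubikey reader by (partial) name, as in the post.
    reader-port Yubico Yubi
  '';

  # The OTP/OATH client suggested in the post.
  environment.systemPackages = [ pkgs.yubioath-flutter ];
}
```

After a rebuild, `gpg --card-status` and yubioath-flutter should both see the key without one of them getting "card not present" or a busy device.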