yubikey

Enhancing KeePassXC with YubiKey on Ubuntu: Enabling the Raw-USB Interface

12 March 2024 in GNU/Linux tagged bash / GNU/Linux / raw-usb / snap / ubuntu / usb / yubikey by Tux

In digital security, combining hardware-based authentication devices like YubiKey with robust password management solutions such as KeePassXC represents a gold standard. YubiKey provides a physical, secure element for two-factor authentication, significantly enhancing security over traditional password-only systems. KeePassXC, a free and open-source password manager, allows users to manage their passwords securely. However, when running KeePassXC as a Snap package on Ubuntu, users may encounter an unexpected hurdle due to Snap’s inherent security and isolation features. This post aims to guide you through enabling your YubiKey hardware to work seamlessly with KeePassXC installed via Snap by manually allowing the raw-usb to interface.

Understanding the Challenge

Snap, a package management and deployment system developed by Canonical, allows for the consistent, secure distribution and installation of applications across different Linux distributions. Snap packages are containerized to ensure isolation from the rest of the system, enhancing security by restricting the application’s access to the host system’s resources and hardware interfaces.

While these isolation features benefit security, they can also impose limitations. Specifically, for KeePassXC users wishing to utilize a YubiKey for added security, Snap’s default restrictions prevent the application from accessing the USB hardware directly. This is where the raw-usb interface comes into play.

The `raw-usb` Interface

The raw-usb interface in Snap allows a snap-packaged application to communicate with USB hardware directly, bypassing the usual restrictions. By enabling this interface for KeePassXC, the application can interact with your YubiKey, utilizing it for secure two-factor authentication.

Step-by-Step Guide to Enabling the `raw-usb` Interface

Open Your Terminal: First, access your terminal. You can do this by pressing Ctrl + Alt + T on your keyboard or searching for “Terminal” in your applications menu.
Execute the Command: In the terminal, type the following command:

 sudo snap connect "keepassxc:raw-usb" "core:raw-usb"

This command instructs your system to enable the raw-usb interface specifically for KeePassXC. Here’s a breakdown of the command:

sudo: This prefix grants administrative (superuser) permissions for the operation, which is necessary for modifying system-wide settings.
snap connect: This is the command to link a Snap package to a specific interface.
"keepassxc:raw-usb": Specifies the KeePassXC snap package and the raw-usb interface within it.
"core:raw-usb": Refers to the raw-usb interface the core Snap provides, which grants access to USB devices.

Enter Your Password: After entering the command, you’ll be prompted to enter your password. This is the password you use to log in to your Ubuntu account. Since you’re executing a command with sudo, your password is required to confirm that you have the necessary permissions to make system-level changes.
Confirmation: If successful, you won’t see a detailed message; the lack of error messages typically indicates that the operation was successful. You’ve now enabled KeePassXC to access USB devices directly.

Testing the Configuration

After enabling the raw-usb interface, launch KeePassXC and attempt to use your YubiKey as part of your two-factor authentication setup. If everything is configured correctly, KeePassXC should recognize your YubiKey without any issues.

Conclusion

The security of your digital life is paramount in an era where online threats are increasingly sophisticated. By integrating YubiKey with KeePassXC on Ubuntu, you significantly enhance your digital security posture. The process of enabling the raw-usb interface for KeePassXC, while a bit technical, is a small step with significant benefits for your security setup. It exemplifies the balance between security and usability, allowing you to leverage cutting-edge security hardware without compromising on the convenience and ease of use offered by modern Linux distributions and applications.

Ubuntu 22.04LTS forces the use of YubiKey on login without activating it.

31 October 2022 in GNU/Linux tagged bash / gdm / gdm-smartcard / GNU/Linux / log in / login / smartcard / ubuntu / update-alternatives / yubikey by Tux

We have a machine that uses a YubiKey to decrypt its hard drive on boot. Following the decryption, we would sometimes leave the YubiKey plugged into the machine. After upgrading from Ubuntu 20.04LTS to Ubuntu 22.04LTS, we noticed that the login screen of Ubuntu would not let us log in with the usual username and password. Still, it forced us to use the smartcard, which was never configured. To perform the login, we had to remove the YubiKey from the machine first. The following post uses a solution from the bug page below to mitigate this issue.

https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027

First, we used the following command to verify the available options:

sudo update-alternatives --config gdm-smartcard;

The results it produced were the following:

$ sudo update-alternatives --config gdm-smartcard
There are 3 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard).

  Selection    Path                                       Priority   Status
------------------------------------------------------------
* 0            /etc/pam.d/gdm-smartcard-sssd-exclusive     50        auto mode
  1            /etc/pam.d/gdm-smartcard-pkcs11-exclusive   30        manual mode
  2            /etc/pam.d/gdm-smartcard-sssd-exclusive     50        manual mode
  3            /etc/pam.d/gdm-smartcard-sssd-or-password   40        manual mode

As recommended by the comments in the bug report, we edited the file /var/lib/dpkg/alternatives/gdm-smartcard to add a new option and from this:

$ cat /var/lib/dpkg/alternatives/gdm-smartcard
auto
/etc/pam.d/gdm-smartcard

/etc/pam.d/gdm-smartcard-pkcs11-exclusive
30
/etc/pam.d/gdm-smartcard-sssd-exclusive
50
/etc/pam.d/gdm-smartcard-sssd-or-password
40
/etc/pam.d/gdm-password
60

We converted it to this:

$ cat /var/lib/dpkg/alternatives/gdm-smartcard
auto
/etc/pam.d/gdm-smartcard

/etc/pam.d/gdm-smartcard-pkcs11-exclusive
30
/etc/pam.d/gdm-smartcard-sssd-exclusive
50
/etc/pam.d/gdm-smartcard-sssd-or-password
40

The new line would give us the option to log in with a username and password, even though the smartcard was still plugged in.

To use the new line, we executed the following command again:

sudo update-alternatives --config gdm-smartcard;

and we selected the new option, number 4.

$ sudo update-alternatives --config gdm-smartcard
There are 4 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard).

  Selection    Path                                       Priority   Status
------------------------------------------------------------
  0            /etc/pam.d/gdm-password                     60        auto mode
  1            /etc/pam.d/gdm-smartcard-pkcs11-exclusive   30        manual mode
  2            /etc/pam.d/gdm-smartcard-sssd-exclusive     50        manual mode
  3            /etc/pam.d/gdm-smartcard-sssd-or-password   40        manual mode
  4            /etc/pam.d/gdm-password                     60        manual mode

Press <enter> to keep the current choice[*], or type selection number: 4
update-alternatives: using /etc/pam.d/gdm-password to provide /etc/pam.d/gdm-smartcard (gdm-smartcard) in manual mode

On reboot, we were able to log in using the username and password combination, even though the YubiKey was still plugged in.

Notes

A) After performing this change, we had to type in both the username and password.

B) In case you type something wrong the in the file /var/lib/dpkg/alternatives/gdm-smartcard , you will get an error when you try to execute the update command. You will get an error for not keeping an empty line at the end of the file as below:

$ sudo nano /var/lib/dpkg/alternatives/gdm-smartcard
$ sudo update-alternatives --config gdm-smartcard
update-alternatives: error: /var/lib/dpkg/alternatives/gdm-smartcard corrupt: unexpected end of file while trying to read master file

Compiling the latest version of YubiKey Personalization Tool on Ubuntu 18.04 LTS

24 June 2019 in GNU/Linux tagged 2FA / personalization tool / ubuntu / ykpersonalize / yubico / yubikey / yubikey-personalization-gui by Tux

Recently, we were got our hands on some YubiKeys, and we decided to use them to create a Two Factor Authentication System (2FA) for the fun of it! We had at our disposal an updated Ubuntu 18.04 LTS so we installed the personalization tools from the official repositories in order to modify the behavior and configure the YubiKeys.

To our disappointment, when we used ykpersonalize and yubikey-personalization-gui we would get an error that the firmware of the YubiKey was unknown…
At the time, the installation packages from the official Ubuntu repositories had version 3.1.24 for the application version and 1.18.0 for the library version.

We noticed that on the YubiKey Personalization Tools page there were newer versions of both the application and the library. Specifically at the time the Application version was 3.1.26 and the Library Version was 1.19.0. Since both were newer than the versions in the repositories we decided to build them and see if they work right with our YubiKeys.

The instructions in the respective installers, were not 100% complete and the installations failed by blindly following them. To actually make the installations work, we installed the following dependencies and tools before compiling:

sudo apt update -y;
sudo apt upgrade -y;
sudo apt install build-essential -y;
sudo apt-get install pkg-config git autoconf libtool asciidoc-base -y;

After installing the above packages the rest of the installation went smoothly.

Installing the command line tools and the library

cd ~; # or any other folder of your choice
sudo apt-get install libykpers-1-dev libyubikey-dev libusb-1.0-0-dev libjson-c-dev -y;
git clone https://github.com/Yubico/yubikey-personalization.git;
cd yubikey-personalization;
autoreconf --install;
./configure;
sudo make check install;

Installing the Qt based Cross-Platform YubiKey Personalization Tool

cd ~; # or any other folder of your choice
sudo apt-get install qt4-qmake libqt4-dev -y;
git clone https://github.com/Yubico/yubikey-personalization-gui.git;
cd yubikey-personalization-gui;
qmake && make;

Bytefreaks.net – a place for hacks

Bytefreaks.net – a place for hacks

yubikey

Enhancing KeePassXC with YubiKey on Ubuntu: Enabling the Raw-USB Interface

Understanding the Challenge

The `raw-usb` Interface

Step-by-Step Guide to Enabling the `raw-usb` Interface

Testing the Configuration

Conclusion

Compiling the latest version of YubiKey Personalization Tool on Ubuntu 18.04 LTS

Installing the command line tools and the library

Installing the Qt based Cross-Platform YubiKey Personalization Tool

Understanding the Challenge

The raw-usb Interface

Step-by-Step Guide to Enabling the raw-usb Interface

Testing the Configuration

Conclusion

Notes

Installing the command line tools and the library

Installing the Qt based Cross-Platform YubiKey Personalization Tool

The `raw-usb` Interface

Step-by-Step Guide to Enabling the `raw-usb` Interface