fixes for yubikey

bootstrap.sh

@@ -4,7 +4,7 @@ DOTS_BRANCH="main"
 STOW_DIR=".local/share/stow"
 DOTS_PACKAGE="dots"
 
-USER_GROUPS="wheel" # Comma separated list
+USER_GROUPS="wheel,plugdev" # Comma separated list
 SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
 
 BOLD="$(tput bold)"
@@ -192,9 +192,9 @@ install_dotfiles() {
 enable_services() {
 	tput sc
 	info "Installing user service service..."
-	target="/etc/sv/runsvdir-${username}/run"
+	target="/etc/sv/runsvdir-${username}"
 	mkdir -p "$(dirname "$target")"
-	sed "s/<U>/$username/" "${SCRIPT_DIR}/userservice.sh" >"$target"
+	sed "s/<U>/$username/" "${SCRIPT_DIR}/userservice.sh" >"$target/run"
 	[ ! -L "/var/service/$(basename "$target")" ] &&
 		ln -s "$target" "/var/service/"
 	chmod 755 "$target"

files/etc/udev/rules.d/69-yubikey.rules

@@ -0,0 +1,10 @@
+ACTION!="add|change", GOTO="yubico_end"
+
+# Udev rules for letting the console user access the Yubikey USB
+# device node, needed for challenge/response to work correctly.
+
+# Yubico Yubikey II
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0404|0405|0407|0410",
+    ENV{ID_SECURITY_TOKEN}="1"
+
+LABEL="yubico_end"

files/etc/udev/rules.d/70-u2f.rules

@@ -0,0 +1,89 @@
+# Copyright (C) 2013-2015 Yubico AB
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+# this udev file should be used with udev 188 and newer
+ACTION!="add|change", GOTO="u2f_end"
+
+# Yubico YubiKey
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0121|0200|0402|0403|0404|0406|0407|0410", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Happlink (formerly Plug-Up) Security KEY
+ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Neowave Keydo and Keydo AES
+ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# HyperSecu HyperFIDO
+ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Feitian ePass FIDO, BioPass FIDO2
+ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d|0866|0867", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# JaCarta U2F
+ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101|0501", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# U2F Zero
+ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# VASCO SecureClick
+ATTRS{idVendor}=="1a44", ATTRS{idProduct}=="00bb", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Bluink Key
+ATTRS{idVendor}=="2abe", ATTRS{idProduct}=="1002", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Thetis Key
+ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Nitrokey FIDO U2F, Nitrokey FIDO2, Safetech SafeKey
+ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287|42b1|42b3", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Google Titan U2F
+ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Tomu board + chopstx U2F + SoloKeys
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# SoloKeys
+ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Trezor
+ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Infineon FIDO
+ATTRS{idVendor}=="058b", ATTRS{idProduct}=="022d", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Ledger Blue, Nano S and Nano X
+ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0001|0004|0005|0015|1005|1015|4005|4015", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Kensington VeriMark
+ATTRS{idVendor}=="06cb", ATTRS{idProduct}=="0088", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# Longmai mFIDO
+ATTRS{idVendor}=="4c4d", ATTRS{idProduct}=="f703", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# eWBM FIDO2 - Goldengate 310, 320, 500, 450
+ATTRS{idVendor}=="311f", ATTRS{idProduct}=="4a1a|4c2a|5c2f|f47c", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# OnlyKey (FIDO2 / U2F)
+ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# GoTrust Idem Key
+ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="f143", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+# ellipticSecure MIRKey
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ac", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+LABEL="u2f_end"

files/etc/udev/rules.d/70-yubikey.rules

@@ -0,0 +1,8 @@
+
+# Udev rules for letting the console user access the Yubikey USB
+# device node, needed for challenge/response to work correctly.
+
+ACTION=="add|change", SUBSYSTEM=="usb",
+  ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0404|0405|0407|0410", \
+  TEST=="/var/run/ConsoleKit/database", \
+  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

packages.txt

@@ -63,3 +63,6 @@ syncthing
 blueman
 bluez
 libspa-bluetooth
+gnome-keyring
+gnupg2-scdaemon
+yubikey-manager

services.txt

@@ -4,3 +4,4 @@ NetworkManager
 elogind
 crond
 bluetoothd
+pcscd