Require Librem Key for PureOS Login and Sudo


#1

Hello,

Can someone help me configure PureOS to require the Librem Key’s presence during login and sudo commands?

With a Yubikey, I’m able to require its presence for Ubuntu logins using Yubico’s instruction set: https://support.yubico.com/support/solutions/articles/15000011355-ubuntu-linux-login-guide-challenge-response

I’d like to replicate the above Yubikey/Ubuntu setup, but with Librem Key/PureOS.

Thanks.


#2

I didn’t try that, yet, but there is documentation around (look for Linux Login with PAM). This should work since the LibremKey is based on the Nitrokey Pro.

Maybe you can write about your use case and success here to keep the rest of us informed…


#3

ChriChri - thanks for the response.

As I’m attempting to follow the Poldi option in the Nitrokey instructions you’ve provided, I get stuck on the step where I dump my Librem Key public key into the Poldi local db by using the following command:

sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/" "SCD READKEY --advanced OPENPGP.3" /bye'

I’ve replaced with my Application ID from the Librem Key (using the “gpg --card-status | grep Application” command).

My terminal output is as follows:

gpg-connect-agent: no running gpg-agent - starting ‘/usr/bin/gpg-agent’
gpg-connect-agent: failed to create temporary file '/root/.gnupg/.#########: No such file or directory
gpg-connect-agent: can’t connect to the agent: No such file or directory
gpg-connect-agent: error sending standard options: No agent running

I wonder if there is a way to manually create this file in the Poldi local db, so that I can avoid running that above command. Based on the terminal output, is it clear to you what my current problem is?

Thank you.


#4

Did you check whether the directory /root/.gnupg/ exists?

root@system:~# ls -dla /root/.gnupg
drwx------ 3 root root 4096 Okt 13 21:43 /root/.gnupg

#5

Yes, the .gnupg directory does exist. I checked this by running the “sudo su” command, then “cd .gnupg”.

Do I first need to move the public key from my Librem Key to my computer’s gpg keyring? I’m not sure how to do this.


#6

You think so :wink:. If you do not want to become root by using sudo -i to try the command I pasted for you, you could also use

user@system:~$ sudo ls -dla /root/.gnupg
drwx------ 3 root root 4096 Okt 13 21:43 /root/.gnupg

By using sudo su you stay in the current directory of the unprivileged user (probably your home directory in your case).

user@system:~$ sudo su
root@PureBlackSoul:/home/user# pwd
/home/user

But the command that fails tries to use .gnupg in the home directory of root as you can see here:

user@system:~$ sudo sh -c 'echo $HOME'
/root

You need to make the .gnupg directory in /root as shown in my ls output above.


#7

Thanks, ChriChri.

I’ve added the .gnupg directory to /root.

Now I’m able to dump my gpg public key from the Librem Key to the Poldi local db.

I’ve added the line “auth required pam_poldi.so” to the /etc/pam.d/sudo and /etc/pam.d/gdm-password files directly above the line containing “@include common-auth”.

The setup now works for me.

I now require my Librem Key to be inserted while performing sudo commands and logging into PureOS. I first have to unlock the Librem Key with my PIN. Then I’m prompted with the PureOS login/sudo password.

Thanks for your help.
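The PAM edit from #7 (placing "auth required pam_poldi.so" directly above "@include common-auth") as a script that does it idempotently, refuses to touch a file without that anchor line, and keeps a .bak copy. This is an added example, not code from the thread or from Poldi; the sample PAM file at the bottom is constructed to resemble /etc/pam.d/sudo on a Debian-derived system.

```sh
#!/bin/sh
# Added example: insert the Poldi rule above "@include common-auth" in a
# PAM service file. Not from the thread; the sample file below is constructed.
set -eu

POLDI_LINE='auth required pam_poldi.so'

# Print the PAM file with the Poldi line inserted before the first
# "@include common-auth"; if the rule is already present, print it unchanged.
add_poldi_rule() {
    file="$1"
    if grep -qx "$POLDI_LINE" "$file"; then
        cat "$file"
        return 0
    fi
    awk -v rule="$POLDI_LINE" '
        !done && /^@include[ \t]+common-auth/ { print rule; done = 1 }
        { print }
    ' "$file"
}

# Rewrite a PAM service file in place, keeping a .bak copy. Returns non-zero
# and leaves the file alone if the anchor line is missing, so the rule is
# never appended somewhere the stack would not actually evaluate it.
install_poldi_rule() {
    file="$1"
    grep -q '^@include[ \t]*common-auth' "$file" || {
        echo "no '@include common-auth' in $file; not modifying" >&2
        return 1
    }
    tmp=$(mktemp)
    add_poldi_rule "$file" > "$tmp"
    cp -p "$file" "$file.bak"
    cat "$tmp" > "$file"   # cat keeps the target's owner and mode
    rm -f "$tmp"
}

# Constructed sample resembling /etc/pam.d/sudo on a Debian-derived system.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
EOF

install_poldi_rule "$SAMPLE"
```

When applying this to the real /etc/pam.d/sudo, keep a root shell open in a second terminal until a fresh sudo in another one succeeds with the key inserted; a broken auth stack otherwise locks you out.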