- Shell 100%
| yk-autologin | ||
| .gitignore | ||
| LICENSE | ||
| PKGBUILD | ||
| README.md | ||
Yubikey Autologin
The problem:
I have a personal laptop which uses full disk encryption (LUKS) which I generally unlock with a FIDO2 token (a yubikey). I share this computer with my spouse who uses their own yubikey (and thus own password) to login to the machine.
It's annoying to unlock the disk encryption only to need to enter another password once the system finishes booting. When only one of us is using the computer regularly, this is not an issue (it is a personal laptop after all). I just set the laptop to autologin as the primary user and everything is fine.
But when we are trading off (if, say, one of our computers is in the shop) we either have to deal with being automatically logged in but as the wrong user or entering two passwords on boot.
The solution:
yk-autologin is a set of scripts which can be configured to adjust the desktop manager's settings on boot whenever a yubikey is inserted. That's it, and it's a bit of a blunt instrument, but it met my needs, so I'm posting it in case anybody else finds it's what they need.
In a bit more detail: There are three main scripts involved:
detect-deviceruns whenever a yubikey is inserted (this is only active before the root filesystem is mounted and has benchrooted into). It reads the config (/etc/yk-autologin/conf) and determines which user that yubikey belongs to ($USER) then saves that information in a file at/yk-autologin-args.chooseruns once before thechrootbut after the root filesystem has been mounted. It reads the config to determine the name of the file to modify ($FILE) and whether it has been configured for appending. It then looks for the following:- If appending, first a file
$FILE.baseand then (if the first is found) a file$FILE.autologin-$USER(or barring that,$FILE.no-autologin). The files the script finds are concatenated together and saved as$FILE. - If not appending, then just a file
$FILE.autologin-$USER(or barring that,$FILE.no-autologin). The script makes a symlink at$FILEpointing to the file it found.
- If appending, first a file
cleanupruns when the computer is shutting down or restarting. It does the same thing aschoosebut does read/yk-autologin-argsand does not search for$FILE.autologin-$USER(it skips to searching for$FILE.no-autologin).
Disclaimer
I make no claim that any of this is particularly secure or stable. The basic goal I had was to make a script that did what I wanted as long as I configured it correctly, with the understanding that I was then responsible for figuring out what went wrong if I didn't. I also very much assumed that security is relatively weak once the disk is decrypted and that stopping one valid user of the computer from masquerading as another was not the goal. If this doesn't match up with your usecase, then you will likely want to do things differently.
Requirements
The script assumes that you are using systemd as your runsystem both after boot and in the initramfs and that you install yubikey-presonalization (the script uses yk-info from that package).
Installing
On Arch-based distros, you can download the PKGBUILD and LICENSE, then make and install the package.
Manual Install
Put the following files in the folder /etc/yk-autologin:
choosecleanupdetect-deviceudev.rules
Install the following in the path for root:
yk-configure-autologin
The following is a mkinitcpio install hook. It can be installed in /etc/initcpio/install if you are using mkinitcpio:
yk-autologin
The following should be installed to /usr/lib/systemd/system:
yk-choose-autologin.service(also add a link to this file in/usr/lib/systemd/system/initrd.target.wants)yk-cleanup-autologin.service(and then enable the unit)
Configuring
Make sure that the yk-cleanup-autologin.service is enabled (should be true by default if you used the PKGBUILD).
If you are using mkinitcpio then the yk-autologin hook should be in the HOOKS list in your config after the systemd hook.
Run yk-configure-autologin file <NAME_OF_CONFIG_FILE> as root to set the file that will be modified by the script (or yk-configure-autologin file +<NAME_OF_CONFIG_FILE> for append mode)
Then for each yubikey you want to configure plug the key in (and no other yubikeys) and run yk-configure-autologin <USER> as root to record the key and corresponding user.
Once it's all configured, rebuild your initramfs.
Known issues
This worked on my system, but it didn't work on my spouse's system. I'm looking into it, but it basically amounts to my script assuming that the root fs is writeable when systemd does the chroot, which is not the case on my spouse's system. I don't remember what I set up differently between the two systems, but I'm going to need to rework some of this code to deal with that specific problem.
Have problems or questions?
Open an issue on my forgejo.
I'm happy to try to help if you've stumbled across this, used it, and run into trouble, but I can't guarantee that I'm not on vacation while you're having trouble booting your computer, so exercise caution and make sure you have at least an idea of what you might do in that case. I can't guarantee that this works perfectly for your system; I simply built it for mine and wanted to share my work.