format fixes, secure root, conclusion
@@ -77,7 +77,7 @@ mount /dev/sda1 /mnt/boot
install the base system and required packages to boot and get network up

```
pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi pam-u2f
pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi pam-u2f openssh
```

Configure the system and chroot
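
Review bot: adding `openssh` to the pacstrap line installs both the client and the server, but everywhere else in this guide the package is only used as a client (`ssh-keygen`, the `ssh://` clone of the dotfiles), so it would help to state whether `sshd.service` is left disabled or, if remote login is wanted, that it is enabled with key-only authentication; as written a reader may assume an SSH server is part of the setup.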

@@ -113,7 +113,7 @@ HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block
create a file called `/etc/crypttab.initramfs` (UUID and cryptname need to match luksDump):


`cryptname UUID=UUID none password-echo=no`
cryptname UUID=UUID none password-echo=no


create a file called root.conf in /etc/cmd and add(cryptname must match cryptname in crypttab.initramfs):
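
Review bot: removing the backticks around `cryptname UUID=UUID none password-echo=no` leaves it as plain paragraph text, and no fence lines appear in this hunk (7 lines in, 7 lines out), so it will no longer render as code; put it in a ``` block like the pacstrap command earlier so the `cryptname` and `UUID` placeholders are still obviously values to replace, since a wrong value here means the root volume does not unlock at boot.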

@@ -125,19 +125,19 @@ root=/dev/mapper/cryptname rw rootfstype=btrfs rootflags=subvol=@
edit /etc/mkinitcpio.d/linux.preset and comment out `PRESET_image` and uncomment `PRESET_uki`. Change the dir part of uki to match the path to the EFI directory ie `/boot/EFI/Linux`. make the Linux dir in the EFI path. Then recreate the image with:


`mkinitcpio -p linux`
mkinitcpio -p linux


Set the root password using `passwd` then reboot.

Upon rebooting we're going to finish setting up the system, see here for more recommendations [General recommendations](https://wiki.archlinux.org/title/General_recommendations). For our uses we need to:

- add a user, set password, add to sudoers file
- enroll yubikey or other fido2 device into the luks partition
- intall our window manager and user programs and tools
- set the root password to a long random string(test sudo works first)
- install our user environment eg dotfiles and associated tooling
- setup fido2 login
- [Add a user, set password, add to sudoers file](#add-a-user)
- [Secure root](#secure-root)
- [Enroll yubikey or other fido2 device into the luks partition](#decrypting-with-a-fido2-hardware-token)
- [Install our user environment](#install-user-environment)
- [Setup window manager](#setup-window-manager)
- [Setup fido2 login](#fido2-login)

## Add a user
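
Review bot: the new linked checklist drops the "(test sudo works first)" caveat that the old "set the root password to a long random string" item carried, and that is the one step that prevents locking yourself out of root once its password is randomized; keep it on the new entry, e.g. "- [Secure root](#secure-root) (test sudo works first)". The anchors line up with the headings added elsewhere in this diff (`#install-user-environment` against "## Install user environment", `#fido2-login` against "### FIDO2 Login"), so those are fine. The `mkinitcpio -p linux` line has the same lost-backticks problem as the crypttab line in the previous hunk and should go in a fenced block.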

@@ -155,6 +155,21 @@ visudo
%wheel ALL=(ALL:ALL) ALL
```

## Secure root

This step could wait until after [FIDO2 Login](#fido2-login) as it's usually a good idea to be able to get into root when messing with pam.d files. There are several alternatives for securing root:
- generate a random string using openssl and basically disable root login

`openssl rand -base64 32 # generates a 256 bit random key, also useful for secrets in programming`

- use [pass](https://www.passwordstore.org/) and create and entry, this would allow you to access the password at anytime if needed.

`pass generate local/hostname-root 30 # this will generate a password and insert it into you password store`

- sudo to root, run the password command and mash the keyboard



## Decrypting with a FIDO2 hardware token

Why, cause I can and it's way better security wise than a password that's easy to rememeber and easy to type. The process has been made pretty easy [Unlocking LUKS2](https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html) and [systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll#FIDO2_tokens). First we have to enroll the device then edit crypttab.initramfs and tell the boot process to ask for the device instead of a password.
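
Review bot: the first "Secure root" option only shows how to generate the string and never says what to do with it; presumably the intent is to set it with `passwd` as root and then discard it, so say that, and note that a random but still valid password is not the same as locking the account. The section should also say explicitly that sudo from the wheel user must be verified before this step, because it is the only way back into root once the password is unknown, which the section itself relies on for the later pam.d edits. Minor wording in the `pass` bullet: "create and entry" should be "create an entry" and "into you password store" should be "into your password store".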

@@ -166,4 +181,75 @@ cryptname UUID=UUID none password-echo=no,fido2-device=auto

Reboot and see if it works.

## Install user environment and niceties
## Install user environment

First we need to get my dotfiles installed and install our userspace programs. Why dotfiles first? There's a archpkgs.txt file to help get everything we want without having to remember it.

sudo pacman -Syu git
ssh-keygen

copy the key in the .pub file and add it to my profile where my dotfiles are stored, currently [gitea](https://giteat.ewpt3ch.dev/ewpt3ch/dotfiles), for details see the readme.

```
git clone --bare ssh://gitea@gitea.ewpt3ch.dev:25213/ewpt3ch/dotfiles.git .dotfiles
alias dotfiles='/usr/bin/git --git-dir=$HOME/.dotfiles/ --work-tree=$HOME'
rm .bashrc # this is going to be replace and git checkout will complain
dotfiles checkout [branch] # probably workstation
```

sudo pacman -S --needed - < archpkgs.txt
/usr/bin/fish

Install [fisher](https://github.com/jorgebucaran/fisher) for fish plugins and [vim plug](https://github.com/junegunn/vim-plug)

curl -sL https://raw.githubusercontent.com/jorgebucaran/fisher/main/functions/fisher.fish | source && fisher install jorgebucaran/fisher
curl -sL https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim -o plug.vim
fisher update

open neovim and run `:PlugUpdate`

plug in the yubikey that will be used with this device, probably the one enrolled to unlock the drive, see [gpg on yubikey](https://blog.ewpt3ch.dev/posts/gpg-on-yubikey/), and run: (2 ssb entries should have a > instead of #)

```
gpg --card-edit
gpg/card> fetch
gpg/card> quit
gpg --card-status
```

Log out and log back in again

## Setup window manager

sway

check movement of the mouse cursor with the trackpad on a laptop. I it doesn't feel right and the taps are not working copy `.config/sway/chiron/config .config/sway/hostname/config` reload `alt shift c`See [Swaywm](https://github.com/swaywm/sway/wiki)

### FIDO2 Login

Even cooler than unlocking with a FIDO2 token is logging in and using sudo with one. [Universal 2nd Factor](https://wiki.archlinux.org/title/Universal_2nd_Factor#Passwordless_sudo)

```
mkdir ~/.config/Yubico
pamu2fcfg -i pam://hostname > ~/.config/Yubico/u2f_keys
pamu2fcfg -i pam://hostname >> ~/.config/Yubico/u2f_keys # additional keys
```

Create a 2nd terminal and sudo su just incase we mess something up we still have root so we can fix it. I like to have the password as fallback even though it can be less secure. Setup sudo for FIDO2 in the first terminal:

/etc/pam.d/sudo
------
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname

Test sudo and make sure it worked, if the device is not plugged in it should fallback to password.

If that worked we can setup login. Make sure you have a working password for root or a bootable device, this has the potential to lock us out.

/etc/pam.d/login # add the following after the pam_nologin line
--------
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname


### Conclusion

Everything on this laptop seems to work great out of the box so far. The only thing that is bugging me is the WIFI. It seems to start slow and ramp up, not sure if it's the arch mirrors right now with the ongoing DDOS issues or if it's something in the wifi driver.
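
Review bot: the `auth sufficient pam_u2f.so ...` lines make a registered token sufficient on its own for sudo and login, and the registration file they trust is `~/.config/Yubico/u2f_keys`, which the user and anything running as the user can write; the text should say that this trade-off is accepted for a single-user laptop, and that pam_u2f's `authfile` option can point at a root-owned file if it is not. The three `pam://hostname` values (`pamu2fcfg -i`, `origin=`, `appid=`) must be the same real string, and that deserves a sentence, because a mismatch just drops through to the password fallback and looks as if it worked. Smaller points: the dotfiles link reads `giteat.ewpt3ch.dev` while the clone URL reads `gitea.ewpt3ch.dev`; the `sudo pacman -Syu git` / `ssh-keygen`, `sudo pacman -S --needed` and `curl` command groups are not fenced like the others; "### FIDO2 Login" and "### Conclusion" are level-3 headings under "## Setup window manager" while the checklist links to them as top-level sections; "this is going to be replace" should be "replaced", "I it doesn't feel right" should be "If it doesn't feel right", and the sway line should show the command, `cp .config/sway/chiron/config .config/sway/hostname/config`.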