Update to the Yubikey quick docs

I updated the Yubikey quick docs based on my research for the FedoraMagazine article. Be happy for another pair of eyes :slight_smile:

https://www.pagure.io/fedora-docs/quick-docs/pull-request/564

1 Like

This doesn’t appear to be something you wrote, but it looks problematic to me.

Also, in order to allow sshd to access /root/.yubico/authorized_yubikeys, you should change its context:

[…]$ chcon -R system_u:object_r:ssh_home_t:s0 /root/.yubico

Using chcon like that will cause a one-time change to the permissions, but if the user ever relabels their filesystem, the permissions on that file will be set back to their defaults. Seeing that this appears to be the YubiKey for the root account and that the root account is likely to be required in the sort of recovery scenario where restorecon might have been run on the root filesystem, this looks like a really bad idea.

Maybe something like the following would be better?

[…]# semanage fcontext -a -t ssh_home_t "/root/.yubico"
[…]# restorecon -v /root/.yubico

Good catch! I’ve not yet tested the sshd use-case myself. It appears that in Fedora 37 the .yubico directory is created with selinux context auth_home_t. Don’t know if that allows sshd to access, but I don’t think it has to because we are using PAM anyway and that uses auth_home_t

Good point. In that case, that recommendation should probably be removed.