a65cf1a5061eb2b3b270013a28778315aec2b692
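--- a/Tech/Passkeys.md
+++ b/Tech/Passkeys.md
@@ -0,0 +1,58 @@
+<!--
+vim: filetype=markdown
+-->
+
+# passless
+
+Has `pass` and TPM2 backends.
+
+## Installation
+
+```bash
+yay -S passless-bin
+
+sudo groupmod -a -G tss,fido $USER
+
+```
+
+## Usage
+
+```
+passless
+```
+
+Prints instructions for further configuration (udev, etc).
+
+## SystemD service
+
+- https://github.com/pando85/passless/blob/master/contrib/systemd/passless.service
+
+```
+cat <<EOF > ~/.config/systemd/user/passless.service
+[Unit]
+Description=Passless FIDO2 Software Authenticator
+Documentation=https://github.com/pando85/passless
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=passless
+Restart=on-failure
+RestartSec=5s
+
+# Security hardening
+# The application already handles its own memory locking and core dump prevention
+# but we can add additional systemd protections
+NoNewPrivileges=true
+LimitMEMLOCK=2M
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=passless
+
+[Install]
+WantedBy=default.target
+<<EOF
+```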