From 4e3e23f1b6b0d46586f5d2b75758e0ace322f7c1 Mon Sep 17 00:00:00 2001
From: Jack Mechem
Date: Thu, 30 Apr 2026 17:34:33 -0700
Subject: [PATCH] t480 security key login auth

---
 hosts/t480/configuration.nix | 1 +
 modules/nixos/yubikey-auth.nix | 16 +++++----------
 modules/nixos/yubikey-pam.nix | 23 +++++++++++++++++++++++
 3 files changed, 29 insertions(+), 11 deletions(-)
 create mode 100644 modules/nixos/yubikey-pam.nix

diff --git a/hosts/t480/configuration.nix b/hosts/t480/configuration.nix
index ebd8ad6..fa046df 100644
--- a/hosts/t480/configuration.nix
+++ b/hosts/t480/configuration.nix
@@ -17,6 +17,7 @@
 ../../modules/nixos/user-jack.nix
 ../../modules/nixos/sound.nix
 ../../modules/nixos/syncthing.nix
+ ../../modules/nixos/yubikey-pam.nix
 ];
 
 boot.loader.systemd-boot.enable = true;
diff --git a/modules/nixos/yubikey-auth.nix b/modules/nixos/yubikey-auth.nix
index f699a3c..e104c76 100644
--- a/modules/nixos/yubikey-auth.nix
+++ b/modules/nixos/yubikey-auth.nix
@@ -6,16 +6,10 @@
 libfido2
 ];
 
- # sudo authenticates via the forwarded SSH agent.
- # Requires: ssh -A when connecting, and an ed25519-sk key in your agent.
- # Generate one locally if you haven't:
+ # Only FIDO2-backed SSH keys (ed25519-sk / ecdsa-sk) are accepted.
+ # Every SSH login to every account requires a YubiKey touch.
+ # Add your sk public key to ~/.ssh/authorized_keys before deploying:
 # ssh-keygen -t ed25519-sk
- # Then add the public key to ~/.ssh/authorized_keys on the server.
- security.pam.sshAgentAuth.enable = true;
- security.pam.services.sudo.sshAgentAuth = true;
-
- # Preserve the forwarded agent socket across the sudo boundary
- security.sudo.extraConfig = ''
- Defaults env_keep+=SSH_AUTH_SOCK
- '';
+ # ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub jack@dellserv
+ services.openssh.settings.PubkeyAcceptedAlgorithms = "sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com";
 }
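Review bot: The new comment in yubikey-auth.nix claims "Every SSH login to every account requires a YubiKey touch", but the only added setting is `PubkeyAcceptedAlgorithms`, which constrains public-key logins and says nothing about password or keyboard-interactive logins; unless those are disabled elsewhere in the config (not visible in this hunk), the claim is stronger than what the module enforces. Consider pinning it in the same module: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, or soften the comment to "Public-key SSH logins are limited to FIDO2-backed keys". Separately, this hunk drops the forwarded-agent factor for sudo (`security.pam.services.sudo.sshAgentAuth`) without a replacement in this file; the pam_u2f module added in this commit is only imported by hosts/t480, so any other host using yubikey-auth.nix (the comment's example targets `jack@dellserv`) presumably falls back to password-only sudo after this change — worth stating in the comment or the commit message if that is intended.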
diff --git a/modules/nixos/yubikey-pam.nix b/modules/nixos/yubikey-pam.nix
new file mode 100644
index 0000000..6412e51
--- /dev/null
+++ b/modules/nixos/yubikey-pam.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ yubikey-manager
+ libfido2
+ ];
+
+ # pam_u2f: requires physical YubiKey touch for sudo and TTY login.
+ # Enroll your key BEFORE rebuilding (run on this machine):
+ # nix shell nixpkgs#pam_u2f -c pamu2fcfg -u jack | sudo tee /etc/u2f-mappings
+ # Touch the key when the LED blinks.
+ # Additional keys: nix shell nixpkgs#pam_u2f -c pamu2fcfg -n -u jack | sudo tee -a /etc/u2f-mappings
+ security.pam.u2f = {
+ enable = true;
+ control = "required";
+ cue = true;
+ authFile = "/etc/u2f-mappings";
+ };
+
+ security.pam.services.sudo.u2fAuth = true;
+ security.pam.services.login.u2fAuth = true;
+}
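Review bot: `control = "required"` under `security.pam.u2f` is a global setting, and if I recall the NixOS PAM module correctly the per-service `u2fAuth` option defaults to `config.security.pam.u2f.enable`, so the two explicit `sudo`/`login` lines are redundant and the "required" rule presumably also lands on every other PAM service on the t480 (display manager, screen locker, etc.), contrary to the header comment's "for sudo and TTY login". Either scope it explicitly (e.g. keep `enable = true` but set `u2fAuth = false` on services that should not demand the key) or correct the comment to say the requirement is system-wide. Because the rule is `required` rather than `sufficient`, a user with no line in `/etc/u2f-mappings` — or a key left at home — fails closed on every affected service; the enroll-first instruction covers the first case, but I would add a comment noting how lockout is recovered (rescue boot or a rollback generation from the boot menu) so the next reader does not find out the hard way.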