t480 security key login auth

hosts/t480/configuration.nix

@@ -17,6 +17,7 @@
     ../../modules/nixos/user-jack.nix
     ../../modules/nixos/sound.nix
     ../../modules/nixos/syncthing.nix
+    ../../modules/nixos/yubikey-pam.nix
   ];
 
   boot.loader.systemd-boot.enable = true;

modules/nixos/yubikey-auth.nix

@@ -6,16 +6,10 @@
     libfido2
   ];
 
-  # sudo authenticates via the forwarded SSH agent.
+  # Only FIDO2-backed SSH keys (ed25519-sk / ecdsa-sk) are accepted.
-  # Requires: ssh -A when connecting, and an ed25519-sk key in your agent.
+  # Every SSH login to every account requires a YubiKey touch.
-  # Generate one locally if you haven't:
+  # Add your sk public key to ~/.ssh/authorized_keys before deploying:
   #   ssh-keygen -t ed25519-sk
-  # Then add the public key to ~/.ssh/authorized_keys on the server.
+  #   ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub jack@dellserv
-  security.pam.sshAgentAuth.enable = true;
+  services.openssh.settings.PubkeyAcceptedAlgorithms = "sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com";
-  security.pam.services.sudo.sshAgentAuth = true;
-
-  # Preserve the forwarded agent socket across the sudo boundary
-  security.sudo.extraConfig = ''
-    Defaults env_keep+=SSH_AUTH_SOCK
-  '';
 }

modules/nixos/yubikey-pam.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    yubikey-manager
+    libfido2
+  ];
+
+  # pam_u2f: requires physical YubiKey touch for sudo and TTY login.
+  # Enroll your key BEFORE rebuilding (run on this machine):
+  #   nix shell nixpkgs#pam_u2f -c pamu2fcfg -u jack | sudo tee /etc/u2f-mappings
+  # Touch the key when the LED blinks.
+  # Additional keys: nix shell nixpkgs#pam_u2f -c pamu2fcfg -n -u jack | sudo tee -a /etc/u2f-mappings
+  security.pam.u2f = {
+    enable = true;
+    control = "required";
+    cue = true;
+    authFile = "/etc/u2f-mappings";
+  };
+
+  security.pam.services.sudo.u2fAuth = true;
+  security.pam.services.login.u2fAuth = true;
+}