From 0a8d3c33228a5473d0032ee48de8b0ea3f3a0a89 Mon Sep 17 00:00:00 2001
From: Zhephod
Date: Mon, 14 Jul 2025 01:10:12 -0700
Subject: [PATCH 1/4] add fido2-setup script
---
 bin/omarchy-fido2-setup | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100755 bin/omarchy-fido2-setup
diff --git a/bin/omarchy-fido2-setup b/bin/omarchy-fido2-setup
new file mode 100755
index 0000000..e1b9fd2
--- /dev/null
+++ b/bin/omarchy-fido2-setup
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+yay -S --noconfirm --needed libfido2
From f1761319e98e1391d7e688164e0e5bec9b2f0487 Mon Sep 17 00:00:00 2001
From: Zhephod
Date: Tue, 15 Jul 2025 02:34:18 -0700
Subject: [PATCH 2/4] got testing for device working
---
 bin/omarchy-fido2-setup | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/bin/omarchy-fido2-setup b/bin/omarchy-fido2-setup
index e1b9fd2..b379a8b 100755
--- a/bin/omarchy-fido2-setup
+++ b/bin/omarchy-fido2-setup
@@ -1,3 +1,8 @@
 #!/bin/bash
-yay -S --noconfirm --needed libfido2
+yay -S --noconfirm --needed libfido2 pam-u2f
+
+tokens=$(fido2-token -L)
+if [ -z "$tokens" ]; then
+ echo -e "\e[31m\nNo fido2 device detected.\e[0m"
+fi
From dcd63233aff73ffab6aab95d0f7b0a783ee04baa Mon Sep 17 00:00:00 2001
From: Zhephod
Date: Tue, 15 Jul 2025 03:30:28 -0700
Subject: [PATCH 3/4] added sudo support
---
 bin/omarchy-fido2-setup | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/bin/omarchy-fido2-setup b/bin/omarchy-fido2-setup
index b379a8b..c6e8dfe 100755
--- a/bin/omarchy-fido2-setup
+++ b/bin/omarchy-fido2-setup
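Review bot: In the `[PATCH 2/4]` hunk the no-device branch only prints a message and the script still exits 0, so a caller cannot tell that nothing was detected; add `exit 1` after the `echo -e` line. The result of `yay -S` is not checked either, so when the install fails `fido2-token` is missing, `tokens` is empty, and the user is told no device is present. `yay -S --noconfirm --needed libfido2 pam-u2f || exit 1` would stop at the real failure.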
@@ -4,5 +4,19 @@ yay -S --noconfirm --needed libfido2 pam-u2f
 tokens=$(fido2-token -L)
 if [ -z "$tokens" ]; then
- echo -e "\e[31m\nNo fido2 device detected.\e[0m"
+ echo -e "\e[31m\nNo fido2 device detected. Plug it in, you may have to unlock it as well\e[0m"
+else
+ # Create the pamu2fcfg file
+ if [ ! -f /etc/fido2/fido2 ]; then
+ sudo mkdir -p /etc/fido2
+ echo -e "\e[32m\nLet's setup your device, confirm on the device now\n\e[0m"
+ pamu2fcfg >/tmp/fido2 # This needs to run as the user
+ sudo mv /tmp/fido2 /etc/fido2/fido2
+ fi
+ # Add fido2 auth as an option for sudo
+ if ! grep -q pam_u2f.so /etc/pam.d/sudo; then
+ sudo sed -i '1i auth sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/sudo
+ fi
 fi
From 86bf311866d3b623602b3e54b7d4c8ba81bb50c0 Mon Sep 17 00:00:00 2001
From: Zhephod
Date: Thu, 17 Jul 2025 02:05:41 -0700
Subject: [PATCH 4/4] add option to opt out of sudo
---
 bin/omarchy-fido2-setup | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/bin/omarchy-fido2-setup b/bin/omarchy-fido2-setup
index c6e8dfe..e873392 100755
--- a/bin/omarchy-fido2-setup
+++ b/bin/omarchy-fido2-setup
@@ -2,6 +2,18 @@
 yay -S --noconfirm --needed libfido2 pam-u2f
+# Check if the user doesn't want sudo
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ --no-sudo) exit 0 ;;
+ *)
+ echo "Unknown option: $1 \n --no-sudo is the only option"
+ exit 1
+ ;;
+ esac
+ shift
+done
+
 tokens=$(fido2-token -L)
 if [ -z "$tokens" ]; then
 echo -e "\e[31m\nNo fido2 device detected. Plug it in, you may have to unlock it as well\e[0m"
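Review bot: `pamu2fcfg >/tmp/fido2` in the `[PATCH 3/4]` hunk writes the credential mapping to a fixed name in world-writable `/tmp`, and `sudo mv` then installs whatever sits at that path as the authfile that the `auth sufficient pam_u2f.so` line trusts for sudo. A fixed name there can be pre-created or replaced by another local account before the move. A failed or timed-out `pamu2fcfg` also leaves an empty file that is installed anyway, and the moved file keeps the invoking user's ownership, so it stays writable without root. Write to a `mktemp` file, check the exit status and that the file is non-empty, and install it root-owned. Copying `/etc/pam.d/sudo` aside before the `sed -i` would also let a bad edit be reverted.

```shell
  if [ ! -f /etc/fido2/fido2 ]; then
    # … unchanged: sudo mkdir -p /etc/fido2 and the "confirm on the device" prompt …
    tmp=$(mktemp) || exit 1
    if pamu2fcfg >"$tmp" && [ -s "$tmp" ]; then # still runs as the user
      sudo install -o root -g root -m 0644 "$tmp" /etc/fido2/fido2
      rm -f -- "$tmp"
    else
      rm -f -- "$tmp"
      echo "pamu2fcfg did not produce a credential; sudo left unchanged" >&2
      exit 1
    fi
  fi
```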
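Review bot: In the `*)` arm of the `[PATCH 4/4]` hunk, `echo "Unknown option: $1 \n ..."` prints the `\n` literally because this `echo` has no `-e`, and the error goes to stdout; `printf 'Unknown option: %s\n--no-sudo is the only option\n' "$1" >&2` fixes both. Both arms exit, so the `shift` after `esac` is never reached and the `while` could be a plain `if [[ $# -gt 0 ]]`. The check also sits below the `yay -S` line, so a mistyped option still installs packages before the script rejects it; parsing arguments above the install would avoid that.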