From adef91bb99e5a56c3b0e7ec382ad0405f4f932a1 Mon Sep 17 00:00:00 2001
From: Toby Vincent
Date: Sun, 23 Jul 2023 10:22:13 -0500
Subject: feat: add pam docs
---
 src/SUMMARY.md | 7 ++-
 src/install/pam.md | 106 +++++++++++++++++++++++++++++++++++++++++++
 src/install/tools/yubikey.md | 26 -----------
 3 files changed, 111 insertions(+), 28 deletions(-)
 create mode 100644 src/install/pam.md
 delete mode 100644 src/install/tools/yubikey.md
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index a73ce19..1c0bc7f 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -6,12 +6,15 @@
 - [Setup](./install/setup.md)
 - [Pacman](./install/pacman.md)
+- [Pam](./install/pam.md)
 - [Rust](./install/rust.md)
 - [Tools](./install/tools.md)
 - [Editor](./install/editor.md)
 - [Mail](./install/mail.md)
 - [Password Store](./install/tools/password-store.md)
- - [Yubikey](./install/tools/yubikey.md)
- - [DE/WM]()
+ - [Application Launcher]()
+ - [Desktop notifications]()
+ - [Theming]()
+ - [GTK]()
 - [Misc](./install/misc.md)
diff --git a/src/install/pam.md b/src/install/pam.md
new file mode 100644
index 0000000..bd6cf6c
--- /dev/null
+++ b/src/install/pam.md
@@ -0,0 +1,106 @@
+# Pam
+
+## Yubikey
+
+Arch Wiki:
+[YubiKey#Linux user authentication with PAM](https://wiki.archlinux.org/title/YubiKey#Linux_user_authentication_with_PAM)
+
+[pam-u2f](https://developers.yubico.com/pam-u2f/) allows the use of Yubikey (or
+any FIDO2 capabible device?) for pam authentication.
+
+- Install pam module and optionally libfido2
+
+ ```console
+ pacman -S pam-u2f libfido2
+ ```
+
+- Add credentials for key to pam-u2f (security key must be inserted)
+
+ See:
+ [Universal 2nd Factor - Authentication for Arch Linux](https://wiki.archlinux.org/title/Universal_2nd_Factor#Authentication_for_Arch_Linux)
+
+ ```console
+ pamu2fcfg -o pam://$HOSTNAME -i pam://$HOSTNAME >> ~/.config/Yubico/u2f_keys
+ ```
+
+- Enable the pam modules by adding them to the pam configs.
+
+ Setup local login that requires pin and touch (cue) by adding the following to
+ top of `/etc/pam.d/system-local-login`:
+
+ ```config,hidelines=!
+ !#%PAM-1.0
+ auth sufficient pam_u2f.so cue pinverification=1
+ auth required pam_unix.so try_first_pass nullok
+ !auth include system-login
+ !account include system-login
+ !password include system-login
+ !session include system-login
+ !auth optional pam_gnupg.so store-only
+ !session optional pam_gnupg.so
+ ```
+
+ Setup sudo auth only requiring touch by appending the following to the end of
+ `/etc/pam.d/sudo`:
+
+ ```config,hidelines=!
+ !#%PAM-1.0
+ auth sufficient pam_u2f.so cue
+ auth sufficient pam_unix.so nullok
+ !auth required system-auth
+ !account include system-auth
+ !session include system-auth
+ ```
+
+- (Optional) Install ykman for managing the Yubikeys.
+
+ ```console
+ pacman -S yubikey-manager
+ ```
+
+- (Optional) Install touch indicator to get a notification when touch is
+ required.
+
+ ```console
+ pacman -S yubikey-touch-detector
+ ```
+
+## GnuPG
+
+[pam-gnupg](https://github.com/cruegge/pam-gnupg) provides a pam module that
+passes the login password to gnupg to unlock specified subkeys. As this requires
+using the gnupg pin as login, it requires using something like `pam-u2f` shown
+above.
+
+- First, ensure the module is installed.
+
+ ```console
+ pacman -S pam-gnupg
+ ```
+
+- Next, write the keygrips for all subkeys you wish to unlock into
+ `$XDG_CONFIG_HOME/pam-gnupg`. You can get the keygrips by running the
+ following command.
+
+ ```console
+ gpg -K --with-keygrip
+ ```
+
+- Finally, append the following lines to the end of
+ `/etc/pam.d/system-local-login`:
+
+ ```config,hidelines=!
+ !#%PAM-1.0
+ !auth sufficient pam_u2f.so cue pinverification=1
+ !auth required pam_unix.so try_first_pass nullok
+ !auth include system-login
+ !account include system-login
+ !password include system-login
+ !session include system-login
+ auth optional pam_gnupg.so store-only
+ session optional pam_gnupg.so
+ ```
+
+_Note_: This assumes `gpg-agent.conf` is setup from my dotfiles. See the
+`pam-gnupg`'s [README.md](https://github.com/cruegge/pam-gnupg#readme) for the
+full setup.
diff --git a/src/install/tools/yubikey.md b/src/install/tools/yubikey.md
deleted file mode 100644
index 9277171..0000000
--- a/src/install/tools/yubikey.md
+++ /dev/null
@@ -1,26 +0,0 @@
-# Yubikey
-
-Install pam module and optionally libfido2
-
-```console
-pacman -S pam-u2f libfido2
-```
-
-Add credentials for key to pam-u2f (security key must be inserted) See:
-[Universal 2nd Factor - Authentication for Arch Linux](https://wiki.archlinux.org/title/Universal_2nd_Factor#Authentication_for_Arch_Linux)
-
-```console
-pamu2fcfg -o pam://$HOSTNAME -i pam://$HOSTNAME >> ~/.config/Yubico/u2f_keys
-```
-
-Install ykman
-
-```console
-pacman -S yubikey-manager
-```
-
-Touch indicator
-
-```console
-pacman -S yubikey-touch-detector
-```
-- cgit v1.2.3-70-g09d2
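Review bot: Both PAM stacks the new pam.md tells the reader to install keep `nullok` on pam_unix (`auth required pam_unix.so try_first_pass nullok` in the system-local-login snippet and `auth sufficient pam_unix.so nullok` in the sudo snippet), which lets an account whose password field is empty authenticate with no password at all; for a page whose purpose is hardening login, drop it: `auth required pam_unix.so try_first_pass` and `auth sufficient pam_unix.so`. Listing `pam_u2f.so` as `sufficient` ahead of pam_unix also makes the key an alternative to the password rather than a second factor (key plus PIN replaces the password for local login, and a bare touch of an inserted key is enough for sudo), so the prose should state that trade-off instead of only "requires pin and touch", e.g. "Note: with `sufficient` the key alone satisfies auth; to require password *and* key, put `auth required pam_u2f.so ...` after `pam_unix.so`." The enrolment step appends to `~/.config/Yubico/u2f_keys`, a file the user (or anything running as the user) can write, so a compromised session can enrol its own key for a stack that gates sudo; consider pointing the module at a root-owned mapping (`authfile=/etc/u2f_mappings`, per pam-u2f's documentation) and saying what happens for users with no enrolled key (as far as I can tell, without `nouserok` the module fails and `sufficient` then falls through to pam_unix).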