rehevkor5 a day ago

For Yubikey, this guide is worth looking at: https://github.com/drduh/yubikey-guide ("Community guide to using YubiKey for GnuPG and SSH - protect secrets with hardware crypto.")

Liskni_si a day ago | parent | next [-]

It's also a bit outdated. OpenSSH supports FIDO2 natively, so all this gnupg stuff is unnecessary for ssh. One can even use yubikey-backed ssh keys for commit signing.

And the best thing is that you can create several different ssh keys this way, each with a different password, if that's something you prefer. Then you need to type the password _and_ touch the yubikey.

kemotep 21 hours ago | parent | next [-]

This is the sk-ed25519 kind of keys, correct?

These work flawlessly with the KeepassXC ssh-agent integration. My private keys are password protected, saved securely inside my password vault, and with my ssh config set up, I just type in the hostname and tap my Yubikey.

knorker a day ago | parent | prev [-]

This assumes that the server is running a recent enough OpenSSH, configured with this enabled. For Linux servers, sure. For routers, less obviously so.

Liskni_si a day ago | parent [-]

Fair point. Ubuntu 18.04 won't support this. :-)

knorker 7 hours ago | parent [-]

Yeah but more importantly neither will those multi million dollar routers your ISP uses. Nor their ten thousand thousand dollar switches.

And they won't be replacing these just because they're missing FIDO. And they can't "just" be upgraded because they aren't necessarily just Linux boxes in a trenchcoat. Nor are they necessarily running any version of OpenSSH.
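The two sub-threads above (Liskni_si on creating FIDO2-backed ssh keys, knorker on servers that are too old to accept them) come down to one question a practitioner has to answer before rolling out sk-* keys: does each side run OpenSSH 8.2 or newer, the release that introduced FIDO/U2F support? The POSIX shell script below is an added example, not code from the thread or from OpenSSH. It parses the SSH identification banner a server sends (the standard `SSH-2.0-<software>` string), classifies it against the 8.2 threshold, and optionally fetches a live banner via the `remote software version` debug line that `ssh -v` prints. Function names (`openssh_version`, `fido2_server_supported`, `classify_banner`, `check_host`, `sk_client_supported`) and the sample banners are constructed for this example; non-OpenSSH servers (Dropbear, vendor router stacks) are reported as `not-openssh` rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a server's SSH banner whether
# it can accept FIDO2-backed keys (sk-ssh-ed25519@openssh.com,
# sk-ecdsa-sha2-nistp256@openssh.com). OpenSSH added FIDO/U2F support in 8.2.

# Print "major.minor" for an OpenSSH banner; print nothing for any other server.
openssh_version() {
    # $1: banner such as "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"
    printf '%s\n' "$1" |
        sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the banner is OpenSSH >= 8.2, 1 otherwise (including non-OpenSSH).
fido2_server_supported() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 8 ] && return 0
    [ "$major" -eq 8 ] && [ "$minor" -ge 2 ] && return 0
    return 1
}

# One-word verdict: supported | too-old | not-openssh
classify_banner() {
    if [ -z "$(openssh_version "$1")" ]; then
        echo "not-openssh"
    elif fido2_server_supported "$1"; then
        echo "supported"
    else
        echo "too-old"
    fi
}

# Does the local client know sk-* key types at all? (ssh -Q key lists them.)
sk_client_supported() {
    command -v ssh >/dev/null 2>&1 || return 1
    ssh -Q key 2>/dev/null | grep -q '^sk-'
}

# Live check: read the remote software version from ssh -v without logging in.
# Usage: check_host HOST [PORT]; BatchMode prevents any password prompt.
check_host() {
    line=$(ssh -v -o BatchMode=yes -o ConnectTimeout=5 -p "${2:-22}" "$1" true 2>&1 |
        sed -n 's/^debug1: Remote protocol version [0-9.]*, remote software version //p' |
        head -n 1)
    [ -n "$line" ] || { echo "no banner from $1"; return 2; }
    classify_banner "SSH-2.0-$line"
}

# Demo over constructed banners (no network): a current Ubuntu, the Ubuntu 18.04
# OpenSSH 7.6 mentioned in the thread, an embedded Dropbear, and a vendor stack.
for banner in 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6' \
              'SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7' \
              'SSH-2.0-dropbear_2020.81' \
              'SSH-2.0-Cisco-1.25'; do
    printf '%-42s %s\n' "$banner" "$(classify_banner "$banner")"
done
```

Run `check_host router.example.internal` (placeholder hostname) against each box before you switch an account over to `-t ed25519-sk` keys; a `too-old` or `not-openssh` verdict means that host still needs a conventional key in the agent alongside the hardware-backed one.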

TacticalCoder a day ago | parent | prev [-]

I'd say this is more up to date:

https://www.stavros.io/posts/u2f-fido2-with-ssh/

We've got private Git repos only accessible through ssh (and the users' shell is set to git-shell) and it's SSH only through Yubikey. The challenge to auth happens inside the Yubikey and the secret never leaves the Yubikey.

This doesn't solve all the world's problems (like hunger and war) but at least people are definitely NOT committing to the repo without physically having access to the Yubikey and pushing on it (now ofc a dev's computer may be compromised and he may confirm auth on his Yubikey and push things he didn't mean to, but that's a far cry from "we stole your private SSH key after you entered your passphrase a Friday evening and are now pushing stuff in your name to 100 repos of yours during the weekend").