by bascule 3083 days ago
As a Yubikey fanboi since 2013, who was very excited about the prospect of using it for airgapping GPG and SSH keys circa 2014, 2018 me says: "you almost certainly don't want to do this"

Let's start with SSH. It's just plain unstable. If you try to set this up, you WILL have constant stability problems. I can assure you I have both personally experienced them and asked several other people who have attempted it to confirm that they too have various timeouts or other errors.

One alternative is PIV. PIV is even more of a pain in the ass to get set up, and has similar stability problems.

If I have a prescriptive recommendation for SSH, set up Duo for 2FA and use Yubikey-AES in "long press" mode (putting the key in slot 2). This gives you a strong hardware-backed authentication factor and protection against "Yubispam" (i.e. accidental credential leakage, a problem more severe than most would consider it)

As for GPG, well... GPG is a tire fire. I also went through the Yubikey GPG PIN bypass (not their fault, but since Yubikeys cannot be field patched, this involved physically rotating every key, which Yubico replaced for free, but still). GPG suffers similar random faults, and gpg-agent can die in a fire, but at least unlike SSH you're probably not using it as frequently. Still, getting things set up is ridiculously arcane, thanks to gpg being a byzantine tool and the crazy mutable state nature of ~/.gnupg

If you end up attempting to replicate this sort of setup, I can bet you dollars to donuts you will wind up asking yourself "Why did I think this would be a good idea?" after a few months

8 comments

> Let's start with SSH. It's just plain unstable. If you try to set this up, you WILL have constant stability problems. I can assure you I have both personally experienced them and asked several other people who have attempted it to confirm that they too have various timeouts or other errors.

This has not been my personal experience at all. I've used this setup (Yubikey as SSH key) for 4 years now, and by "using it" I mean being connected on SSH 24/7, connecting every day, sometimes multiple times, from and to multiple machines. I have a USB drive on which I store a gpg binary for MacOS and Windows, allowing me to easily SSH from any machine.

GPG is a tire fire, I will give you that. But for the small subset of GPG that we need for yubikey+ssh, it can be made to work OK. You just need the latest version of GPG (2.1), have pcsc-lite and scdaemon installed and running, and put "enable-ssh-support" and "use-standard-socket" in your ~/.gnupg/gpg-agent.conf. This is not hard, and can be done in a 100% portable and sudoless fashion.

As for SSH, I'm not sure why you think it's a tire fire? SSH works really well for its use-case. It might have problems if your internet connection sucks (like on mobile connections), in which case you can and should use mosh, which still works with this exact Yubikey setup (mosh initiates the connection and authenticates over SSH, and then establishes a UDP connection for the rest of the session).

I've been using this every day for about 2.5 years on each of the three machines that I use daily (each with its own Yubikey).

I sign anywhere from zero to 20 commits a day (providing my -- very long -- PIN each time) and open probably 200+ SSH sessions every day.

Once I've configured it on a new machine (e.g., I recently moved from Arch Linux to Fedora on these three machines), I have zero problems with it. There is no "unstable" issue for me at all.

Judging from my experiences as well as those of my siblings here, I have to wonder if perhaps "you're holding it wrong".

ETA: You will almost certainly run into trouble if you use Gnome (or, more specifically, gnome-keyring). I use XFCE everywhere, though.

> providing my -- very long -- PIN each time

Have you considered unlocking it once, leaving it unlocked and just require a touch for each operation :)

> ETA: You will almost certainly run into trouble if you use Gnome (or, more specifically, gnome-keyring)

Yes, google: "gnome keyring disable ssh agent" and you'll find: https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_k...

That's my experience too (using gpg for ssh). While I remember that gpg agent can die once in a while it's very rare and the benefit of having keys in a separate device and using them on any machine instantaneously is certainly worth it. Not to mention U2F and built-in TOTP. I can easily log in on a friend's machine without sharing any private/secret keys.

I suppose one notable delta between our environments: OS X (me) versus Linux (you, ostensibly)

I definitely noticed the same thing on my MacOS computers vs my Linux. What _seemed_ to be the solution for me was that ssh-agent gets auto started by Mac. My crazy workaround was editing that service with root permissions and having it launch gpg-agent instead

There's probably a better solution, but, that's what worked for me
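
Added example, not part of the thread or any commenter's code: the comments above name two conditions for this setup, `enable-ssh-support` being active in `gpg-agent.conf` and no other agent (gnome-keyring, the ssh-agent that macOS starts) owning `SSH_AUTH_SOCK`; this script checks both. The function names and the socket path patterns for gnome-keyring and launchd are assumptions based on typical defaults.

```shell
#!/usr/bin/env bash
# Added example: verify that gpg-agent, not another agent, answers SSH requests.

# Succeed if OPTION is an active (uncommented) line in the config FILE.
conf_has_option() {
    local file="$1" option="$2"
    [ -r "$file" ] && grep -Eq "^[[:space:]]*${option}([[:space:]]|\$)" "$file"
}

# Name the agent behind SSH_AUTH_SOCK.
# $1 = current SSH_AUTH_SOCK value, $2 = gpg-agent's SSH socket path.
# The gnome-keyring and launchd patterns are typical defaults (assumption).
classify_ssh_sock() {
    local current="$1" expected="$2"
    if [ -z "$current" ]; then echo "unset"; return; fi
    if [ "$current" = "$expected" ]; then echo "gpg-agent"; return; fi
    case "$current" in
        */keyring*/ssh)       echo "gnome-keyring" ;;
        *com.apple.launchd*)  echo "macos-ssh-agent" ;;
        *)                    echo "other" ;;
    esac
}

# Report every problem found; return non-zero if any.
check_setup() {
    local conf="$1" current="$2" expected="$3" owner rc=0
    if ! conf_has_option "$conf" enable-ssh-support; then
        echo "FAIL: enable-ssh-support is not active in $conf"; rc=1
    fi
    owner=$(classify_ssh_sock "$current" "$expected")
    if [ "$owner" != "gpg-agent" ]; then
        echo "FAIL: SSH_AUTH_SOCK belongs to '$owner', expected gpg-agent"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: gpg-agent is serving SSH keys"
    return "$rc"
}

# Live check against this machine, only when GnuPG 2.1+ is installed.
if command -v gpgconf >/dev/null 2>&1; then
    check_setup "$(gpgconf --list-dirs homedir)/gpg-agent.conf" \
        "${SSH_AUTH_SOCK:-}" "$(gpgconf --list-dirs agent-ssh-socket)" || true
fi
```

When the owner is reported as `gnome-keyring` or `macos-ssh-agent`, that agent is the one answering `ssh`, so the card-backed key is never offered until gpg-agent's socket is the one exported.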

FWIW, I have a MacBook Pro here that I've used it on as well. That was the primary machine I used all day every day until I built this workstation about a year ago. Nowadays I don't use the MBP very often at all, but I did just go check and, yep, it still works on there too.

"Works" in a one-off trial or with daily use? What I'm talking about is an unacceptable failure rate in the course of daily usage (by which I mean failures at least once or twice a day, sometimes considerably worse, over the course of establishing several dozen SSH connections daily)

If your OS X daily driver setup is truly stable, can you share all of the details? What OS X version? Yubikey model? GPG version? OpenSSH version?

I know at least a dozen people who have shared my experience so if there is a magic path to stabilizing it, I'm all ears.

> "Works" in a one-off trial or with daily use?

It worked with daily usage from the time I set it up (shortly after buying that particular MacBook Pro, in October 2016) until the time I quit using that machine all-day every day (c. December 2017). In addition, it worked on the previous MacBook Pro I had as well.

It still worked when I spent five minutes on it earlier today. Obviously, that's not any extensive testing but I have no reason to believe it has somehow broken itself in the time it's been sitting on a shelf, turned off.

I'll grant you that it's certainly not the easiest thing to get up and running... but I also know that it can be done and that it can work quite well. TBQH, if it had been that much of a pain in the ass, I wouldn't have bothered.

FWIW, this is a mid-/late-2016 MacBook Pro, running 10.12.something (never updated it to High Sierra), with a Yubikey Neo. GPG came from homebrew, IIRC, and SSH as shipped with the OS. I'm on mobile at the moment but I'll try to remember to go back and check all the version numbers and such later, if you're truly interested in them.

It sucks that you experienced so many issues with this but I think there's enough anecdotal evidence here to show that this can all be made to work -- and work reliably.

You may want to try resetting the SMC: https://support.apple.com/en-us/HT201295

My keys repeatedly failed to register touches until I did that, now it works flawlessly.

Anecdotally, I can confirm that this is probably the deciding factor. I use a Yubikey daily on both macOS and Linux - Linux smartcard support is rock solid, but it's really spotty on macOS.

I have noticed the same thing - on OSX I have to kill gpg-agent once or twice a week, and smartcard operations take noticeably longer.

Could you kindly share your config/setup?

Sure. Let me go back through my notes from the installation and I'll add the relevant parts here. Note that my Yubikeys were already all set up, though (i.e., the GPG keys -- and "derived" SSH key -- were already present on them).

---

ETA: I've posted my "first attempt" at remembering/including everything in a gist [0]. It's very likely that I've forgotten something, though. Apologies for the formatting and such, I was hurrying.

[0]: https://gist.github.com/jlgaddis/c52d6dea9aab4fa7e184d78c354...

I've been using a yubikey for at least 3 years on a practically daily basis for signing and decrypting email (all of my emails are encrypted) and for logging into my various servers via SSH on various Linux laptops and desktops, an Android phone (via NFC) and very recently a Macbook running OSX. My experience is nothing like yours. I have never had anything resembling a stability problem.

Same question to you which I asked in the comment linked below... if your OS X setup is truly, actually stable for a daily driver and not just something you use here and there, can you share details?

https://news.ycombinator.com/edit?id=16146856

Are you perhaps reflecting on the OSX experience a couple years ago? Things have really matured since then.

I have deployed yubikey 4 based ssh auth, commit signing, and password management to engineering teams at 3 companies in the past 2+ years.

The Linux experience has always been solid and as of gpg 2.1+ and High Sierra mostly fixing their smartcard stack, I can say the OSX setup is now quite reliable as well.

For examples for ssh setup see: https://github.com/lrvick/security-token-docs/blob/master/Us...

Aside: I would -not- recommend Duo to anyone. Beyond putting your security entirely in the hands of a third party with unknown internal auditing and security practices, there is no way to disable SMS 2FA for the admin accounts and support has steadfastly ignored requests to allow this to be disabled. This means sim porting + phishing and you can control a duo admin account. There is also no secure element component involved with Duo so malware on the phone can bypass it if sophisticated attackers are in your threat profile.

That's very much not my experience. I agree that the setup is harder than necessary and if you get something wrong the errors are not helpful. But once it works, it works. I've been using yubikey with gpg-agent for ssh auth for years and it generally just works. I've not seen the stability problems you experienced.

This is much more stable for SSH than the article: https://blog.habets.se/2016/01/Yubikey-4-for-SSH-with-physic... (and also has physical presence proof).

I've been using it for years on many machines. It's great. It's worked perfectly.

Yes, the gpg-agent solution proposed in the article (which is what I used before PIV) was less stable. Nowhere near as bad as you describe though.

OpenPGP applet on Yubikeys also has physical presence proof option: https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_.... Crucial for safe ForwardAgent!

I don't know about Yubikeys, but with FST-01 SSH (via gpg-agent, essentially same setup as the linked article) just works. Using this for half a year and no complaints.

Sometimes it doesn't immediately see the key after reboot and I need to plug it out and plug back in. I think this usually happens when I dual-boot and switch between different OSes, as same-OS reboots are usually OK. Haven't exactly paid attention, though. I rarely reboot my desktop machine and I don't keep the key plugged into laptops.

Also, very rarely gpg-agent gets stuck and I have to KILLAGENT /bye. But I think that happens, maybe, once in 2 months or so. Docker (just a random example) gives me more headache.

I fixed most of my problem with the following command after plugging the key (Win and Linux):

`gpg --card-status` then wait for key status

That command starts everything related to GPG/SSH (daemon/agent).

This is essentially a diagnostic command, not really a fix ;)

For me, when gpg-agent gets "stuck", this command just fails. I forgot the exact message but it tells me that it can't find the device. `gpg-connect-agent KILLAGENT /bye` and then `gpg --card-status` (will automatically start a new gpg-agent daemon in the background) does the trick for me, but it's the first command that matters.

(Could be just `killall gpg-agent`, I guess)

Oh, I think on Windows, once I had to restart the Smartcards service, as restarting the agent hadn't helped. Don't know what it was - I've experimented with OpenSC around that time so could be just about anything.

Where do you even find a FST-01 these days? (Besides building your own) It seems that they are no longer being made :(

The NitroKey Start uses the same CPU (IIRC) and also runs the open gnuk firmware.

https://www.nitrokey.com/products/nitrokey-start

I've been using this setup daily for years, and, I've only 1 problem - annoying as hell - but something I can live with.

Whenever I use the key for U2F, the gpg access to the card will fail until I `killall -9 scdaemon`. I've had this same issue on both Ubuntu, and openSUSE. And yes, the -9 is necessary to actually kill the process and allow gpg to restart it.

As I said, annoying, but I can live with it.

Anyone else experienced this? Anyone found a fix?

It doesn't happen to me.. using Yubikey Nano.

Maybe you have an older key?