by lrvick 3081 days ago
I feel the author missed a critical step.

You want to enable user interaction flags to defend against someone with remote access to your machine.

  $ ykman openpgp touch aut fix
  $ ykman openpgp touch enc fix
  $ ykman openpgp touch sig fix

This will require the yubikey be physically touched for each sign/decrypt/ssh operation which, while simple, is something a remote attacker can't perform.

For more detailed notes from me deploying commit signing and ssh via yubikey at three orgs see: https://github.com/lrvick/security-token-docs

* Edit: you want to use "fix" instead of "on" to prevent an attacker from just turning it off again.
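An audit check to go with the commands above, added here as an example and not part of the thread or the ykman project: it reads the "Touch policies" table printed by `ykman openpgp info` (the column layout assumed here is that of recent ykman releases, which is an assumption) and reports any key slot whose policy is not permanently "Fixed", so a slot that was only set to "on" or left "off" shows up before the key is trusted.

```shell
#!/bin/sh
# Added example: flag OpenPGP key slots whose touch policy is not "Fixed".
# Anything other than the plain "Fixed" policy is treated as a finding, which
# is deliberately conservative.

# Constructed sample standing in for the output of: ykman openpgp info
# (the table layout is an assumption about recent ykman versions)
SAMPLE_INFO='OpenPGP version: 3.4
Application version: 5.4.3
PIN tries remaining: 3
Reset code tries remaining: 0
Admin PIN tries remaining: 3
Touch policies
Signature key           Fixed
Encryption key          On
Authentication key      Off'

# touch_findings INFO_TEXT
# Prints one "<slot>:<policy>" line per key slot that is not Fixed;
# prints nothing when every slot is permanently enforced.
touch_findings() {
  printf '%s\n' "$1" | awk '
    /^Touch policies/ { in_table = 1; next }
    in_table && /^(Signature|Encryption|Authentication) key/ {
      policy = $NF              # last column is the policy name
      if (policy != "Fixed") {
        print tolower($1) ":" policy
      }
    }'
}

# touch_policy_ok INFO_TEXT
# Exit status 0 only when no finding is reported, so a provisioning
# script can refuse to hand out a key until every slot is fixed.
touch_policy_ok() {
  [ -z "$(touch_findings "$1")" ]
}

if [ "${1:-}" = "--live" ]; then
  # Query a real token; requires ykman on PATH.
  touch_findings "$(ykman openpgp info)"
else
  touch_findings "$SAMPLE_INFO"
fi
```

Run with `--live` against an attached token; without arguments it evaluates the constructed sample, which reports the encryption and authentication slots.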


Instead of using those backticks (which don't work here), indent each line by two spaces. It'll render like this:

  $ ykman openpgp touch aut fix
  $ ykman openpgp touch enc fix
  $ ykman openpgp touch sig fix
Edited after parent's edit: s/on$/fix/g

Fixed, thanks.

Warning: "fix" is permanent.

(that's the whole point of it)

> you want to use "fix" instead of "on" to prevent an attacker from just turning it off again.

An attacker also must know your admin PIN (required to change this setting), so there is really no need to use "fix" instead of "on". To be able to toggle this off, you must reset your yubikey (paraphrasing the docs).