by m3nu 2608 days ago
(Title needs the year since the article is from 2017.)

For keeping SSH keys, the PIV module seems a bit simpler than GPG. I just went through the process myself.[1]

They should also mention FIDO U2F, which already works well with Google, AWS and Github among others. Implementing it for your own site also seems doable.

1: https://blog.snapdragon.cc/2019/04/27/using-a-yubikey-to-sec...


Very doable. I have FIDO U2F set up on my personal site and wrote a barebones example at https://jonathanstreet.com/blog/flask-second-factor-authenti...

I've thought about adding support for remembering devices but using the token is so easy it's just not a priority.

Agreed - in particular because PIV doesn’t prevent other apps subsequently using the device as gpg-agent does (necessitating unplugging and replacing it in the USB port).

On the flip side, with PIV there’s no way I’ve seen to have it allow access for a short period of time (e.g. the way gpg can cache the pin for a set number of seconds) instead of per request, which can get a bit annoying if you are invoking ssh repeatedly (which I seem to do a fair bit).

Would also reference the excellent yubioath tool for adding TOTP passwords on sites which don’t support FIDO/U2F - it’s very very easy to use and if you have an Android phone and an NFC enabled yubikey you can use there too.

https://developers.yubico.com/yubioath-desktop/

You can configure "--touch-policy=cached" when importing/generating a private key using the CLI PIV management utility, which will cache touches for 10 seconds. Not sure why it's not exposed in the GUI, though.

https://developers.yubico.com/yubico-piv-tool/Manuals/yubico...

>Agreed - in particular because PIV doesn’t prevent other apps subsequently using the device as gpg-agent does (necessitating unplugging and replacing it in the USB port).

I believe this is no longer the case? At least with current GPGTools on macOS, I leave a Yubikey Nano in one of my USB ports and use it for both GPG and U2F without issue.

>For keeping SSH keys, the PIV module seems a bit simpler than GPG.

If you're only using it for SSH, sure. If you also want commit signing, though, you'll need to set up GPG anyway.

Apologies - I updated the post today to include the commit signing, and didn't think about the date of the parent post.