|
|
|
|
|
|
by Disposition
2225 days ago
|
|
|
PKCS#11 is extremely versatile, with some configuration you can use Yubikey PIV X.509 keys to authenticate SSH sessions by passing the necessary pkcs11 lib to ssh with the -I flag. PKCS#11 isolates the key signing from the PC by doing any private key computation operations on the secure element, this prevents leakage of the private key by traditional means. Browser TLS client authentication is also possible with some minimal initial setup of your browser of choice.
You can use openssl with a pkcs11 engine for any X.509 operations you might think of (e.g. PKI, S/MIME email signing, etc.)—technically you could use the PIV applet to store web server TLS keys and have Nginx use those through OpenSSL via the pkcs11 engine, though it would probably slow down handshaking as the throughput and signing speed of a Yubikey is orders of magnitude slower than any modern general purpose CPU. Many people don't know that Yubikeys also run a OpenPGP card applet for storing up to 3 key pairs. With the ssh option of gpg-agent it can also be used for SSH authentication just like ssh-agent. I use this in combination with a Yubikey configuration setting requiring all GPG sign operations to be confirmed within 10 seconds by pressing the capacitive touch button on my YK4 nano (LED blinks during this time to prompt). This way I can safely enable agent forwarding globally as all SSH session authentication requires physical interaction to confirm (provided you don't have any file-based keys in the same agent which are still vulnerable to usage without your knowledge via this functionality). |
|
|