Hacker News
by alias_neo 2182 days ago
Can I do this with a Yubikey?

Last time I tried there were a few more complex commands than this. Could I use a udev rule to add my SSH keys as the device is plugged in, so I don't have to run anything?

I think I was using PIV last time.

2 comments

Yes you can; SSH 8.3ish uses FIDO2 and doesn't do anything Yubikey-specific. That means you don't have to bother with all the agent stuff, and it works with any dirt-cheap FIDO2 key.

EDIT: I'm going to post a writeup tomorrow detailing how to do this, because it's wonderful and super secure.

Thanks, going to look into it more tonight, see if I can get a 5C setup.
It is literally just the two commands, I can send them to you when I'm at the pc. I have a 5C too.
That'd be great, thanks. I'll have to do a follow up to my blog post: [SSH 2-Factor's First Factor](https://2byt.es/post/totp2/) once I've had a play.
Have Nitro keys on the way. Looking forward to your writeup, mate.
Yes, any vaguely modern YubiKey implements FIDO2, which is what you need.

However you need fairly modern OpenSSH (this year) for both clients and servers. Both need to be upgraded because the authentication protocol itself is different, so an older server has no idea how to authenticate with FIDO2.

To get the behaviour the parent describes you must make sure to follow the instructions for resident keys, and these instructions won't work on cheaper FIDO (not FIDO2) devices that are designed to be used as second factors. Without resident keys the authenticator only works when at the computer you used to enrol it, which is fine for a personal workstation/laptop but not great if you need to roam.

Thanks, I have a few 5C's so they should be new enough, I'll need to check my laptop/desktop to make sure SSH is new enough (I run Ubuntu 20.04/Manjaro respectively).

My servers most likely aren't, but I run most of my workloads in Docker or Kubernetes so it's just a matter of time to get them all updated.

Not strictly true, you can copy the "private" key (just a pairing file for the dongle) around and still use the USB key fine with it.
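An added example, not posted by anyone in the thread, that puts the last few replies together as a script: the OpenSSH version check on both client and server, the enrolment command for a resident key versus a plain key handle, and the roaming step. It assumes OpenSSH 8.2 or newer (the release that added the ed25519-sk key type, `-O resident`, `ssh-keygen -K` and `ssh-add -K`) and 8.4 or newer for `-O verify-required`; the host name `example.org`, the file names and the `enroll`/`roam` sub-commands are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH >= 8.2
# (sk key types, resident keys) and >= 8.4 for -O verify-required.
# "example.org", the file names and the enroll/roam sub-commands are
# placeholders.

# Extract "MAJOR MINOR" from either a client banner ("OpenSSH_8.2p1 ...",
# as printed by `ssh -V`) or a server banner ("SSH-2.0-OpenSSH_8.2p1 ...",
# as sent on connect). Prints nothing for non-OpenSSH banners.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# ssh_at_least BANNER MAJOR MINOR: succeed only if BANNER is from OpenSSH
# version MAJOR.MINOR or later.
ssh_at_least() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then return 1; fi
    need_major=$2
    need_minor=$3
    set -- $ver
    if [ "$1" -gt "$need_major" ]; then return 0; fi
    if [ "$1" -eq "$need_major" ] && [ "$2" -ge "$need_minor" ]; then return 0; fi
    return 1
}

# Both ends need this: the sk key types are a new signature algorithm, so
# an older sshd simply does not recognise the public key.
ssh_supports_sk() { ssh_at_least "$1" 8 2; }

# Print the ssh-keygen invocation for enrolling a key on the authenticator.
#   resident     - credential stored on the token; it can be pulled back
#                  down on any machine with `ssh-keygen -K`
#   handle-only  - only the key handle file on disk refers to it; to roam,
#                  copy that file (it is useless without the token)
# -O verify-required makes every signature need the token's PIN as well as
# a touch, so a stolen token alone is not enough.
enroll_cmd() {
    mode=$1
    out=$2
    opts=""
    if [ "$mode" = resident ]; then opts="-O resident "; fi
    printf 'ssh-keygen -t ed25519-sk %s-O verify-required -f %s\n' "$opts" "$out"
}

case "${1:-}" in
enroll)
    # `ssh -V` prints to stderr; verify-required needs 8.4.
    ssh_at_least "$(ssh -V 2>&1)" 8 4 || { echo "client OpenSSH too old" >&2; exit 1; }
    # The server announces its version in the debug output before auth.
    banner=$(ssh -v -o BatchMode=yes example.org true 2>&1 |
        grep 'remote software version')
    ssh_supports_sk "$banner" || { echo "server OpenSSH too old" >&2; exit 1; }
    # Touch the token (and enter its PIN) when prompted; install the
    # resulting .pub on the server as usual.
    eval "$(enroll_cmd resident "$HOME/.ssh/id_ed25519_sk")"
    ;;
roam)
    # On a second machine with only the token: pull the resident
    # credential's handle back down (written as id_*_sk_rk files in the
    # current directory), then load it into the running agent.
    cd "$HOME/.ssh" && ssh-keygen -K
    ssh-add -K
    ;;
esac
```

On the udev idea from the original question: `ssh-add -K` needs the user's `SSH_AUTH_SOCK` and prompts for the token PIN, so it does not sit naturally in a udev rule, which runs as root outside the session. The easier pattern is to keep the handle file in `~/.ssh` (it is only a reference to the credential, which is why it can be copied around) and let `ssh` talk to the token on demand.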