Hacker News new | ask | show | jobs
by knorker 2178 days ago
Waited 10 years? Why didn't you just use a yubikey in PIV mode, or the yubikey with gpg, or a smartcard, or… I've been using a yubikey PIV for, hmm… at least 5 years.

Sure, a FIDO key is cheaper.
2 comments
xaduha 2178 days ago
BTW both PIV and GPG in Yubikeys are just applets and not particularly suited for SSH use either. Proper applet for it is this one https://github.com/philipWendland/IsoApplet, if you can install it of course.

Some get confused or have bad associations when hearing the word 'applet', but that is what they are, as in 'Java applet'.

This one is too https://developers.yubico.com/ykneo-oath/Releases/

link
knorker 2178 days ago
What makes you say it's not particularly suited for SSH?
link
xaduha 2178 days ago
Because they were made for a different purpose, with extra hoops you need to jump through.
link
knorker 2178 days ago
U2F was made for a different purpose too.

I don't see what's so extra hoop-y about telling SSH "use key from industry standard PKCS#11". That's literally what it's there for, and when Yubico added PIV support that instantly added support to multiple operating systems (incl Linux & Windows) where SSH keys "just work".

I can take a yubikey today from my Linux system, plug it into a Windows machine, and Putty with wincrypt support "just works". Because that's how it was designed.

link
xaduha 2178 days ago
You're using yubikey agent or ykcs11 or yubico-piv-tool or somesuch nonsense most likely that actually provides PKCS#11. That is it wraps whatever PIV is supposed to do and gives you PKCS#11 interface. I'm talking about something that isn't Yubico specific and provides PKCS#11 and PKCS#15 with OpenSC straight ootb.

e.g. issues that described here are avoided https://github.com/FiloSottile/yubikey-agent#alternatives

link
knorker 2177 days ago
I'm using opensc straight of the box, with vanilla SSH. I am using ssh-agent, but it works just as well without it.

I can pop my yubikey into a plain vanilla install of Linux and run "ssh -oPKCS11Provider=/path/to/opensc-pkcs11.so user@host.com".

Or just put this into your ~/.ssh/config

Host *

  PKCS11Provider /path/to/opensc-pkcs11.so
Or on a Windows plain vanilla system I just pop the key in and tell putty-cryptoapi to use "the smartcard key". Windows pops up my pinentry dialog, then I touch to verify physical presence, and in I go.

I agree that the gpg-agent way is yuck. But I still don't understand what you mean about the PKCS#11 way though. Yes, setting up the key required yubico tooling. Is that what you're talking about?

link
closeparen 2178 days ago
OpenSSH doesn't do X.509, how would PIV mode or a smartcard help?
link
Xylakant 2178 days ago
Yubikeys work in PIV mode with openssh, it just requires the necessary module and some invocation dance with ssh-agent https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PK... or Filippo Valsordas yubikey-agent https://github.com/FiloSottile/yubikey-agent
link
knorker 2177 days ago
What invocation dance?

This works:

"ssh -oPKCS11Provider=/path/to/opensc-pkcs11.so user@host.com"

Or you place that in your ~/.ssh/config

Host *

  PKCS11Provider /path/to/opensc-pkcs11.so
link
knorker 2178 days ago
Another guide, that doesn't even require yubico's PKCS11 module: https://ruimarinho.gitbooks.io/yubikey-handbook/content/ssh/...
link