Hacker News new | ask | show | jobs
by xaduha 2178 days ago
You're using yubikey agent or ykcs11 or yubico-piv-tool or somesuch nonsense most likely that actually provides PKCS#11. That is it wraps whatever PIV is supposed to do and gives you PKCS#11 interface. I'm talking about something that isn't Yubico specific and provides PKCS#11 and PKCS#15 with OpenSC straight ootb.

e.g. issues that described here are avoided https://github.com/FiloSottile/yubikey-agent#alternatives
1 comments
knorker 2177 days ago
I'm using opensc straight of the box, with vanilla SSH. I am using ssh-agent, but it works just as well without it.

I can pop my yubikey into a plain vanilla install of Linux and run "ssh -oPKCS11Provider=/path/to/opensc-pkcs11.so user@host.com".

Or just put this into your ~/.ssh/config

Host *

  PKCS11Provider /path/to/opensc-pkcs11.so
Or on a Windows plain vanilla system I just pop the key in and tell putty-cryptoapi to use "the smartcard key". Windows pops up my pinentry dialog, then I touch to verify physical presence, and in I go.

I agree that the gpg-agent way is yuck. But I still don't understand what you mean about the PKCS#11 way though. Yes, setting up the key required yubico tooling. Is that what you're talking about?

link
xaduha 2177 days ago
I never owned a yubikey and things probably changed over the years also since I last looked into it. But even so what you have there is a proprietary applet with lots of extensions https://developers.yubico.com/PIV/Introduction/Yubico_extens...

If it works with OpenSC out of the box, then that's because Yubico made it to work. I pretty sure that if you tried to use a publicly available PIV applet that does its PIV duties in accordance with the specs you are not going to have a good time trying to pair it with OpenSSH.

link
knorker 2177 days ago
Well… do you still say that it's not particularly well suited, then?

If yes, then why?

link
xaduha 2177 days ago
Decide for yourself, PIV is an old and sprawling monstrosity and if you go from the specs, then no, it's not particularly suited for this relatively simple task. Proprietary PIV applet made by Yubico might be, but is that a good thing? Not in my book when they easily could've done what Philip Wendland did there with IsoApplet, having several applets and switching between them is basic stuff.
link