reorder SSH section of the yubikey guide to promote openpgp
authored Aug 21, 2024 by anarcat
This is to answer a recent onboarding question of "yes, i read the guide but what do *you* use?"
howto/yubikey.md
View page @ 385adfef
@@ -143,7 +143,23 @@ instructions:
8.
If you have not already done so, generate and save the 2FA backup codes.
9.
Log out and log back in again, to verify the yubikey 2FA works.
## SSH authentication in FIDO2 mode
## SSH authentication
You can use your YubiKey to authenticate with SSH servers using one
three "applets" provided by the device:
-
OpenPGP
-
FIDO2
-
PIV
### OpenPGP
You can (and probably should) use your YubiKey in OpenPGP mode to
authenticate with SSH servers. This, however, requires a more complex
setup than can fit in this section, see the
[
OpenPGP operations
section
](
#openpgp-operations
)
for details.
### FIDO2
Recent YubiKeys like the YubiKey 5 ship a "FIDO2" applet that is
generally used for two-factor authentication. But SSH also supports
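Review bot: the new intro sentence "using one three "applets" provided by the device" is missing a word; it should read "using one of three "applets" provided by the device". One structural follow-up in the same hunk: the old level-2 heading "SSH authentication in FIDO2 mode" becomes the level-3 "FIDO2" under the new "SSH authentication" section, so if the FIDO2 text that follows has its own sub-headings they need the same one-level demotion that the later hunks apply to "Token setup" and "Configure SSH" in the PIV section, otherwise they outrank their new parent.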
@@ -165,7 +181,7 @@ the modes below, in addition to native FIDO2 keys.
In particular,
`-sk`
keys are currently
*not*
supported by our
[
LDAP
](
howto/ldap
)
configuration, see
[
this ticket
](
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41166
)
for details.
##
SSH RSA authentication in PIV mode
##
# PIV
This guide should be followed if you want to use SSH without depending
on OpenPGP
*or*
FIDO2.
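Review bot: the replacement heading "PIV" drops the "RSA" qualifier the old heading "SSH RSA authentication in PIV mode" carried, so the key type should now be stated in the intro sentence; that sentence's "This guide should be followed" also reads oddly for what is now a subsection of "SSH authentication" next to OpenPGP and FIDO2. Suggest "Follow this section if you want to use SSH with an RSA key in the PIV applet, without depending on OpenPGP *or* FIDO2."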
@@ -181,11 +197,11 @@ platform for websites. For modern SSH servers, the `ed25519-sk` key type is
preferred.
*
WARNING: because
`yubikey-agent`
requires exclusive access to the yubikey, this
method is only practical when the
y
ubi
k
ey's OpenPGP interface is
**not**
used.
method is only practical when the
Y
ubi
K
ey's OpenPGP interface is
**not**
used.
Otherwise, the more practical solution is to use the OpenPGP interface with an
authentication subkey that can be used as an SSH key pair.
*
### Token setup
###
#
Token setup
First, one must install
[
yubikey-manager
](
https://github.com/Yubico/yubikey-manager
)
.
On Debian 11 (bullseye), a simple
`apt install yubikey-manager`
is sufficient. On
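Review bot: the sentence "Otherwise, the more practical solution is to use the OpenPGP interface with an authentication subkey that can be used as an SSH key pair." now restates the advice given in the new "OpenPGP" subsection of the first hunk, so link it to the same `#openpgp-operations` anchor; a reader who lands directly in the PIV section otherwise has no pointer to the setup. The "YubiKey" capitalization fix and the demotion of "Token setup" to a level-4 heading under the level-3 "PIV" are consistent with the earlier hunks.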
@@ -232,7 +248,7 @@ the token LED, which flashes when touch is requested, isn't well into view.
These instructions are spinned off from those found at: https://eta.st/2021/03/06/yubikey-5-piv.html
### Configure SSH
###
#
Configure SSH
If not done already, now is a good time to setup the ssh configuration for the
TPO jump host, see
[
ssh-jump-host
](
/doc/ssh-jump-host/
)
for these instructions.
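Review bot: while demoting "Configure SSH" to level 4, fix the two context lines around it in the same change: "These instructions are spinned off" should be "spun off", and "a good time to setup the ssh configuration" should use the verb "set up" and "SSH".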
@@ -249,10 +265,6 @@ protocol for non-TPO hosts, you may add this at the end of `~./ssh/config`:
IdentityAgent /dev/null
IdentityFile ~/.ssh/id_ed25519_sk
## SSH authentication in OpenPGP mode
See below.
## OpenPGP operations
The YubiKeys also ship with an "OpenPGP smartcard applet" that allows
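Review bot: removing the "SSH authentication in OpenPGP mode" stub that only said "See below" is right now that the first hunk gives OpenPGP its own subsection pointing at `#openpgp-operations`; the hunk header context, however, still reads `~./ssh/config`, a typo for `~/.ssh/config`, and since that is the file readers are told to paste the `IdentityAgent /dev/null` and `IdentityFile ~/.ssh/id_ed25519_sk` lines into, it is worth fixing in the same commit.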