reorder SSH section of the yubikey guide to promote openpgp
authored Aug 21, 2024 by anarcat
This is to answer a recent onboarding question of "yes, I read the guide but what do *you* use?"
howto/yubikey.md
View page @
385adfef
...
@@ -143,7 +143,23 @@ instructions:
...
@@ -143,7 +143,23 @@ instructions:
8.
If you have not already done so, generate and save the 2FA backup codes.
8.
If you have not already done so, generate and save the 2FA backup codes.
9.
Log out and log back in again, to verify the yubikey 2FA works.
9.
Log out and log back in again, to verify the yubikey 2FA works.
## SSH authentication in FIDO2 mode
## SSH authentication
You can use your YubiKey to authenticate with SSH servers using one
three "applets" provided by the device:
-
OpenPGP
-
FIDO2
-
PIV
### OpenPGP
You can (and probably should) use your YubiKey in OpenPGP mode to
authenticate with SSH servers. This, however, requires a more complex
setup than can fit in this section, see the
[
OpenPGP operations
section
](
#openpgp-operations
)
for details.
### FIDO2
Recent YubiKeys like the YubiKey 5 ship a "FIDO2" applet that is
Recent YubiKeys like the YubiKey 5 ship a "FIDO2" applet that is
generally used for two-factor authentication. But SSH also supports
generally used for two-factor authentication. But SSH also supports
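Review bot: typo in the new intro paragraph of this hunk: "using one three "applets"" should read "using one of three "applets"". The new `### OpenPGP` subsection only forwards to `#openpgp-operations`; since the commit's purpose is to promote that mode, one sentence here on why it is preferred (the later warning already notes that `yubikey-agent` needs exclusive access to the token, so PIV and OpenPGP do not coexist well) would help the onboarding reader the commit message mentions.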
...
@@ -165,7 +181,7 @@ the modes below, in addition to native FIDO2 keys.
...
@@ -165,7 +181,7 @@ the modes below, in addition to native FIDO2 keys.
In particular,
`-sk`
keys are currently
*not*
supported by our
In particular,
`-sk`
keys are currently
*not*
supported by our
[
LDAP
](
howto/ldap
)
configuration, see
[
this ticket
](
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41166
)
for details.
[
LDAP
](
howto/ldap
)
configuration, see
[
this ticket
](
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41166
)
for details.
##
SSH RSA authentication in PIV mode
##
# PIV
This guide should be followed if you want to use SSH without depending
This guide should be followed if you want to use SSH without depending
on OpenPGP
*or*
FIDO2.
on OpenPGP
*or*
FIDO2.
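Review bot: renaming `## SSH RSA authentication in PIV mode` to `### PIV` changes the generated heading anchor, so any existing link to `#ssh-rsa-authentication-in-piv-mode` elsewhere in the wiki will break; check for inbound links before merging. The unchanged sentence that follows, "This guide should be followed if you want to use SSH without depending on OpenPGP *or* FIDO2", reads oddly now that PIV is one subsection of three; "This section" would fit better.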
...
@@ -181,11 +197,11 @@ platform for websites. For modern SSH servers, the `ed25519-sk` key type is
...
@@ -181,11 +197,11 @@ platform for websites. For modern SSH servers, the `ed25519-sk` key type is
preferred.
preferred.
*
WARNING: because
`yubikey-agent`
requires exclusive access to the yubikey, this
*
WARNING: because
`yubikey-agent`
requires exclusive access to the yubikey, this
method is only practical when the
y
ubi
k
ey's OpenPGP interface is
**not**
used.
method is only practical when the
Y
ubi
K
ey's OpenPGP interface is
**not**
used.
Otherwise, the more practical solution is to use the OpenPGP interface with an
Otherwise, the more practical solution is to use the OpenPGP interface with an
authentication subkey that can be used as an SSH key pair.
*
authentication subkey that can be used as an SSH key pair.
*
### Token setup
###
#
Token setup
First, one must install
[
yubikey-manager
](
https://github.com/Yubico/yubikey-manager
)
.
First, one must install
[
yubikey-manager
](
https://github.com/Yubico/yubikey-manager
)
.
On Debian 11 (bullseye), a simple
`apt install yubikey-manager`
is sufficient. On
On Debian 11 (bullseye), a simple
`apt install yubikey-manager`
is sufficient. On
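Review bot: the WARNING's "Otherwise, the more practical solution is to use the OpenPGP interface with an authentication subkey" now has a sibling subsection to point at; link it to the OpenPGP subsection (or to `#openpgp-operations`, as the new intro does) instead of leaving the reader to find it. The `yubikey's` to `YubiKey's` capitalization fix is good; the lone `*` context lines before and after the warning look like stray list-marker lines and are worth checking in the rendered page.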
...
@@ -232,7 +248,7 @@ the token LED, which flashes when touch is requested, isn't well into view.
...
@@ -232,7 +248,7 @@ the token LED, which flashes when touch is requested, isn't well into view.
These instructions are spinned off from those found at: https://eta.st/2021/03/06/yubikey-5-piv.html
These instructions are spinned off from those found at: https://eta.st/2021/03/06/yubikey-5-piv.html
### Configure SSH
###
#
Configure SSH
If not done already, now is a good time to setup the ssh configuration for the
If not done already, now is a good time to setup the ssh configuration for the
TPO jump host, see
[
ssh-jump-host
](
/doc/ssh-jump-host/
)
for these instructions.
TPO jump host, see
[
ssh-jump-host
](
/doc/ssh-jump-host/
)
for these instructions.
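Review bot: while this hunk touches the area, the context lines "These instructions are spinned off from those found at" and "now is a good time to setup the ssh configuration" should read "spun off" and "set up", and "ssh" should be "SSH" to match the headings.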
...
@@ -249,10 +265,6 @@ protocol for non-TPO hosts, you may add this at the end of `~./ssh/config`:
...
@@ -249,10 +265,6 @@ protocol for non-TPO hosts, you may add this at the end of `~./ssh/config`:
IdentityAgent /dev/null
IdentityAgent /dev/null
IdentityFile ~/.ssh/id_ed25519_sk
IdentityFile ~/.ssh/id_ed25519_sk
## SSH authentication in OpenPGP mode
See below.
## OpenPGP operations
## OpenPGP operations
The YubiKeys also ship with an "OpenPGP smartcard applet" that allows
The YubiKeys also ship with an "OpenPGP smartcard applet" that allows
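Review bot: deleting `## SSH authentication in OpenPGP mode` and its "See below." stub removes that heading's anchor, so any link to `#ssh-authentication-in-openpgp-mode` elsewhere in the wiki now lands nowhere; grep for it before merging. Separately, the hunk header's context line reads `~./ssh/config`, which should be `~/.ssh/config`.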