# YubiKey setup

## Use the PIV feature as a two-factor ssh-rsa key
### Token setup
YubiKey 5-series tokens, which support the [FIPS 201](https://en.wikipedia.org/wiki/FIPS_201)
standard, also known as PIV, can be used as a convenient second factor for ssh
public key authentication: the private key is generated in a PIV slot on the
token and never leaves it, so possession of the YubiKey (plus its PIN) is what
authenticates you.

touched to perform an authentication operation. This is especially useful when
the token LED, which flashes when touch is requested, is not in plain view.

These instructions are adapted from those found at: https://eta.st/2021/03/06/yubikey-5-piv.html

### Configure SSH
If not done already, now is a good time to set up the ssh configuration for the
TPO jump host; see [ssh-jump-host](/doc/ssh-jump-host/) for those instructions.

To have the `ssh` command use `yubikey-agent` when connecting to TPO hosts, add
this line in `~/.ssh/config` under `Host *.torproject.org` (the `1000` in the
socket path is your numeric user id, which `id -u` prints; adjust it if yours
differs):

    IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock

If you also want to use `ed25519-sk`-type keys (generated with `ssh-keygen -t
ed25519-sk`) based on the FIDO2 protocol for non-TPO hosts, add this at the end
of `~/.ssh/config`. It has to come after the `Host *.torproject.org` stanza:
`ssh` takes the first value it finds for each option, so a `Host *` block placed
earlier would also disable the agent for TPO hosts. (`IdentityAgent none` is the
spelling documented in `ssh_config(5)` for not using an agent at all.)

    Host *
        IdentityAgent /dev/null
        IdentityFile ~/.ssh/id_ed25519_sk
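
Why the order of the two stanzas matters is easy to get wrong, so here is an
added example (not code from this page, nor from yubikey-agent or OpenSSH) that
models the relevant part of `ssh_config(5)` resolution: stanzas are scanned in
file order, a single-valued option such as `IdentityAgent` keeps the first value
found, and multi-valued options such as `IdentityFile` accumulate. The two config
texts and the hostname `example.torproject.org` are constructed for the
demonstration; the recommended config is the one shown above and the second one
has the same stanzas with `Host *` first.

```python
"""Model of OpenSSH's ssh_config resolution order.

Added example, not code from the Tor Project page, yubikey-agent or OpenSSH:
it implements only the subset of ssh_config(5) needed to show why the `Host *`
stanza that disables the agent must come after `Host *.torproject.org`.
Real ssh applies the same rules; `ssh -G host` prints what it resolved.
"""
import re
from fnmatch import fnmatchcase

# Constructed config in the order the page recommends.
CONFIG_RECOMMENDED = """\
Host *.torproject.org
    IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock

Host *
    IdentityAgent /dev/null
    IdentityFile ~/.ssh/id_ed25519_sk
"""

# Same stanzas with `Host *` first: the mistake this example demonstrates.
CONFIG_WRONG_ORDER = """\
Host *
    IdentityAgent /dev/null
    IdentityFile ~/.ssh/id_ed25519_sk

Host *.torproject.org
    IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock
"""

# Options that accumulate instead of keeping the first value (ssh_config(5)).
MULTI_VALUED = {"identityfile", "certificatefile"}

# "Key value" or "Key=Value"; option names are case-insensitive.
_LINE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*)$")


def parse(text):
    """Split config text into (host_patterns, [(option, value), ...]) stanzas."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = (value.split(), [])
            stanzas.append(current)
        else:
            if current is None:  # options before any Host line apply everywhere
                current = (["*"], [])
                stanzas.append(current)
            current[1].append((key, value))
    return stanzas


def host_matches(patterns, hostname):
    """Host semantics: match at least one positive pattern and no '!' pattern."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(text, hostname):
    """Resolve options for hostname: first value wins, multi-valued ones append."""
    resolved = {}
    for patterns, options in parse(text):
        if not host_matches(patterns, hostname):
            continue
        for key, value in options:
            if key in MULTI_VALUED:
                resolved.setdefault(key, []).append(value)
            else:
                resolved.setdefault(key, value)  # later stanzas cannot override
    return resolved


if __name__ == "__main__":
    for label, cfg in (("recommended", CONFIG_RECOMMENDED),
                       ("wrong order", CONFIG_WRONG_ORDER)):
        for host in ("example.torproject.org", "example.com"):
            agent = resolve(cfg, host).get("identityagent")
            print("%-12s %-24s IdentityAgent=%s" % (label, host, agent))
```

With the recommended order the TPO host resolves to the yubikey-agent socket
and everything else to `/dev/null`; with `Host *` first, the TPO host also gets
`/dev/null` and the PIV key is never offered. Compare against your real config
with `ssh -G some.host.torproject.org | grep -i identityagent`.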