... | ... | @@ -117,26 +117,13 @@ often not supported by old devices and servers. Users who would like to to use |
|
|
their YubiKey to secure connections to such older SSH servers may use one of
|
|
|
the modes below, in addition to native FIDO2 keys.
|
|
|
|
|
|
## SSH authentication in OpenPGP mode
|
|
|
|
|
|
The YubiKeys also ship with an "OpenPGP smartcard applet" that allows you
|
|
|
to store cryptographic keys. The YubikKey 5 in particular supports ECC
|
|
|
keys.
|
|
|
|
|
|
[This guide](https://github.com/drduh/YubiKey-Guide) will allow you to use OpenPGP to store keys on the
|
|
|
YubiKey and then use that key to authenticate to SSH servers. TPA may
|
|
|
eventually sublime this rather long guide in a simpler version
|
|
|
specifically tailored for you, possibly based on [anarcat's guide](https://anarc.at/blog/2015-12-14-yubikey-howto/#configuring-a-pin).
|
|
|
|
|
|
Also review the [Ultimate Yubikey Setup Guide with ed25519!][] and
|
|
|
the [other documentation](#other-documentation) section.
|
|
|
|
|
|
[Ultimate Yubikey Setup Guide with ed25519!]: https://zach.codes/ultimate-yubikey-setup-guide/
|
|
|
In particular, `-sk` keys are currently *not* supported by our
|
|
|
[LDAP](howto/ldap) configuration, see [this ticket](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41166) for details.
|
|
|
|
|
|
## SSH RSA authentication in PIV mode
|
|
|
|
|
|
This guide should be followed if you want to use SSH without depending
|
|
|
on OpenPGP *and* FIDO2.
|
|
|
on OpenPGP *or* FIDO2.
|
|
|
|
|
|
### Token setup
|
|
|
|
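Review bot: the `-sk` spelling in `In particular, \`-sk\` keys are currently *not* supported by our` does not match the `sk-` spelling used in the OpenPGP section further down, and neither matches OpenSSH's own naming: the key types are `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com`, and only the default file names end in `_sk` (as in `id_ed25519_sk`). Pick one form, e.g. "FIDO2 (`sk-`) keys", and use it on the whole page, and consider turning this sentence into a proper cross-reference to the PIV and OpenPGP alternatives now that the OpenPGP section no longer sits between it and the intro. The `*and*` to `*or*` change in the PIV intro is right: the PIV path depends on neither. While touching this region, the context line `often not supported by old devices and servers. Users who would like to to use` has a doubled `to`.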
... | ... | @@ -212,26 +199,24 @@ protocol for non-TPO hosts, you may add this at the end of `~./ssh/config`: |
|
|
IdentityAgent /dev/null
|
|
|
IdentityFile ~/.ssh/id_ed25519_sk
|
|
|
|
|
|
## OpenPGP operations
|
|
|
## SSH authentication in OpenPGP mode
|
|
|
|
|
|
YubiKeys can also be used for general operation with OpenPGP,
|
|
|
regardless of purpose. For signatures, the operation is relatively
|
|
|
similar to the [SSH guide above](#ssh-authentication-in-openpgp-mode), except there's no need to do any
|
|
|
SSH-specific configuration.
|
|
|
See below.
|
|
|
|
|
|
WARNING: this is just a collection of notes, a draft that @anarcat is
|
|
|
working on and which will hopefully evolve in a cohesive (and tested)
|
|
|
guide.
|
|
|
## OpenPGP operations
|
|
|
|
|
|
TODO: merge with the above SSH guide?
|
|
|
The YubiKeys also ship with an "OpenPGP smartcard applet" that allows
|
|
|
you to store cryptographic keys. The YubikKey 5 in particular supports
|
|
|
ECC keys.
|
|
|
|
|
|
We use OpenPGP here because it's still the "standard" (e.g. specified
|
|
|
in RFCs) way to do interoperable offline cryptographic operations in
|
|
|
various locations. It's also heavily used at Tor and, until further
|
|
|
notice, a requirement to get a working email account. Finally, the
|
|
|
OpenPGP applet provides a way to use SSH with YubiKeys that is
|
|
|
somewhat clunky, but doesn't suffer from backwards compatibility
|
|
|
problems that the SSH `sk-` keys suffer from.
|
|
|
notice, a requirement to get a working email account.
|
|
|
|
|
|
Finally, the OpenPGP applet provides a way to use SSH with YubiKeys
|
|
|
that is somewhat clunky, but doesn't suffer from backwards
|
|
|
compatibility problems that the SSH `sk-` keys suffer from.
|
|
|
|
|
|
The stack we going to setup is as follows:
|
|
|
|
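Review bot: the new `## SSH authentication in OpenPGP mode` section ends up containing only `See below.`, which tells a reader coming from the table of contents nothing about where to go; either make it an explicit link (`See [OpenPGP operations](#openpgp-operations) below.`) or drop the heading and put that pointer in the intro paragraph of the page. The re-added paragraph carries the `YubikKey 5` typo over from the removed text (`you to store cryptographic keys. The YubikKey 5 in particular supports`), and the context line `you may add this at the end of \`~./ssh/config\`` has the path wrong (`~/.ssh/config`). Two caveats worth a sentence next to the `IdentityAgent /dev/null` / `IdentityFile ~/.ssh/id_ed25519_sk` snippet: ssh_config uses first-match semantics, so a block appended "at the end" only applies to hosts not already matched by an earlier `Host`/`Match` stanza, and `IdentityAgent /dev/null` also hides a gpg-agent-backed OpenPGP key from those hosts, which is the intended effect here but should be stated. For the split-out "Finally, the OpenPGP applet ..." paragraph, the compatibility advantage is server-side only (the server sees a plain RSA or Ed25519 key); the client still needs gpg-agent with SSH support and `SSH_AUTH_SOCK` pointed at it, which is the "somewhat clunky" part and deserves to be spelled out. Minor: `The stack we going to setup` is missing "are" and should read "set up".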
... | ... | @@ -1163,6 +1148,7 @@ the secret key material is available on the backup YubiKey. |
|
|
Sherlock create](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/) - untested
|
|
|
* [TPA-RFC-53][] and [discussion ticket](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41083)
|
|
|
|
|
|
[Ultimate Yubikey Setup Guide with ed25519!]: https://zach.codes/ultimate-yubikey-setup-guide/
|
|
|
[TPA-RFC-53]: policy/tpa-rfc-53-security-keys
|
|
|
[Yubikey + GnuPG + SSH howto]: https://gist.github.com/xirkus/20552a9b026413cc84191131bbeeb48a
|
|
|
[drduh's YubiKey Guide]: https://github.com/drduh/YubiKey-Guide
|