... | ... | @@ -83,8 +83,35 @@ instructions: |
|
|
|
|
|
TODO
|
|
|
|
|
|
## SSH authentication in OpenPGP mode
|
|
|
|
|
|
The YubiKeys ship with an "OpenPGP smartcard applet" that allows you
|
|
|
to store cryptographic keys. The YubikKey 5 in particular supports ECC
|
|
|
keys.
|
|
|
|
|
|
[This guide](https://github.com/drduh/YubiKey-Guide) will allow you to use OpenPGP to store keys on the
|
|
|
YubiKey and then use that key to authenticate to SSH servers. TPA may
|
|
|
eventually sublime this rather long guide in a simpler version
|
|
|
specifically tailored for you.
|
|
|
|
|
|
## SSH authentication in FIDO2 mode
|
|
|
|
|
|
Recent YubiKeys like the YubiKey 5 also ship a "FIDO2" applet that is
|
|
|
generally used for two-factor authentication. But SSH also supports
|
|
|
using that to store SSH keys, which can therefore be used to
|
|
|
authenticate against servers.
|
|
|
|
|
|
[This Yubico guide](https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html) shows you how to configure such keys,
|
|
|
recognizable from their `-sk` suffix (e.g. `ed25519-sk`). TPA may
|
|
|
eventually provide a guide for this here as well.
|
|
|
|
|
|
## SSH RSA authentication in PIV mode
|
|
|
|
|
|
⚠ This guide is deprecated and the above procedures should followed
|
|
|
instead. ⚠
|
|
|
|
|
|
TODO: document why
|
|
|
|
|
|
### Token setup
|
|
|
|
|
|
YubiKey 5-series tokens, which support the [FIPS 201](https://en.wikipedia.org/wiki/FIPS_201)
|
... | ... | |
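Review bot: The deprecation notice added under "SSH RSA authentication in PIV mode" is followed by a bare "TODO: document why", so readers are told to abandon the PIV procedure without any stated reason. Either give the rationale in a sentence or link the tracking issue before merging. The notice also points to "the above procedures", but the OpenPGP and FIDO2 sections added here only link to external guides and say TPA "may eventually" provide its own, so it would help to name which of the two is the recommended replacement. Wording nits in the added lines: "YubikKey 5" should be "YubiKey 5", "should followed" is missing "be", and "sublime this rather long guide in a simpler version" probably means "distill" or "condense ... into".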