... | ... | @@ -83,9 +83,27 @@ instructions: |
|
|
|
|
|
TODO
|
|
|
|
|
|
## SSH authentication in FIDO2 mode
|
|
|
|
|
|
Recent YubiKeys like the YubiKey 5 ship a "FIDO2" applet that is
|
|
|
generally used for two-factor authentication. But SSH also supports
|
|
|
using that to store SSH keys, which can therefore be used to
|
|
|
authenticate against servers.
|
|
|
|
|
|
[This Yubico guide](https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html) shows you how to configure such keys,
|
|
|
recognizable from their `-sk` suffix (e.g. `ed25519-sk`).
|
|
|
|
|
|
This is the recommended method for users who want to use their YubiKeys for SSH
|
|
|
connections to GitLab, GitHub, Debian servers, etc.
|
|
|
|
|
|
It should be noted that the `-sk` SSH keys are relatively new, and as such are
|
|
|
often not supported by old devices and servers. Users who would like to to use
|
|
|
their YubiKey to secure connections to such older SSH servers may use one of
|
|
|
the modes below, in addition to native FIDO2 keys.
|
|
|
|
|
|
## SSH authentication in OpenPGP mode
|
|
|
|
|
|
The YubiKeys ship with an "OpenPGP smartcard applet" that allows you
|
|
|
The YubiKeys also ship with an "OpenPGP smartcard applet" that allows you
|
|
|
to store cryptographic keys. The YubikKey 5 in particular supports ECC
|
|
|
keys.
|
|
|
|
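Review bot: typo in the new `-sk` compatibility paragraph: "Users who would like to to use their YubiKey" doubles "to", and the OpenPGP context line "The YubikKey 5 in particular supports ECC keys" should read "YubiKey 5". The same paragraph says `-sk` keys are "often not supported by old devices and servers" without saying what "old" means; name the minimum OpenSSH version required on both the client and the server (these key types arrived in OpenSSH 8.2) so a reader can check `ssh -V` before picking this mode. The bare "TODO" line that survives above the new "SSH authentication in FIDO2 mode" heading also renders as unfinished text and should be resolved or dropped before this lands.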
... | ... | @@ -94,24 +112,8 @@ YubiKey and then use that key to authenticate to SSH servers. TPA may |
|
|
eventually sublime this rather long guide in a simpler version
|
|
|
specifically tailored for you, possibly based on [anarcat's guide](https://anarc.at/blog/2015-12-14-yubikey-howto/#configuring-a-pin).
|
|
|
|
|
|
## SSH authentication in FIDO2 mode
|
|
|
|
|
|
Recent YubiKeys like the YubiKey 5 also ship a "FIDO2" applet that is
|
|
|
generally used for two-factor authentication. But SSH also supports
|
|
|
using that to store SSH keys, which can therefore be used to
|
|
|
authenticate against servers.
|
|
|
|
|
|
[This Yubico guide](https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html) shows you how to configure such keys,
|
|
|
recognizable from their `-sk` suffix (e.g. `ed25519-sk`). TPA may
|
|
|
eventually provide a guide for this here as well.
|
|
|
|
|
|
## SSH RSA authentication in PIV mode
|
|
|
|
|
|
⚠ This guide is deprecated and the above procedures should followed
|
|
|
instead. ⚠
|
|
|
|
|
|
TODO: document why
|
|
|
|
|
|
### Token setup
|
|
|
|
|
|
YubiKey 5-series tokens, which support the [FIPS 201](https://en.wikipedia.org/wiki/FIPS_201)
|
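Review bot: the deprecation banner added to the PIV section is missing a word ("the above procedures should followed instead" should be "should be followed instead"), and it is immediately followed by "TODO: document why", so the rendered page now tells readers the RSA-in-PIV guide is deprecated without giving any reason. Replace the TODO with at least one sentence, for example pointing at the rationale the page already states (FIDO2 `-sk` keys are the recommended method, OpenPGP and PIV remain only for older servers that lack `-sk` support), or hold the banner until that reason is written. The removed FIDO2 block also dropped the sentence "TPA may eventually provide a guide for this here as well"; confirm the new top-of-page FIDO2 section is intended to replace that promise rather than silently lose it.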
... | ... | |