Loading howto/yubikey.md +15 −29 Original line number Diff line number Diff line Loading @@ -117,26 +117,13 @@ often not supported by old devices and servers. Users who would like to to use their YubiKey to secure connections to such older SSH servers may use one of the modes below, in addition to native FIDO2 keys. ## SSH authentication in OpenPGP mode The YubiKeys also ship with an "OpenPGP smartcard applet" that allows you to store cryptographic keys. The YubikKey 5 in particular supports ECC keys. [This guide](https://github.com/drduh/YubiKey-Guide) will allow you to use OpenPGP to store keys on the YubiKey and then use that key to authenticate to SSH servers. TPA may eventually sublime this rather long guide in a simpler version specifically tailored for you, possibly based on [anarcat's guide](https://anarc.at/blog/2015-12-14-yubikey-howto/#configuring-a-pin). Also review the [Ultimate Yubikey Setup Guide with ed25519!][] and the [other documentation](#other-documentation) section. [Ultimate Yubikey Setup Guide with ed25519!]: https://zach.codes/ultimate-yubikey-setup-guide/ In particular, `-sk` keys are currently *not* supported by our [LDAP](howto/ldap) configuration, see [this ticket](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41166) for details. ## SSH RSA authentication in PIV mode This guide should be followed if you want to use SSH without depending on OpenPGP *and* FIDO2. on OpenPGP *or* FIDO2. ### Token setup Loading Loading 
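Review bot: the `*and*` → `*or*` change in the PIV intro is correct (the section is for readers who want neither OpenPGP nor FIDO2), but removing the whole `## SSH authentication in OpenPGP mode` block here drops the only pointers the page had for that mode (drduh's YubiKey-Guide and the anarc.at PIN guide) without carrying them to the heading's new location, so the lead-in "may use one of the modes below" is followed by the PIV mode alone. Either move those two links along with the heading or reword the lead-in to name PIV explicitly. While the context line is in view, "who would like to to use" has a doubled "to".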
@@ -212,26 +199,24 @@ protocol for non-TPO hosts, you may add this at the end of `~./ssh/config`: IdentityAgent /dev/null IdentityFile ~/.ssh/id_ed25519_sk ## OpenPGP operations ## SSH authentication in OpenPGP mode YubiKeys can also be used for general operation with OpenPGP, regardless of purpose. For signatures, the operation is relatively similar to the [SSH guide above](#ssh-authentication-in-openpgp-mode), except there's no need to do any SSH-specific configuration. See below. WARNING: this is just a collection of notes, a draft that @anarcat is working on and which will hopefully evolve in a cohesive (and tested) guide. ## OpenPGP operations TODO: merge with the above SSH guide? The YubiKeys also ship with an "OpenPGP smartcard applet" that allows you to store cryptographic keys. The YubikKey 5 in particular supports ECC keys. We use OpenPGP here because it's still the "standard" (e.g. specified in RFCs) way to do interoperable offline cryptographic operations in various locations. It's also heavily used at Tor and, until further notice, a requirement to get a working email account. Finally, the OpenPGP applet provides a way to use SSH with YubiKeys that is somewhat clunky, but doesn't suffer from backwards compatibility problems that the SSH `sk-` keys suffer from. notice, a requirement to get a working email account. Finally, the OpenPGP applet provides a way to use SSH with YubiKeys that is somewhat clunky, but doesn't suffer from backwards compatibility problems that the SSH `sk-` keys suffer from. The stack we going to setup is as follows: Loading Loading 
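Review bot: after this hunk the `## SSH authentication in OpenPGP mode` heading has no body except the draft WARNING; the applet paragraph ("The YubiKeys also ship with an "OpenPGP smartcard applet"...") goes under `## OpenPGP operations` instead, and the deleted "TODO: merge with the above SSH guide?" suggests one merged section was the intent. Either put the applet paragraph and the SSH-specific pointers under the SSH heading, or drop the empty heading and keep a single `## OpenPGP operations` section; as written, a reader jumping to the SSH mode finds only a warning. Two smaller points in the unchanged lines: the path `~./ssh/config` should be `~/.ssh/config` (the snippet below it goes in that file), and "The stack we going to setup" is missing "are". The kept text also says "SSH `sk-` keys" while the first hunk says "`-sk` keys" and the config uses `id_ed25519_sk`; pick one spelling.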
@@ -1163,6 +1148,7 @@ the secret key material is available on the backup YubiKey. Sherlock create](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/) - untested * [TPA-RFC-53][] and [discussion ticket](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41083) [Ultimate Yubikey Setup Guide with ed25519!]: https://zach.codes/ultimate-yubikey-setup-guide/ [TPA-RFC-53]: policy/tpa-rfc-53-security-keys [Yubikey + GnuPG + SSH howto]: https://gist.github.com/xirkus/20552a9b026413cc84191131bbeeb48a [drduh's YubiKey Guide]: https://github.com/drduh/YubiKey-Guide Loading Loading
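Review bot: the added `[Ultimate Yubikey Setup Guide with ed25519!]:` definition has no reference left in this diff to resolve: its only visible use, `[Ultimate Yubikey Setup Guide with ed25519!][]`, is deleted in the first hunk. Unless the "other documentation" list above still cites it by that exact label, the definition is orphaned and renders nothing; either add a bullet for it beside the `[TPA-RFC-53][]` entry or drop the definition.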