One Key to Rule It All [YubiKey+GPG-SSH+FIDO2+MFA-ZeroTrust]

y’all got me conviced so i ordered my own yubikey today.

i’ll be back later with all my problems

5 Likes

Haha well we welcome them. I’m loving the attention this got. Seems I guessed the right topic with the lack of apparent surface knowledge :smiley:

You can do some much with these

@HaaStyleCat show the post your usual love :sweat_smile:. Hopefully your wife let’s you get a couple keys too. (Don’t make it a top priority) but they are nice

1 Like

I ended up getting Solo Keys instead of Yubi, I liked the Open Source aspect. The first gen can’t do as much but it appears that their 2nd gen can basically do everything Yubi keys can. Just waiting on my 2nd gen key to show up and hopefully I’ll be able to do a lot more with it, namely using it for SSH.

SoloKeys

3 Likes

I do like things open source but I realize with somethings that are firmware writeable that becomes a exploit surface particularly if I am storing them off site but yes the Solo 2nd gens are like the yubikey first gen. A long way to go but very promising. I look forward to seeing what they provide in the future.

Awesome write up! Lots for me to learn here.

When I tried to do Linux and Windows login 2fa with my Yubikey a few months ago I ended up using the challenge-response in the second slot since I couldn’t figure out how to get FIDO2/U2F to work for those purposes. Looks like you got it working in Linux, at least, so I’ll have to give it another shot.

1 Like

Yup just need the Pam module for fido2 and on Linux you need the fido2 library. That’s all really.

Windows is a different beast but windows hello as of 2020 I believe supports it. It will not work on ltsc enterprise

Sorry all on vacation rn, return Tuesday. Responses limited

1 Like

Thank you for sharing this. I’ve been (passively) looking for this info for a couple of years. And I just happened to stumble upon it while looking for something completely different. Funny how it always seems to happen that way.

2 Likes

for-sure-amos-burton

Hope you get use out of it

Welcome to the forum

1 Like

Do we have the @SgtAwesomesauce exactly what I needed in my life endorsement :wink:

Tell me what I need to clarify above?

I mean, I’ve been using it for all of 5 minutes, so if that’s anything to go off of, then yes.

I’ll update with my thoughts in a bit. Both recommendations for guide improvement and thoughts on daily usage.

1 Like

Okay cool yeah I just want to make sure I get those updated so it’s not confusing

It’s good to know the information hasn’t changed in terms of the procedure

1 Like

you know what I forgot that your gonna be messaging me how the fuck on

LOL

On any new machine since you cant export the key

Read the key info to be sure the card is connected:

gpg2 --card-status

Fetch the private key on the smartcard: It will download the public key if you don’t have it already.

$ gpg2 --card-edit
gpg/card> fetch

Then run the GPG Agent:

killall ssh-agent gpg-agent 
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK 
eval $(gpg-agent --daemon --enable-ssh-support)

Check if the key is present:

ssh-add -L

If no, try the gpg2 --card-status again. If the card is present you should have the key listed. It should take some time to list the keys in the agent if the syste is using GPG.

Then you can reimport your public key and AFTER you can insert your yubikey and run the gpg2 --card-status . If you keep your Yubikey inserted when you reimport the public key you’ll have a “no secret key” issue.

1 Like

Humble brag but I love how easy it makes ssh

1 Like

I gotta get mine set up

1 Like

that should be your next presentation/paper.

Talking about zero trust and multifactor auth … physical security that integrates into everything

2 Likes

You right. I also need to get a blog set up on my website so when I do this stuff I can have a digital resume.

1 Like

Yeah, I kinda figured that was the process, but I appreciate it being written down.

So how do I upload my pubkey to a keyserver? I can figure this out, but that should be in the guide

2 Likes

Wow, loving the guide - I’m going to set this up as well. Thanks so much for putting all this together. I will be trying this on Fedora, I doubt anything should be too different (fingers crossed).

Have you played much with Vault by Hashicorp? I’ve got a personal “lab” stack running with Consul and PKI/mTLS; if one wanted to take this to the next level, you could rotate secrets through that, or say AWS key management service. It’ll just be another layer on top.

1 Like

try gpg2 --keyserver <KEYSERVER> --send-keys <PUBLIC_KEY_ID> .

2 Likes