One Key to Rule It All [YubiKey+GPG-SSH+FIDO2+MFA-ZeroTrust]

Yeah I guess I left that out.

My original reasoning was there were 3 different ways and 2 different types of keyservers at the time but I think that’s changed. Let me find the more reliable/widespread way and I’ll add that in

The issue was the older SKS type gpg keys are now finally dead so that’s resolved… New standalone servers such as keys.openpgp.org (since 2018). This particular server does not synchronize with others, and requires key owners to opt-in to being published so it’s something to be aware of.

I’ll get this written in. At the time of writing it was a total mess. It was hard to recommend either direction… Some keyservers, such as Ubuntu keyserver, had replaced SKS with more modern and reliable software such as Hockeypuck. They do however still synchronize with the SKS pool which is both bad and good and functionality is less than stellar adding onto the issue… lol one of the oldest remaining keyservers is pgp.mit.edu (now running SKS software, previously PKS for a long time). It synchronizes with the SKS Keyserver Pool. Which is dead as of 2021 so what a mess

The old PGP Global Directory is still online, untouched since 2011. It is not part of the SKS pool and doesn’t sync with other servers which adds to the publicity problem.

The SKS software has been written to accept anything that looks vaguely like a PGP key packet to and store it forever. Its “gossip” protocol only exchanges new packets, but by design has no way to propagate deletions. Which COMPOUNDS the shit out of the issue with publications… and has caused problems for a long time, but started getting massively abused in 2018, which eventually led to the SKS Keyserver Pool’s destruction. Most new keyservers don’t have synchronization partly because they want to figure out how to combine opposing goals from what I know

I hope that captures my concern prior with telling people what server to use and how lol

1 Like

I’ve ordered 3x of the Series 5 NFC keys. Is it advisable to not use the NFC feature? Which NFC-usb receiver would you recommend?

P.S. as a hobbyist with an EEE background I wanted to improve my RF knowledge, as such recently picked up a fully-unlocked Rohde&Schwarz FCP1500. Only 3GHz but at least it serves within the range I plan to play in, tuning PCB antennas and other VNA/VSWR type measurements. Basic stuff with amplifiers, RF tx/rx stuff etc. Thought I’d share this as you’re a pro RF engineer - bet you get to use the best Fieldfox equipment etc. Must be a lot of fun!

1 Like

I don’t actually. I use a lot of specialize test equipment and tooling as the stuff I work on is a lot Ka Ku and V band stuff.

The R&S is good. Always good stuff from them.

RF knowledge isn’t esoteric so to speak it’s just more math than people are willing to do and consider professionally gaha.

There’s a couple interesting little hobbyist devices for low end stuff if your interested. It’s not going to be as great as the good test equipment but it’s cool for what it does and the price

Upgraded NanoVNA-F V2 Vector Network Analyzer 50kHz-3000MHz HF VHF UHF VNA Antenna Analyzer 4.3 inch with 5000mAh,Measuring S-Parameter Voltage SWR, Phase, delay, Smith Chart https://www.amazon.com/dp/B0825PZNJJ/ref=cm_sw_r_apan_glt_fabc_9YAHATAERQBKRQCS599G?_encoding=UTF8&psc=1

1 Like

Well my guess was that you’d be doing something in the 50GHz+ (mm-wave) range, heh.

Thanks for the tip on the NanoVNA; the FPC1500 I got has a tracking generator and should cover the basics. Only got it a few weeks back and sitting an waiting for various couplers/cables to arrive. 20dB attenuator, N-type Male to SMA cables etc etc.

Oh yes, I vaguely recall parts of the RF 101 course I had at Uni, but I was more interested in C++/microcontrollers. Hence dabbling in it now purely out of interest/curiosity.

1 Like

I turned off nfc for gpg but need other stuff to work with my phone so left it on.


I recently automated the gpg process (key creation and copying to card). For whatever reason, the yubikey behavior of caching the admin pin (puk) was different between macOS (where I developed the scripts) and OpenBSD (where I ran the scripts for myself). I haven’t tested it in Linux yet, but it did not work reliably in OpenBSD… Still I think these scripts can be useful as reference. A lot of the gpg functionality is poorly documenting imo.

I went with RSA4096 and used a 3rd secondary key for authentication instead of including it on the master key, but otherwise pretty similar to your guide @PhaseLockedLoop.

3 Likes

Nice dude that’s awesome. NFC could be a concern if you didn’t protect with access pins. I did

In regards to RSA. I’ve moved away from RSA entirely. If something doesn’t want to work for me or doesn’t like me for doing so I won’t support them

Elliptic curve is sooo much more efficient! And a great deal stronger

2 Likes

I occasionally run across something that doesn’t support ed25519 (like old swiches). Nobody is cracking rsa4096 anytime soon.

Definitely is slower though.

2 Likes

Awesome writeup! Also I couldn’t help but notice that CAC - I assume you have an alt token or two? I’m having a hell of a time, have tried cackey and such to no avail. In windows the HID crescendo driver is required and HID doesn’t appear to make the driver available for linux.

Hi all,

Thanks to @oO.o for his awesome scripts, which I used to get started. I took a slightly different approach though, where I wanted the GPG identity/key generation to be decoupled from the Yubikey upload process.

You’ll find a slightly modified script here with docs GitHub - bsodmike/Yubikey-GPG-SSH-FIDO2-MFA-ZeroTrust

This script also uses ED25519 and Curve25519. What’s nice about @oO.o’s script is that it also generates the various revocation certs, and saved me a lot of time having to script those bits.

Running on Fedora with fish as my main shell (although that should’t matter, the scripts should use sh) I found the bash ${1-somedefaultvalue} to throw some errors. I didn’t have too much time to investigate this, so I rewrote the iterative blocks where the keys and files are copied.

Quick tip!

When switching keys, running gpg-connect-agent "scd serialno" "learn --force" /bye updates the local stub to the currently connected key.

Many thanks to @PhaseLockedLoop! I’ve got SSH & Git working, will look at the rest in due course.

3 Likes

For every action I now have to provide the basic PIN; I wish I could push that into biometric scanning. I guess I shouldn’t write that PIN on a post-it and stick it on my monitor :wink:

I’m breaking a few rules and using something like LastPass to store the PINs etc. (intentionally not revealing what I used).

2 Likes

That’s weird. I need to confirm that is posix…

2 Likes

Im not a fan of biometrics. Way too easy to spoof save iris scans

1 Like

My extra keys are backups. But yes this is precisely how you would do so. If someone is ever around me and they see me pull a key from my parents safe. Well its a safe bet the sky is falling

1 Like

Mike was suggesting Bio as a replacement for a Pin.
Pin (marginally) easier to crack / copy and replicate than an iris,

But one can change a pin later, if needed.

like, I could be wrong. And an iris scan is not Hard to replicate. A pin is a bit easier to do, is all I was thinking

1 Like

As I understand it, this is the only way to recover from locking the Admin PIN (via failed attempts) – please correct me if I’m wrong.

This would also reset the simple PIN. My assumption is this would effectively reset the GPG applet, which means you would loose all config and keys that have been copied over as well.

This is fine for us as we always have a backup of the GPG keys/certs and everything can be reset and copied over again - but this is the only way to recover by way of loosing or getting locked out via PIN access (as far as I’m aware?).

To make things easier you may want to create a script. To do so, put the following into a script file and run it using gpg-connect-agent (gpg-connect-agent -r FILE).
Ref: ResetApplet

 /hex
 scd serialno
 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
 scd apdu 00 e6 00 00
 scd apdu 00 44 00 00
 /echo Card has been successfully reset.
1 Like

Yes but I didnt include it. I wanted the warning to make sure people did it right and setup and pin and remembered it.

Constantly clearing the card isnt good for it to my knowledge (limited writes) (IDK what the lifetime is)

2 Likes

Thanks for the info!!

I had trouble running the “add” script by @oO.o (may be some posix incompatibility, not sure). It’s also possible the PUK was being converted as “123” rather than 123 - TLDR his script triggered “BAD KEY” for the Admin key several times, so I had to perform the reset dance once.

I then decided not to automated the key-copy process given how simple it is to do it manually, and adds an extra later of caution/intention. I would have liked to get that script working though. I may investigate later as I’ve ordered another set of Yubikeys to setup a separate identity.

1 Like

Also what’s the recommended approach for setting up OTP - i.e. let’s assume you manage to loose key #1.

For every OTP service, do you register all 3x keys or just say Key 1 + 2 (given that key 3 is always in a safe somewhere, and therefore impractical to keep up to date?).

:thinking:

I registered all 3. Define how that is impractical?

1 Like

Again, this is outside my wheelhouse, but the way I see it, and it is not a criticism:

One physically needs all 3 keys to register them? (not necessarily at the same time)

With one key constantly safe, one only has 2 available to register.

One would need to make a list of which services need which extra key added when one cycles the keys through routine cycling.

Or, a list of sites / services to register, and take a laptop to the secure store, and register them all in one go.

I just see that as a housekeeping task?

Or, retrieve the key once every now and then, to register it?

I just see it more as a drift. Like the backup copy of encrypted passphrases. New phrases are added all the time, so routine upkeep is required? not impossible, but something to be aware of, and maintain.

2 Likes