Sorry - by “impractical” I meant, assuming you store the cold spare 100 miles away and sign up for a new service (and worse, potentially forget to update the cold spare).
I suppose the obvious answer is you have to keep the cold spare up to date - for the above-mentioned situation (and sanity purposes too?) heh.
This was the behavior I had on openbsd. In macOS, the PUK was cached after an initial command but that happened intermittently on openbsd. I couldn’t figure it out… might just be quirks between platforms.
It is, and once every 6 months I make sure it’s all audited and up to date, but that’s easy. It’s going to one of my parents’ properties. I rarely register a new service; in fact I haven’t in 2 years. Coupled with the fact that I made my own cloud, cloud office suite, and GPG keys for my stuff, I don’t actually need to update it.
Worst case, if I need 2FA on a new service, I have my Bitwarden protected by the YubiKey and can just use its authenticator.
It’s a good idea in general, so you don’t forget where stuff is registered.
When I try to do ssh-add, I recall being asked for a passphrase. Then when I set about to push or pull code (since it’s using the key’s SSH ID) it’ll ask for my GPG pass (not the admin one). I only have 3 attempts till that GPG pass locks out.
If I’ve forgotten, I make sure to hit Escape till I can look it up in my cloud password store.
Just wanted to publicly say THANK YOU to @PhaseLockedLoop for what is probably the best writeup on the internet right now of how to manage Yubikeys and for giving me a hand with setting them up.
Appreciate it. I’m going to expand it and make it even better. It might be at the cost of reloading my keys with my key, but I want to enable a few things like PBKDF storing of the PINs, etc.
Excellent guide - as mentioned above, this is the best YubiKey setup guide I’ve seen.
One suggestion though - not everyone who wants to use these for things like SSH, etc. is familiar with key servers, GPG, U2F, FIDO, etc, etc. There’s a big barrier to entry right there.
I’m not sure how, as this shit is complicated - but it would be amazing to have both:
1. a guide to what the different standards for auth are and where you can use them - i.e., the “why” of what we’re setting up
2. some scripts that make sensible default choices to help the less technical users get up and running.
e.g., maybe even have the same script run in either “easy mode” (sensible default choices for anything not personally identifying) or “advanced mode” where all the choices are presented.
Getting user buy in to key based security always gets hobbled by the complexity and lack of understanding of all but the most technical of IT/security personnel.
We need to get this sort of thing actually used by most people, not a select few - and hopefully then the software support and general documentation will get better.
It would be amazing if eventually Linux had support for setting up key-based auth as part of the installer, but we’re way, way far off from that.
A lot of that is something Yubico should be doing. @ucav117 and I had a fireside chat about this. Great hardware company. Absolutely shitty software company.
If I made a script… I seriously would need help testing it. Constantly erasing my own key wouldn’t be enough
Agreed. The Yubico docs are complete from the perspective of someone who already knows what they’re doing, but as far as being end-user friendly goes… nope.
I have a few test keys and a test Linux/whatever box. Just free time is scarce.
I can start formulating something after a couple of my projects here are finished. It unfortunately is also low on my priority list because I know what I’m doing, but if I see a growing demand for it, I’ll start making one.
I just tested positive for covid (it’s 8am here, tested 2 hours ago). First time!
4x vac, sore throat only at this stage. Isolating at home, so maybe I do have some time to run through this, etc. Will see how I feel over the next few days.
Yeah, I’ve been doing the things for the past 2 years, been exposed directly at least 4 times (in same car, no mask, at lunch with positive people, same small office as positive people, etc.).
But cheers!
I’ve got two spare keys here (a 5Ci and a 5 NFC) that are literally purchased through work as test keys - and a fresh install of Pop!_OS on the spare box next to my desk.
I’ve also got Win11 and macOS, so if I have the time I can test on 3 platforms.
I do have reasonable scripting skills, just now need the motivation.