One Key to Rule It All [YubiKey+GPG-SSH+FIDO2+MFA-ZeroTrust]

Sorry - by “impractical” I meant, assuming you store the cold spare 100 miles away and sign up for a new service (and worse, potentially forget to update the cold spare).

I suppose the obvious answer is you have to keep the cold spare up to date - for the above mentioned situation (and sanity purposes too?) heh.

Right, this was exactly my point. Great idea, I’m going to maintain that list too.

It is still worth it.

Just something to be aware of.

Like I said, the same goes for offsite storage of passphrase drives.

This was the behavior I had on OpenBSD. In macOS, the PUK was cached after an initial command, but that happened intermittently on OpenBSD. I couldn’t figure it out… might just be quirks between platforms.

I should add better comments in the script…

It is, and once every 6 months I periodically make sure it’s all audited and up to date, but that’s easy. It’s going to one of my parents’ properties. I rarely register a new service; in fact I haven’t in 2 years. This, coupled with the fact that I made my own cloud, cloud office suite, and GPG keys for my stuff: I don’t actually need to update it.

Worst case, I need 2FA on a new service; well, I have my Bitwarden protected by the YubiKey and can just use its authenticator :wink:

It’s a good idea in general, so you don’t forget where stuff is registered.

@here

I forgot to mention you need to add the SSH key for each YubiKey, because the gpg agent stores the serial.

In order to use each backup YubiKey you need to ensure all serials are accepted when the gpg agent looks for it.

I originally presumed this was obvious; however, some folks on Discord brought up that it wasn’t.

Also, every time you change keys you must run

gpg-connect-agent "scd serialno" "learn --force" /bye
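An added example (not from the post above or from the guide it refers to) that wraps that relearn step in a small POSIX shell script: it reads the serial of whichever YubiKey is inserted via `gpg-connect-agent "scd serialno"`, refuses to go further unless that serial is on an allow list of the keys you actually enrolled, and only then runs `learn --force` so the agent re-reads the card’s keygrips. The serial values, the `ALLOWED_SERIALS` variable and the `yk-switch.sh` file name are assumptions; substitute the serials of your own primary and backup keys.

```shell
#!/bin/sh
# Added example, not from the original post: switch gpg-agent to whichever
# YubiKey is currently inserted, but only if its serial is one you enrolled.
# Assumptions: the serial values below are constructed placeholders and the
# script is saved as yk-switch.sh; replace them with your own keys' serials.

# Serials of the primary and every backup YubiKey (space separated).
# Get each one with:  gpg-connect-agent "scd serialno" /bye
ALLOWED_SERIALS="${ALLOWED_SERIALS:-D2760001240103040006123456780000 D2760001240103040006123456790000}"

# Extract the serial from gpg-connect-agent output, which looks like
#   S SERIALNO D2760001240103040006123456780000 0
#   OK
# Prints nothing if no SERIALNO status line is present (no card inserted).
parse_serial() {
    printf '%s\n' "$1" | while read -r tag key value _rest; do
        if [ "$tag" = "S" ] && [ "$key" = "SERIALNO" ]; then
            printf '%s\n' "$value"
            break
        fi
    done
}

# Succeed (exit 0) only when the serial is on the allow list.
serial_allowed() {
    for s in $ALLOWED_SERIALS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Ask scdaemon which card is present, check it, then force the agent to
# re-learn it so the cached serial/keygrips point at this key, not the one
# that was plugged in last time.
relearn_current_card() {
    out=$(gpg-connect-agent "scd serialno" /bye 2>/dev/null) || {
        echo "gpg-agent/scdaemon not reachable" >&2
        return 2
    }
    serial=$(parse_serial "$out")
    if [ -z "$serial" ]; then
        echo "no card detected" >&2
        return 2
    fi
    if ! serial_allowed "$serial"; then
        echo "card $serial is not one of your enrolled YubiKeys; refusing" >&2
        return 1
    fi
    gpg-connect-agent "scd serialno" "learn --force" /bye >/dev/null || return 2
    echo "gpg-agent now bound to card $serial"
}

# Only touch the hardware when run as a script, not when sourced.
case "${0##*/}" in
    yk-switch.sh) relearn_current_card ;;
esac
```

Run it as `sh yk-switch.sh` after swapping keys. The allow-list check is the point of the wrapper: `learn --force` will happily bind the agent to any OpenPGP card that is inserted, so a script that runs it blindly also accepts a card you never enrolled.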

When I try to do ssh-add .. I recall being asked for a passphrase. Then when I set about to push or pull code (since it’s using the key’s SSH id) it’ll then ask for my GPG pass (not the admin one). I only have three attempts till that GPG pass locks out.

If I’ve forgotten, I make sure to hit Escape till I can look it up in my cloud password store.

  • gpg trust level when re-importing keys.
  • gpg fetch when setting up gpg for SSH.
  • unplugging and re-plugging the YubiKey after almost every step lol.

I’ll get that added in.

P H A T RIP lol

Very sorry about that. I should have included the alternate way to obtain the keys before you have to run keygrips.

That, and I think y’all want a good way to kill the agents:

```shell
# Kill any stale agents and clear the variables that point at them
killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
# Start a fresh gpg-agent with ssh-agent emulation
eval $(gpg-agent --daemon --enable-ssh-support)
# On GnuPG 2.1 and later the daemon prints no environment assignments,
# so point ssh at the agent's socket explicitly
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
```

Just wanted to publicly say THANK YOU to @PhaseLockedLoop for what is probably the best writeup on the internet right now of how to manage Yubikeys and for giving me a hand with setting them up.

Appreciate it. I’m going to expand it and make it even better. It might be at the cost of reloading my keys with my key, but I want to enable a few things like PBKDF storing of the PINs, etc.

Excellent guide - as mentioned above, this is the best YubiKey setup guide I’ve seen.

One suggestion though - not everyone who wants to use these for things like SSH, etc. is familiar with key servers, GPG, U2F, FIDO, etc. There’s a big barrier to entry right there.

I’m not sure how, as this shit is complicated - but it would be amazing to have both:

  • a guide to what the different standards for auth are and where you can use them - i.e., the “why” of what we’re setting up
  • some scripts that make sensible default choices to help the less technical users get up and running.

e.g., maybe even have the same script run in either “easy mode” (sensible default choices for anything not personally identifying) or “advanced mode” where all the choices are presented.

Getting user buy-in to key-based security always gets hobbled by the complexity and lack of understanding of all but the most technical IT/security personnel.

We need to get this sort of thing actually used by most people, not a select few - and hopefully then the software support and general documentation will get better.

It would be amazing if eventually Linux had support for setting up key-based auth as part of the installer, but we’re way, way far off from that.

But again, thanks so much for this!

A lot of that is something Yubico should be doing. @ucav117 and I had a fireside chat about this. Great hardware company. Absolutely shitty software company.

If I made a script… I seriously would need help testing it. Constantly erasing my own key wouldn’t be enough

Agreed. The Yubico docs are complete from the perspective of someone who already knows what they’re doing, but as far as being end-user friendly goes… nope.

I have a few test keys and a test Linux/whatever box. Just free time is scarce.

I can start formulating something after a couple of my projects here are finished. It is unfortunately also low on my priority list because I know what I’m doing, but if I see a growing demand for it, I’ll start making one.

So, about that no time.

I just tested positive for COVID (it’s 8 am here, tested 2 hours ago). First time!

4x vaccinated, sore throat only at this stage. Isolating at home, so maybe I do have some time to run through this, etc. Will see how I feel over the next few days.

Well, get well soon. I’m a NOvid, so apparently I’m not bothered by the virus in any significant manner.

I’ll take a look at the project when I’m done learning Power Query.

Yeah, I’ve been doing the things for the past 2 years, been exposed directly at least 4 times (in the same car, no mask, at lunch with positive people, same small office as positive people, etc.).

But cheers!

I’ve got two spare keys here (a 5Ci and a 5 NFC) that were literally purchased through work as test keys - and a fresh install of Pop!_OS on the spare box next to my desk.

I’ve also got Win11 and macOS, so if I have the time I can test on 3 platforms.

I do have reasonable scripting skills, just now need the motivation :rofl: