I’ve been putting off properly systemizing my SSH security life. I want to see what people here use, and what they like/dislike about the options.
I basically want to do this:
Whatever I decide on needs to work with Linux and macOS (my work is 100% Macs, I use Linux at home).
I know the yubikey has a somewhat mixed rep because no more FOSS and there was some issue with them back when all those chips were cryptographically flawed (Estonian ID cards? something like that…).
Let’s see, there aren’t really any direct alternatives I know of, but Krypton, what Wendell made a video about this week on L1L, might be a good alternative. Give it a look.
Yeah Yubikeys work pretty good. I can’t say for reasons but I know for a fact that a huge e-commerce company uses them because they work fine AND get you some comliance clearence and such.
Yubikey is pretty much bulletproof if you don’t let them laying around. I use it for years and own 10 or so.
And I use groups of them for various use. I also try to keep it up to date, so when a new gen is coming out I replace my whole stack in general.
You can really use them in confidence as you can do for password manager, you just need to apply same kind of security that’s all. You can use them for ssh, for web services, for auth with Mac, Windows ( more or less), and Linux like qubes os . There is no alternatives at the moment, and I think it’s simply because the technology is copyrighted but I could be wrong.
I was a bit afraid at first because it’s basically Java applets burned into the keys but we tried to hack it and didn’t succeed yet. And yes we are also using it at work so…
if ever some web services recognized for their privacy as mailbox.org or others will change their point of view on it, i will reconsider it but for now it’s pretty much what everybody should use to protect their password manager, web services account or things like that.
And also if you have whatever questions or angst about something, their customer support at yubico is amazing.
Thanks for the feedback everyone! I think I have 2 lingering questions about the Yubikey.
What the hell are all of these other “smart cards”? I get the impression that they aren’t as multi-functional as yubi, but I don’t fully understand the difference in context.
4.4.3. Supported Smart Cards
The following smart cards and readers are supported on Red Hat Enterprise Linux.
Smart Cards
HP Keyboard KUS1206 with built in Smart Card reader
Omnikey 3121 reader
Omnikey 3121 with PID 0x3022 reader
Reiner SCT cyberJack RFID komfort reader
SCR331 CCID reader
What happens when I lose/break it? I feel like I either have to leave myself a back door or risk being locked out of everything. Either case negates the usefulness of the Yubikey (unless you can afford to burn everything down and build it back up if it breaks).
What you’re describing makes sense abstractly, but I don’t understand how it would be implemented (possibly because I don’t fully understand how the yubikey works).
Say I use the yubikey for my ssh keys. I have a master key in a vault somewhere. How do I keep the master up to date? Do I need to take it out every time I add/change credentials?
For the group hierarchy you’re describing, are you thinking of an AD directory structure? In what context can you authenticate a user through a credential applied to an entire group?
Also, for cloud services like G Suite, how does this translate?
Well, I didn’t described it as well as someone who actually knows that stuff could.
The Basic idea is kinda like this:
1x Recovery Key = Full Access to “root”
1x Root Key = Root Key
Nx Group Key = Previliged to what they need
That doesn’t say anything at all, what you consider your way of implementing a secure (enough) environment of handling ssh keys and such.
So, I kinda wanna say that I’m not really that familiar with this. But there is the distinction between how you make your shit secure and what you do to make your shit secure.
There are a lot of really good and sturdy concepts for how to make your stuff secure and practical. Because if it’s not practical… stuff won’t be used, all the work for nothing.
I have followed these instructions and now have 2, mostly functional FIPS YubiKeys.
They will both log me into my Macbook Air with a PIN that I setup, so that’s all good.
I am having trouble getting them both working for GPG though. I keytocard'd the GPG keys to both Yubikeys successfully, but it only trusts the first Yubi that I set up.
I looked around for how to deal with this, but I didn’t get a clear answer. I did find this thread with a guy talking to himself about it, but I didn’t get a clear solution.
This is the error I get when I try to use any of the GPG keys on the second yubi.
Once I get that sorted out, I’ll work on setting it up on my main Linux workstation.