YubiKey? Alternatives?

I’ve been putting off properly systemizing my SSH security life. I want to see what people here use, and what they like/dislike about the options.

I basically want to do this:

Whatever I decide on needs to work with Linux and macOS (my work is 100% Macs, I use Linux at home).

I know the YubiKey has a somewhat mixed rep because it’s no longer FOSS, and there was some issue with them back when all those chips were cryptographically flawed (Estonian ID cards? something like that…).

Hmmm…

Let’s see, there aren’t really any direct alternatives I know of, but Krypton, which Wendell made a video about this week on L1L, might be a good alternative. Give it a look.


If you have a YubiKey there’s no real issue with it; they meet all the usual requirements, and on Linux pretty much “just work”.


Yeah, YubiKeys work pretty well. I can’t say which one (for reasons), but I know for a fact that a huge e-commerce company uses them because they work fine AND get you some compliance clearance and such.

If you have one, use it, it’s fine.


The YubiKey is pretty much bulletproof if you don’t leave them lying around. I’ve used them for years and own 10 or so.
I use groups of them for various uses. I also try to keep them up to date, so when a new generation comes out I generally replace my whole stack.
You can really use them with confidence, as you can a password manager; you just need to apply the same kind of security, that’s all. You can use them for SSH, for web services, for auth with Mac, Windows (more or less), and Linux like Qubes OS. There are no alternatives at the moment, and I think it’s simply because the technology is copyrighted, but I could be wrong.

I was a bit afraid at first because it’s basically Java applets burned into the keys, but we tried to hack it and haven’t succeeded yet. And yes, we are also using it at work, so…
If ever some web services recognized for their privacy, such as mailbox.org or others, change their point of view on it, I will reconsider, but for now it’s pretty much what everybody should use to protect their password manager, web service accounts or things like that.

And if you have any questions or angst about something, their customer support at Yubico is amazing.


Thanks for the feedback everyone! I think I have 2 lingering questions about the YubiKey.

  1. What the hell are all of these other “smart cards”? I get the impression that they aren’t as multi-functional as the YubiKey, but I don’t fully understand the difference in context.

4.4.3. Supported Smart Cards
The following smart cards and readers are supported on Red Hat Enterprise Linux.
Smart Cards

Athena ASECard Crypto smart, pkcs15-unit
ATOS (Siemens) CardOS 5.0
Gemalto ID Classic 230 / TOP IM CY2 64kv2
Gemalto Cyberflex Access 64k V2c
Gemalto GemPCKey USB form factor key
Giesecke & Devrient (G&D) SmartCafe Expert 6.0 (SCP03)
Giesecke & Devrient (G&D) SmartCafe Expert 7.0 (SCP03)
Safenet 330J
Safenet SC650 (SCP01)
Siemens Card CardOS M4.4
Yubikey 4
Readers

HP Keyboard KUS1206 with built in Smart Card reader
Omnikey 3121 reader
Omnikey 3121 with PID 0x3022 reader
Reiner SCT cyberJack RFID komfort reader
SCR331 CCID reader

From: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards

  2. What happens when I lose/break it? I feel like I either have to leave myself a back door or risk being locked out of everything. Either case negates the usefulness of the YubiKey (unless you can afford to burn everything down and build it back up if it breaks).

Well, that is precisely what you want to happen if you don’t have the means to authenticate yourself: you don’t have access.

Take one YubiKey and use it to authenticate all the other master YubiKeys for groups, and the group YubiKeys for each user in the groups.

If you need to validate a user, no problem, use the group one.

If everything goes south: use the master key, but keep that one locked up somewhere safe, so there is no chance of losing it.

What you’re describing makes sense abstractly, but I don’t understand how it would be implemented (possibly because I don’t fully understand how the YubiKey works).

Say I use the YubiKey for my SSH keys. I have a master key in a vault somewhere. How do I keep the master up to date? Do I need to take it out every time I add/change credentials?

For the group hierarchy you’re describing, are you thinking of an AD directory structure? In what context can you authenticate a user through a credential applied to an entire group?

Also, for cloud services like G Suite, how does this translate?

Also, I ordered a FIPS YubiKey to experiment with.

Well, I didn’t describe it as well as someone who actually knows that stuff could.

The Basic idea is kinda like this:

1x Recovery Key = Full Access to “root”

1x Root Key = Root Key

Nx Group Key = Privileged to what they need

That doesn’t say anything at all about what you consider your way of implementing a secure (enough) environment for handling SSH keys and such.

So, I kinda wanna say that I’m not really that familiar with this. But there is a distinction between how you make your shit secure and what you do to make your shit secure.

There are a lot of really good and sturdy concepts for how to make your stuff secure and practical. Because if it’s not practical… stuff won’t be used, all the work for nothing.


They use U2F; multiple keys can be attached to an account, so you keep a backup, or keep backup codes, or both.

If using AD you might consider certificates on the YubiKey for authentication; these work well and are easy to set up and manage.

edit: multiple certs can be attached to the key as well, which is nice.

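The posts above sketch a “recovery key / root key / group keys” hierarchy and suggest certificates, but not how the root key stays useful without being “kept up to date”. The script below is an added example, not code from anyone in this thread: it builds that hierarchy for SSH with OpenSSH user certificates. One offline CA key (the “root key” in the vault) signs short-lived certificates for each user’s key (the key that would live on a YubiKey); servers only need the CA’s public half in `TrustedUserCAKeys` and a revocation list in `RevokedKeys`. It assumes `ssh-keygen` from OpenSSH 5.4 or later is on PATH; the CA key is a plain file here so the demo runs offline, whereas in practice it would stay on the locked-up YubiKey and be used through the agent. Names such as `alice`, `deploy` and the serial `42` are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the "one root key, N group keys" idea
# implemented with OpenSSH user certificates instead of copying a private key
# onto several YubiKeys.
# Assumptions: ssh-keygen (OpenSSH >= 5.4) is on PATH; the CA private key is a
# plain file so the demo runs offline (in practice it lives on the vaulted
# YubiKey and signing goes through the agent, e.g. `ssh-keygen -Us ca.pub ...`).

# make_ca DIR -> prints the path of the CA private key (public half: <path>.pub).
# This is the "root key". It is only ever needed to sign; servers trust its
# public half via TrustedUserCAKeys, so it never needs updating when users or
# their YubiKeys change.
make_ca() {
    ssh-keygen -q -t ed25519 -N "" -C "offline-ssh-ca" -f "$1/ca" </dev/null
    printf '%s\n' "$1/ca"
}

# make_user_key DIR NAME -> prints the path of the user's public key.
# In real use this key pair sits on the user's YubiKey (PIV/PKCS#11, gpg-agent
# or a FIDO2 "sk" key) and only the public half is exported for signing.
make_user_key() {
    ssh-keygen -q -t ed25519 -N "" -C "$2" -f "$1/$2" </dev/null
    printf '%s\n' "$1/$2.pub"
}

# issue_cert CA_KEY USER_PUB KEY_ID PRINCIPALS SERIAL -> prints the cert path.
# The certificate is the "group key": -n limits which accounts the key may log
# in as, -V limits how long a lost YubiKey stays usable (valid from 5 minutes
# ago for 8 hours), -z gives it a serial that a KRL can revoke by.
issue_cert() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -z "$5" -V -5m:+8h "$2"
    printf '%s\n' "${2%.pub}-cert.pub"   # ssh-keygen writes <name>-cert.pub
}

# cert_principals CERT -> prints the certificate's principals, space-separated.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { p = 1; next }
        /Critical Options:/ { p = 0 }
        p                   { printf "%s%s", sep, $1; sep = " " }
        END                 { print "" }'
}

# new_krl KRL -> creates an empty Key Revocation List (sshd: RevokedKeys).
new_krl() {
    ssh-keygen -q -k -f "$1"
}

# revoke_serial CA_PUB SERIAL KRL -> revokes every cert with that serial
# signed by CA_PUB, using a KRL spec file. Losing a YubiKey costs exactly this:
# one KRL update pushed to servers and a fresh cert for the replacement key.
# The root key itself is untouched.
revoke_serial() {
    spec=$(mktemp)
    printf 'serial: %s\n' "$2" > "$spec"
    ssh-keygen -q -k -u -f "$3" -s "$1" "$spec"
    rm -f "$spec"
}

# cert_status KRL KEY_OR_CERT -> prints "ok" or "REVOKED" (from ssh-keygen -Q).
cert_status() {
    ssh-keygen -Q -f "$1" "$2" | awk '{ print $NF }'
}

# Walk through the full lifecycle in a scratch directory.
demo() {
    dir=$1
    ca=$(make_ca "$dir")
    pub=$(make_user_key "$dir" alice)
    cert=$(issue_cert "$ca" "$pub" "alice@laptop-yubikey" "alice,deploy" 42)
    new_krl "$dir/revoked.krl"
    echo "principals:      $(cert_principals "$cert")"
    echo "before revoke:   $(cert_status "$dir/revoked.krl" "$cert")"
    revoke_serial "$ca.pub" 42 "$dir/revoked.krl"
    echo "after revoke:    $(cert_status "$dir/revoked.krl" "$cert")"
    echo "sshd_config:     TrustedUserCAKeys $ca.pub"
    echo "                 RevokedKeys $dir/revoked.krl"
}

demo "$(mktemp -d)"
```

This answers the “how do I keep the master up to date” question for SSH: you don’t. The vaulted key comes out only to sign a new certificate (or to rotate the CA itself), and the per-server trust is a one-line `TrustedUserCAKeys` entry that never changes. A second YubiKey for the same person is simply a second key with its own certificate; a lost one is a serial added to the KRL. None of this covers web services such as G Suite, which is where the U2F approach in the previous post (register two keys, keep backup codes) applies instead.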

This is why I’m so damn tempted to get my hands on a YubiKey, if only to play with it.

Actually, dammit, I’m gonna have to buy one…

Let me know when you get it and we can compare notes.


I have followed these instructions and now have 2 mostly functional FIPS YubiKeys.

They will both log me into my MacBook Air with a PIN that I set up, so that’s all good.

I am having trouble getting them both working for GPG though. I keytocard’d the GPG keys to both YubiKeys successfully, but it only trusts the first YubiKey that I set up.

I looked around for how to deal with this, but I didn’t get a clear answer. I did find this thread with a guy talking to himself about it, but I didn’t get a clear solution.

This is the error I get when I try to use any of the GPG keys on the second YubiKey.

[screenshot of the GPG error]

Once I get that sorted out, I’ll work on setting it up on my main Linux workstation.
