Today's post is about Yubikeys and how I use them with SSH 🙂 #100DaysToOffload https://gabnotes.org/using-your-yubikey-with-ssh-and-achieving-multifactor-authentication
@Crocmagnon Yeah just read your post! I really like the idea of yubikeys, even if a big factor is just owning cool devices. I don't fully understand how it works. You gave the example of plugging it into your colleague's computer. Does it not need pre-authorisation to work on it?
@mcol The key is a cryptographic device. It owns the private parts of your keys and they can never leave it. That's also how your credit card works (if it has a chip). With it, you can do anything you could do with a standard key pair. You just can't view the private key.
@mcol And indeed, since we basically use GPG keys with SSH, you'll need a little configuration on any machine you want to use with your key. It's described in the guide I linked: https://florin.myip.org/blog/easy-multifactor-authentication-ssh-using-yubikey-neo-tokens ("Configure the client system to use the smartcard")
@Crocmagnon Looking at that page it looks more complicated than I had previously thought. Surely any device it is plugged into can read the data stored on it? Or does it act as its own standalone device (not a storage device) with a standard protocol to talk with clients?
@mcol It doesn’t act like a storage device. When you plug it in, you don’t see a "yubikey" device on which you can drop files. It acts more like a smart card. You can for example use a yubikey to log in to your computer. Either as a replacement for your password or as a mandatory second factor.
I don’t know if the protocols they use are standard or proprietary though. I’d say standard but I’m not sure 😊
@Crocmagnon OK, sounds interesting. I'd love it if I can use it for my keepassxc dbus secret service and unlocking my luks hard drive at boot. Perhaps I should look more closely at this...
@mcol Looking forward to hearing from your experience 😉
@Crocmagnon I would be the guy that lost all my keys, 100% guarantee.
@basil haha I thought I’d be that guy too but I attached my daily driver to my keychain so I’m pretty much guaranteed not to forget it anywhere (or I’m in much bigger trouble) 😄
The others are older models that I don’t use daily anymore so I just keep them at home. One of them is registered as a backup key on all of my online services where I set up 2FA with the main key.