# Hardware Tokens
My desk currently looks like a Yubikey graveyard. I need to figure out which ones do what, and which ones are worth keeping. Some of them are way too old to be useful.
## Using a hardware token with OpenSSH 8.2+
The documentation isn’t simple enough for me. It’s written as it should be (product agnostic), but I need something simpler. So, I am writing these directions for myself.
## Yubikey features

These are the features of the Yubikeys on my desk.
| version | firmware | OTP | FIDO2 | PIV | notes |
|---|---|---|---|---|---|
| nano | 2.3.0 | yes | no | no | :( |
| v5 nfc | 5.2.4 | yes | yes | yes | have 2 |
| wired mag | 4.3.7 | yes | no | yes | |
| unknown | 2.3.1 | yes | no | no | |
| unknown | 2.1.1 | yes | no | no | |
| unknown | 2.0.2 | yes | no | no | |
## Yubikey 5 NFC

I used the Yubikey Manager to change the FIDO2 PIN. I ran it in Windows 10 with administrator privs (won’t be able to access FIDO without them).
Once the pin was set I was able to use ssh-keygen to create an ed25519-sk key with the resident option.
```
$ ssh-keygen -t ed25519-sk -O resident
```
The resident option stores the “key handle” on the device itself; without it, the key handle lives only in the private key file on the filesystem. More information can be found in the 8.2 release notes under the “FIDO2 resident keys” heading.

It should prompt for the PIN, and then the Y logo on the key will flash to ask for a user-presence check. ssh-keygen may or may not print a prompt to touch the key; the flashing Y is the sign to touch it.
As usual the public key should be added to the user’s ~/.ssh/authorized_keys.
To use the resident key, use ssh-add to add it to ssh-agent. It will prompt for the pin.
```
$ ssh-add -K
```
Using that key to connect to a system will require a touch (look for the flashing Y).
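As an added example (not from these notes), a small audit script that reads an authorized_keys file and reports which entries are FIDO-backed sk-* keys, which are plain software keys, and which sk-* entries carry `no-touch-required` and so skip the touch described above. It assumes the standard OpenSSH authorized_keys layout; the key blobs in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): audit an authorized_keys file to
# separate FIDO-backed sk-* entries (usable only with the token present) from
# software keys, and flag sk-* entries with "no-touch-required", which drops
# the touch check the notes above rely on. Sample blobs are placeholders.
# Print "<class> <key-type> <options> <comment>" per key entry in FILE.
# class is fido-ed25519, fido-ecdsa ("(no-touch)" appended when the presence
# check is disabled) or software.
classify_authorized_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        {
            # The key type is the first field that looks like one; fields before
            # it are the optional options list, fields after the blob the comment.
            t = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = i; break }
            if (t == 0 || NF < t + 1) { print "malformed - - -"; next }
            opts = ""; for (i = 1; i < t; i++) opts = opts (i > 1 ? " " : "") $i
            comment = ""; for (i = t + 2; i <= NF; i++) comment = comment (i > t + 2 ? " " : "") $i
            if (opts == "") opts = "-"; if (comment == "") comment = "-"
            if ($t == "sk-ssh-ed25519@openssh.com")              cls = "fido-ed25519"
            else if ($t == "sk-ecdsa-sha2-nistp256@openssh.com") cls = "fido-ecdsa"
            else                                                 cls = "software"
            if (cls != "software" && opts ~ /no-touch-required/) cls = cls "(no-touch)"
            print cls, $t, opts, comment
        }
    ' "$1"
}

# Count entries whose class (first word of classify output) equals CLASS.
count_class() {
    classify_authorized_keys "$1" | awk -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Write a constructed sample authorized_keys to PATH.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample; blobs are placeholders
sk-ssh-ed25519@openssh.com AAAAplaceholder1 yubikey5-resident
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder2 solokey
ssh-ed25519 AAAAplaceholder3 laptop-software-key
EOF
}
# Stand-alone run: classify the sample and report entries usable without a token.
tmp="${TMPDIR:-/tmp}/authorized_keys.sample.$$"
write_sample_authorized_keys "$tmp"
classify_authorized_keys "$tmp"
echo "entries usable without a token: $(count_class "$tmp" software)"
rm -f "$tmp"
```

Run it against a real `~/.ssh/authorized_keys` to see which entries still let someone in without a token in hand.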
## Solo Key

Using firmware 4.0.0 the Solo Key just worked. Not sure what version I had tried previously.
Solo Key works with FIDO2, but only with ecdsa-sk keys. RIP ed25519.
Used Windows Sign-In Options to change the PIN since the Python program doesn’t work on OpenBSD.

## Solo2 Key
My solo2 key is using ed25519.