1. 29

  2. 2

    It’s extremely handy to have a ssh auth key in your pocket. I use a similar setup that amazingly works on Mac, Windows, Linux and OpenBSD (using GPG and a combo of pcscd / opensc).

    As an alternative to Yubikey, checkout Nigrokey. The form factor isn’t as convenient, but they get the job done!

    1. 4

      oh man.. colemak noob typo - NitroKey

      1. 2


        That typo sounds racist. I’m glad it’s not the real product’s name.

        1. 2

          Somewhat beside the point but I think that’s literally Italian for “black” (also Nigro seems to be an actual surname).

        2. 1

          Can you use the built-in openssh auth key stuff alongside gpg-agent for the other key types?

          1. 1

            Not sure. I don’t use them outside of gpg.

          2. 1

            The Nitrokey is really nice (I have two). They run the open source gnuk firmware, which can also run on many STM32 F103 boards. E.g., some people run gnuk on $2 Blue Pill boards.


          3. 2

            This is a good idea. There’s also an alternative implementation that will present an ssh-agent compatible agent that speaks to a smart card or Yubikey: https://github.com/arekinath/piv-agent

            1. 1

              Since these are RSA keys, they can also be used for SSH authentication.

              A little bit of clarification: Yubikey has two* separate applets - OpenPGP Card and PIV. Keys stored in slots of these applets are totally separate.

              *: actually more, but for the sake of the argument…

              OpenPGP is used by GnuPG while PIV can be used by SSH but not only SSH. Some OSes (like Windows) have built in support for PIV Smartcards so for example Chrome (that uses system store) can utilize certs stored on Yubikey for TLS Client authentication to sites. Git for Windows also uses system store (through curl’s SChannel) so Yubikey can also be used to store certs used by git for pulling/pushing.

              The real difference between OpenPGP Card and PIV is: OpenPGP can store only 3 keys, PIV can use ECDSA keys and can store more keys (mostly because of extensions by Yubico). PIV also has “enterprise” features, such as key attestation (one can remotely check if a key has been generated on Yubico, not imported).

              1. 1

                Of course this does not consider the additional attack surface created by the components opensc and pcscd.

                While YubiKeys are great, the additional exposure in browsers and SSH currently seems too dangerous and too fragile for most people to use. I hope pledge() and such can help this get integrated better in OpenBSD/OpenSSH.

                1. 1

                  hm… how using pam and OTP paper. Normal paper without token, phone etc.

                  1. 2

                    It can be phished, just like TOTP etc can. The only effective way to prevent phishing is to take the user out of the loop.

                    Although, admittedly, if the service you’re authenticating to is some custom command-line UI you wrote yourself, you’re probably safe from phishing unless you’re an extremely high-value target to somebody. The moment you start writing a blog post and encouraging other people to use your solution, though, it stops being obscure in that way.

                    1. 2

                      No pam on OpenBSD.