From db0cdd31cfa5a4f28803f46c0903a9807a3f192c Mon Sep 17 00:00:00 2001 From: Florian Obser Date: Tue, 16 Jul 2024 18:39:03 +0200 Subject: [PATCH] new-sshagent-work --- index.org | 1 + new-sshagent-work.org | 64 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 new-sshagent-work.org diff --git a/index.org b/index.org index 5655a41..e7f0e56 100644 --- a/index.org +++ b/index.org @@ -7,6 +7,7 @@ + [[https://www.linkedin.com/in/florian-obser-75900383][Linkedin]] * Meditations +- [[file:new-sshagent-work.org][2024-07-16: new-sshagent-work]] - [[file:dhcpv6-pd-first-steps.org][2024-05-29: DHCPv6-PD - First steps]] - [[file:SingleFile.org][2024-03-20: SingleFile]] - [[file:openttd-srnw.org][2024-01-13: OpenTTD Self Regulating Networks]] diff --git a/new-sshagent-work.org b/new-sshagent-work.org new file mode 100644 index 0000000..083ad65 --- /dev/null +++ b/new-sshagent-work.org 
@@ -0,0 +1,64 @@ +#+TITLE: new-sshagent-work +#+DATE: 2024-07-16 +* Prologue +So I got a YubiKey 5C Nano handed to me. +Things kinda got out of hand. + +* Setup +The key is so small that it will just stay in one of my laptop's USB-C +ports. +I want to use the key for =ssh= authentication. +Step one is to disable OTP because I do not want to spill random +strings into my tty every time I touch it by accident: +#+begin_src shell + rcctl -f start pcscd + ykman config usb -d OTP + rcctl -f stop pcscd +#+end_src +Next we create an non-resident =ed25519-sk= key. +That is the key type used for FIDO keys: +#+begin_src shell + ssh-keygen -t ed25519-sk +#+end_src +FIDO keys consist of two parts: a key-handle and a private key. +The private key stays on the FIDO token and is combined with the +key-handle for signing operations. +For a non-resident key the key-handle is stored on disk in the +private-key file and is password protected. + +=/etc/X11/xenodm/Xsession= starts [[http://man.openbsd.org/ssh-agent][ssh-agent(1)]] and calls [[http://man.openbsd.org/ssh-add][ssh-add(1)]] to +add the standard identities to the ssh-agent. + +I have to touch the token on every use of the =ed25519-sk= key. + +Assuming the FIDO token works correctly, nobody can steal my private +key remotely. + +Theo de Raadt (deraadt@) pointed out a problem with the key at rest, +when I suspend my laptop I want to remove the key from the agent and +re-add it at first use on resume. +We were puzzling around with this for a bit at =c2k24= but did not +make too much progress. 
+ +* A Triumph in Modern Igoring +Back home I remembered an option that I had to use on my macOS work +laptop to make the ssh-agent work correctly: =AddKeysToAgent= + +Having this in =/etc/apm/suspend= removes all keys from my agent on +suspend: +#+begin_src shell + #!/bin/sh + + for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do + su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq" + done +#+end_src + +Adding =AddKeysToAgent yes= as first line to =~/.ssh/config= then +prompts me for the password of the key on first use and adds it to the +ssh-agent again. + +* Epilogue +This works, but it should really work out of the box per default. +This being OpenBSD, you can rest assured that we are working on it. +Stay tuned...
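Review bot: the `/etc/apm/suspend` script in the new-sshagent-work.org hunk hardcodes the user name twice (`find /tmp -user florian ...` and `su florian -c ...`), so any other user's agent keeps its keys loaded across suspend; either say the snippet is a single-user recipe or derive the user list. The `find` also relies on the default `/tmp/ssh-*/agent.*` socket layout and will pass stale leftovers to `ssh-add`, so `-type s` would restrict it to live sockets. Two wording points in the same hunk: `Next we create an non-resident =ed25519-sk= key.` should read `a non-resident`, and the heading `* A Triumph in Modern Igoring` looks like a typo for `Ignoring` unless the pun is intended. One sentence would also help readers on the threat model being addressed: `ssh-add -Dq` only clears the agent, while the password-protected key-handle file on disk and the private key on the still-plugged-in token are untouched, which is why `AddKeysToAgent yes` can re-add the key after a passphrase prompt on resume. For OpenSSH versions that accept a time interval for `AddKeysToAgent`, that is an alternative to the apm hook, though expiry then happens on a timer rather than at suspend.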