From db0cdd31cfa5a4f28803f46c0903a9807a3f192c Mon Sep 17 00:00:00 2001
From: Florian Obser <fobser@ripe.net>
Date: Tue, 16 Jul 2024 18:39:03 +0200
Subject: [PATCH] new-sshagent-work

---
 index.org             |  1 +
 new-sshagent-work.org | 64 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 new-sshagent-work.org

diff --git a/index.org b/index.org
index 5655a41..e7f0e56 100644
--- a/index.org
+++ b/index.org
@@ -7,6 +7,7 @@
 + [[https://www.linkedin.com/in/florian-obser-75900383][Linkedin]]
 
 * Meditations
+- [[file:new-sshagent-work.org][2024-07-16: new-sshagent-work]]
 - [[file:dhcpv6-pd-first-steps.org][2024-05-29: DHCPv6-PD - First steps]]
 - [[file:SingleFile.org][2024-03-20: SingleFile]]
 - [[file:openttd-srnw.org][2024-01-13: OpenTTD Self Regulating Networks]]
diff --git a/new-sshagent-work.org b/new-sshagent-work.org
new file mode 100644
index 0000000..083ad65
--- /dev/null
+++ b/new-sshagent-work.org
@@ -0,0 +1,64 @@
+#+TITLE: new-sshagent-work
+#+DATE: 2024-07-16
+* Prologue
+So I got a YubiKey 5C Nano handed to me.
+Things kinda got out of hand.
+
+* Setup
+The key is so small that it will just stay in one of my laptop's USB-C
+ports.
+I want to use the key for =ssh= authentication.
+Step one is to disable OTP because I do not want to spill random
+strings into my tty every time I touch it by accident:
+#+begin_src shell
+  rcctl -f start pcscd
+  ykman config usb -d OTP
+  rcctl -f stop pcscd
+#+end_src
+Next we create an non-resident =ed25519-sk= key.
+That is the key type used for FIDO keys:
+#+begin_src shell
+  ssh-keygen -t ed25519-sk
+#+end_src
+FIDO keys consist of two parts: a key-handle and a private key.
+The private key stays on the FIDO token and is combined with the
+key-handle for signing operations.
+For a non-resident key the key-handle is stored on disk in the
+private-key file and is password protected.
+
+=/etc/X11/xenodm/Xsession= starts [[http://man.openbsd.org/ssh-agent][ssh-agent(1)]] and calls [[http://man.openbsd.org/ssh-add][ssh-add(1)]] to
+add the standard identities to the ssh-agent.
+
+I have to touch the token on every use of the =ed25519-sk= key.
+
+Assuming the FIDO token works correctly, nobody can steal my private
+key remotely.
+
+Theo de Raadt (deraadt@) pointed out a problem with the key at rest,
+when I suspend my laptop I want to remove the key from the agent and
+re-add it at first use on resume.
+We were puzzling around with this for a bit at =c2k24= but did not
+make too much progress.
+
+* A Triumph in Modern Igoring
+Back home I remembered an option that I had to use on my macOS work
+laptop to make the ssh-agent work correctly: =AddKeysToAgent=
+
+Having this in =/etc/apm/suspend= removes all keys from my agent on
+suspend:
+#+begin_src shell
+  #!/bin/sh
+
+  for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do
+          su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq"
+  done
+#+end_src
+
+Adding =AddKeysToAgent yes= as first line to =~/.ssh/config= then
+prompts me for the password of the key on first use and adds it to the
+ssh-agent again.
+
+* Epilogue
+This works, but it should really work out of the box per default.
+This being OpenBSD, you can rest assured that we are working on it.
+Stay tuned...