new-sshagent-work

This commit is contained in:
Florian Obser 2024-07-16 18:39:03 +02:00
parent a3adcb130f
commit db0cdd31cf
2 changed files with 65 additions and 0 deletions

View File

@ -7,6 +7,7 @@
+ [[https://www.linkedin.com/in/florian-obser-75900383][Linkedin]] + [[https://www.linkedin.com/in/florian-obser-75900383][Linkedin]]
* Meditations * Meditations
- [[file:new-sshagent-work.org][2024-07-16: new-sshagent-work]]
- [[file:dhcpv6-pd-first-steps.org][2024-05-29: DHCPv6-PD - First steps]] - [[file:dhcpv6-pd-first-steps.org][2024-05-29: DHCPv6-PD - First steps]]
- [[file:SingleFile.org][2024-03-20: SingleFile]] - [[file:SingleFile.org][2024-03-20: SingleFile]]
- [[file:openttd-srnw.org][2024-01-13: OpenTTD Self Regulating Networks]] - [[file:openttd-srnw.org][2024-01-13: OpenTTD Self Regulating Networks]]

64
new-sshagent-work.org Normal file
View File

@ -0,0 +1,64 @@
#+TITLE: new-sshagent-work
#+DATE: 2024-07-16
* Prologue
So I got a YubiKey 5C Nano handed to me.
Things kinda got out of hand.
* Setup
The key is so small that it will just stay in one of my laptop's USB-C
ports.
I want to use the key for =ssh= authentication.
Step one is to disable OTP because I do not want to spill random
strings into my tty every time I touch it by accident:
#+begin_src shell
rcctl -f start pcscd
ykman config usb -d OTP
rcctl -f stop pcscd
#+end_src
Next we create an non-resident =ed25519-sk= key.
That is the key type used for FIDO keys:
#+begin_src shell
ssh-keygen -t ed25519-sk
#+end_src
FIDO keys consist of two parts: a key-handle and a private key.
The private key stays on the FIDO token and is combined with the
key-handle for signing operations.
For a non-resident key the key-handle is stored on disk in the
private-key file and is password protected.
=/etc/X11/xenodm/Xsession= starts [[http://man.openbsd.org/ssh-agent][ssh-agent(1)]] and calls [[http://man.openbsd.org/ssh-add][ssh-add(1)]] to
add the standard identities to the ssh-agent.
I have to touch the token on every use of the =ed25519-sk= key.
Assuming the FIDO token works correctly, nobody can steal my private
key remotely.
Theo de Raadt (deraadt@) pointed out a problem with the key at rest,
when I suspend my laptop I want to remove the key from the agent and
re-add it at first use on resume.
We were puzzling around with this for a bit at =c2k24= but did not
make too much progress.
* A Triumph in Modern Igoring
Back home I remembered an option that I had to use on my macOS work
laptop to make the ssh-agent work correctly: =AddKeysToAgent=
Having this in =/etc/apm/suspend= removes all keys from my agent on
suspend:
#+begin_src shell
#!/bin/sh
for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do
su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq"
done
#+end_src
Adding =AddKeysToAgent yes= as first line to =~/.ssh/config= then
prompts me for the password of the key on first use and adds it to the
ssh-agent again.
* Epilogue
This works, but it should really work out of the box per default.
This being OpenBSD, you can rest assured that we are working on it.
Stay tuned...