new-sshagent-work
This commit is contained in:
Florian Obser
parent
a3adcb130f
commit
db0cdd31cf
@ -7,6 +7,7 @@
|
||||
+ [[https://www.linkedin.com/in/florian-obser-75900383][Linkedin]]
|
||||
|
||||
* Meditations
|
||||
- [[file:new-sshagent-work.org][2024-07-16: new-sshagent-work]]
|
||||
- [[file:dhcpv6-pd-first-steps.org][2024-05-29: DHCPv6-PD - First steps]]
|
||||
- [[file:SingleFile.org][2024-03-20: SingleFile]]
|
||||
- [[file:openttd-srnw.org][2024-01-13: OpenTTD Self Regulating Networks]]
|
||||
|
||||
64
new-sshagent-work.org
Normal file
64
new-sshagent-work.org
Normal file
@ -0,0 +1,64 @@
|
||||
#+TITLE: new-sshagent-work
|
||||
#+DATE: 2024-07-16
|
||||
* Prologue
|
||||
So I got a YubiKey 5C Nano handed to me.
|
||||
Things kinda got out of hand.
|
||||
|
||||
* Setup
|
||||
The key is so small that it will just stay in one of my laptop's USB-C
|
||||
ports.
|
||||
I want to use the key for =ssh= authentication.
|
||||
Step one is to disable OTP because I do not want to spill random
|
||||
strings into my tty every time I touch it by accident:
|
||||
#+begin_src shell
|
||||
rcctl -f start pcscd
|
||||
ykman config usb -d OTP
|
||||
rcctl -f stop pcscd
|
||||
#+end_src
|
||||
Next we create an non-resident =ed25519-sk= key.
|
||||
That is the key type used for FIDO keys:
|
||||
#+begin_src shell
|
||||
ssh-keygen -t ed25519-sk
|
||||
#+end_src
|
||||
FIDO keys consist of two parts: a key-handle and a private key.
|
||||
The private key stays on the FIDO token and is combined with the
|
||||
key-handle for signing operations.
|
||||
For a non-resident key the key-handle is stored on disk in the
|
||||
private-key file and is password protected.
|
||||
|
||||
=/etc/X11/xenodm/Xsession= starts [[http://man.openbsd.org/ssh-agent][ssh-agent(1)]] and calls [[http://man.openbsd.org/ssh-add][ssh-add(1)]] to
|
||||
add the standard identities to the ssh-agent.
|
||||
|
||||
I have to touch the token on every use of the =ed25519-sk= key.
|
||||
|
||||
Assuming the FIDO token works correctly, nobody can steal my private
|
||||
key remotely.
|
||||
|
||||
Theo de Raadt (deraadt@) pointed out a problem with the key at rest,
|
||||
when I suspend my laptop I want to remove the key from the agent and
|
||||
re-add it at first use on resume.
|
||||
We were puzzling around with this for a bit at =c2k24= but did not
|
||||
make too much progress.
|
||||
|
||||
* A Triumph in Modern Igoring
|
||||
Back home I remembered an option that I had to use on my macOS work
|
||||
laptop to make the ssh-agent work correctly: =AddKeysToAgent=
|
||||
|
||||
Having this in =/etc/apm/suspend= removes all keys from my agent on
|
||||
suspend:
|
||||
#+begin_src shell
|
||||
#!/bin/sh
|
||||
|
||||
for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do
|
||||
su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq"
|
||||
done
|
||||
#+end_src
|
||||
|
||||
Adding =AddKeysToAgent yes= as first line to =~/.ssh/config= then
|
||||
prompts me for the password of the key on first use and adds it to the
|
||||
ssh-agent again.
|
||||
|
||||
* Epilogue
|
||||
This works, but it should really work out of the box per default.
|
||||
This being OpenBSD, you can rest assured that we are working on it.
|
||||
Stay tuned...
|
||||
Loading…
Reference in New Issue
Block a user