#+TITLE: new-sshagent-work
#+DATE: 2024-07-16

* Prologue

So I got a YubiKey 5C Nano handed to me. Things kinda got out of hand.

* Setup

The key is so small that it will just stay in one of my laptop's USB-C ports. I want to use the key for =ssh= authentication. Step one is to disable OTP because I do not want to spill random strings into my tty every time I touch it by accident:

#+begin_src shell
rcctl -f start pcscd
ykman config usb -d OTP
rcctl -f stop pcscd
#+end_src

Next we create a non-resident =ed25519-sk= key. That is the key type used for FIDO keys:

#+begin_src shell
ssh-keygen -t ed25519-sk
#+end_src

FIDO keys consist of two parts: a key handle and a private key. The private key stays on the FIDO token and is combined with the key handle for signing operations. For a non-resident key the key handle is stored on disk in the private-key file and is password protected.

=/etc/X11/xenodm/Xsession= starts [[http://man.openbsd.org/ssh-agent][ssh-agent(1)]] and calls [[http://man.openbsd.org/ssh-add][ssh-add(1)]] to add the standard identities to the ssh-agent. I have to touch the token on every use of the =ed25519-sk= key. Assuming the FIDO token works correctly, nobody can steal my private key remotely.

Theo de Raadt (deraadt@) pointed out a problem with the key at rest: when I suspend my laptop I want to remove the key from the agent and re-add it at first use on resume. We were puzzling over this for a bit at =c2k24= but did not make too much progress.
* A Triumph in Modern Igoring

Back home I remembered an option that I had to use on my macOS work laptop to make the ssh-agent work correctly: =AddKeysToAgent=. Having this in =/etc/apm/suspend= removes all keys from my agent on suspend:

#+begin_src shell
#!/bin/sh
for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do
	su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq"
done
#+end_src

Adding =AddKeysToAgent yes= as the first line of =~/.ssh/config= then prompts me for the password of the key on first use and adds it to the ssh-agent again.

* Epilogue

This works, but it should really work out of the box by default. This being OpenBSD, you can rest assured that we are working on it. Stay tuned...
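As an added example (not the hook from the post), here is a more general form of the suspend script above: it collects the agent sockets of one user under a configurable directory, flushes each agent with =ssh-add -D=, keeps going when a socket is stale (a crashed or logged-out session leaves its =agent.*= file behind), and adds a check that an agent really holds no identities anymore. The function names, the directory argument and the =FLUSH_CMD= override are assumptions made for this illustration; the =/tmp/ssh-*/agent.*= layout is the one ssh-agent(1) creates.

```shell
#!/bin/sh
# Added example, not the post's own hook: flush every ssh-agent of one user
# before suspend. Assumptions: sockets live at $1/ssh-*/agent.* (the layout
# ssh-agent(1) creates under /tmp); FLUSH_CMD may be overridden for dry runs.

# Print the agent sockets under directory $1 owned by user $2, one per line.
list_agent_sockets() {
    find "$1" -user "$2" -path "$1/ssh-*" -name 'agent.*' 2>/dev/null
}

# Remove all identities from every agent found by list_agent_sockets.
# Drops to the owning user with su(1) only when run as someone else (the
# apm(8) hook runs as root). A dead agent leaves a stale socket behind; that
# is reported, not fatal, so the remaining agents still get flushed.
# Prints the number of sockets handled.
flush_agents() {
    dir=$1
    user=$2
    cmd=${FLUSH_CMD:-ssh-add -Dq}
    n=0
    # Socket paths never contain whitespace, so word splitting is safe here.
    for sock in $(list_agent_sockets "$dir" "$user"); do
        if [ "$user" = "$(id -un)" ]; then
            SSH_AUTH_SOCK=$sock $cmd || echo "stale or unreachable agent: $sock" >&2
        else
            su "$user" -c "SSH_AUTH_SOCK=$sock $cmd" || echo "stale or unreachable agent: $sock" >&2
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# Return 0 if the agent behind socket $1 holds no identities. ssh-add -l
# exits 1 with "The agent has no identities." when the agent is empty and
# 2 when it cannot reach the agent at all, so only status 1 counts as clean.
agent_is_empty() {
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1 && return 1
    [ $? -eq 1 ]
}

# Typical invocation from /etc/apm/suspend (user name is the post's example):
#   flush_agents /tmp florian
```

The =agent_is_empty= check is worth running after the flush in an =apm= hook: with two or three agents lying around it tells you which one still answers and is now empty, and which socket belongs to an agent that is gone and can be cleaned up.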