florian/tlakh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8c81824984
tlakh/new-sshagent-work.org
Florian Obser db0cdd31cf new-sshagent-work
2024-07-16 18:39:03 +02:00

65 lines
2.2 KiB
Org Mode
Raw Blame History

#+TITLE: new-sshagent-work
#+DATE: 2024-07-16
* Prologue
So I got a YubiKey 5C Nano handed to me.
Things kinda got out of hand.
* Setup
The key is so small that it will just stay in one of my laptop's USB-C
ports.
I want to use the key for =ssh= authentication.
Step one is to disable OTP because I do not want to spill random
strings into my tty every time I touch it by accident:
#+begin_src shell
rcctl -f start pcscd
ykman config usb -d OTP
rcctl -f stop pcscd
#+end_src
Next we create an non-resident =ed25519-sk= key.
That is the key type used for FIDO keys:
#+begin_src shell
ssh-keygen -t ed25519-sk
#+end_src
FIDO keys consist of two parts: a key-handle and a private key.
The private key stays on the FIDO token and is combined with the
key-handle for signing operations.
For a non-resident key the key-handle is stored on disk in the
private-key file and is password protected.
=/etc/X11/xenodm/Xsession= starts [[http://man.openbsd.org/ssh-agent][ssh-agent(1)]] and calls [[http://man.openbsd.org/ssh-add][ssh-add(1)]] to
add the standard identities to the ssh-agent.
I have to touch the token on every use of the =ed25519-sk= key.
Assuming the FIDO token works correctly, nobody can steal my private
key remotely.
Theo de Raadt (deraadt@) pointed out a problem with the key at rest,
when I suspend my laptop I want to remove the key from the agent and
re-add it at first use on resume.
We were puzzling around with this for a bit at =c2k24= but did not
make too much progress.
* A Triumph in Modern Igoring
Back home I remembered an option that I had to use on my macOS work
laptop to make the ssh-agent work correctly: =AddKeysToAgent=
Having this in =/etc/apm/suspend= removes all keys from my agent on
suspend:
#+begin_src shell
#!/bin/sh
for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do
su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq"
done
#+end_src
Adding =AddKeysToAgent yes= as first line to =~/.ssh/config= then
prompts me for the password of the key on first use and adds it to the
ssh-agent again.
* Epilogue
This works, but it should really work out of the box per default.
This being OpenBSD, you can rest assured that we are working on it.
Stay tuned...
Reference in New Issue View Git Blame Copy Permalink