GPG/SSH with the YubiKey 5

Yubico just announced the new YubiKey 5 and of course I needed to buy one! This gave me a great opportunity to update my somewhat popular GPG/SSH with YubiKey guide. The YubiKey 5 includes support for:

- Universal Second Factor (U2F) - FIDO & FIDO 2! (nothing uses FIDO 2 but I had to have it ;)
- CCID Smart Card: RSA (and now ECC) / OpenPGP
- NFC (starting to be supported by some iOS apps)

This guide walks through: [Read More]

Using GPG with Smart Cards

I use SSH daily (with SSH keys) and would like to use GPG routinely (if only the people I conversed with would use it), but key management is always a problem. I don’t like leaving secret keys on my work computer, work laptop, various home computers, etc. To mitigate this problem I used a strong password on each of these keys, which makes actually using them annoying. Enter smart cards… Smart cards let you store the private key on a tamper-resistant piece of hardware instead of scattered across various computers (where it can be accessed by other users of the machine, malicious software, etc.). [Read More]

OpenBSD Yubikey Authentication

OpenBSD includes out-of-the-box support for login via YubiKey. Yay! OpenBSD doesn’t authenticate against a central server (such as the service offered by Yubico) to verify a YubiKey. This is good because I don’t have to trust a third party with my credentials. Unfortunately, this also means that OpenBSD is tracking the “last-use” counter locally (not centralized), which means that without somehow synchronizing the “last-use” value I can only safely use a YubiKey token on a single machine. [Read More]

OpenBSD Yubikey Authentication with PIN

I think that using the YubiKey for authentication is worthwhile. OpenBSD’s current implementation of login_yubikey.c, however, relies entirely on the one-time password. I think the system would be stronger combining the YubiKey with an additional PIN so that a compromise of the physical security of the token doesn’t compromise the associated account. My work is loosely based on Remi Locherer’s suggested patch. Where it differs is that I’d like to add an optional additional PIN to the authentication rather than use an existing credential, such as the system password. [Read More]