The code and data behind xeiaso.net

ssh key storage

Signed-off-by: Xe Iaso <me@christine.website>

Xe Iaso ff64215d a12c957a

+64
+64
blog/yubikey-ssh-key-storage.markdown
··· 1 + --- 2 + title: How to Store an SSH Key on a Yubikey 3 + date: 2022-05-27 4 + series: howto 5 + tags: 6 + - yubikey 7 + - security 8 + --- 9 + 10 + SSH keys suck. They are a file on the disk and you can easily move it to other 11 + machines instead of storing them in hardware where they can't be exfiltrated. 12 + Using a password to encrypt the private key is a viable option, but the UX for 13 + that is hot garbage. It's allegedly the future, so surely we MUST have some way 14 + to make this all better, right? 15 + 16 + <xeblog-conv name="Numa" mood="delet">\>implying there is a way to make anything 17 + security related better</xeblog-conv> 18 + 19 + Luckily, there is actually something we can do for this! As of [OpenSSH 20 + 8.2](https://www.openssh.com/releasenotes.html#8.2) (Feburary 14, 2020) you are 21 + able to store an SSH private key on a yubikey! Here's how to do it. 22 + 23 + <xeblog-conv name="Mara" mood="hacker">This should work on other FIDO keys like 24 + Google's Titan, but we don't have access to one over here and as such haven't 25 + tested it. Your mileage may vary. We are told that it works with the Google 26 + Titan key that is handed out to Go contributors.</xeblog-conv> 27 + 28 + First install `yubikey-manager` (see 29 + [here](https://www.yubico.com/support/download/yubikey-manager/) for more 30 + information, or run `nix-shell -p yubikey-manager` to run it without installing 31 + it on NixOS), plug in your yubikey and run `ykman list`: 32 + 33 + ```console 34 + $ ykman list 35 + YubiKey 5C NFC (5.4.3) [OTP+FIDO+CCID] Serial: 4206942069 36 + ``` 37 + 38 + If you haven't set a PIN for the yubikey yet, follow 39 + [this](https://docs.yubico.com/software/yubikey/tools/ykman/FIDO_Commands.html#ykman-fido-access-change-pin-options) 40 + to set a PIN of your choice. 
Once you do this, you can generate a new SSH key 41 + with the following command: 42 + 43 + ``` 44 + ssh-keygen -t ed25519-sk -O resident 45 + ``` 46 + 47 + <xeblog-conv name="Mara" mood="hacker">If that fails, try `ecdsa-sk` 48 + instead! Some hardware keys may not support storing the key on the key 49 + itself.</xeblog-conv> 50 + 51 + Then enter in a super secret password (such as the Tongues you received as a kid 52 + when you were forced into learning the bible against your will) twice and then 53 + add that key to your agent with `ssh-add -K`. Then you can list your keys with 54 + `ssh-add -L`: 55 + 56 + ```console 57 + $ ssh-add -L 58 + sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKgGePSwpBuHUhrFCRLch9Usqi7L0fKtgTRnh6F/R+ruAAAABHNzaDo= cadey@shachi 59 + ``` 60 + 61 + Then you can copy this public key to GitHub or whatever and authenticate as 62 + normal. The private key is stored on your yubikey directly and you can add it 63 + with `ssh-add -K`. You can delete the ssh key stub at `~/.ssh/id_ed25519_sk` and 64 + then your yubikey will be the only thing holding that key.
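Review bot: `ssh-keygen -t ed25519-sk -O resident` on line 44 produces a resident key that needs only a touch to sign, so the PIN set on lines 38-40 is enforced only when the key is loaded with `ssh-add -K`, not on each use; consider adding `-O verify-required` to the command (or at least a sentence about it) so readers know the PIN can be required for every authentication. The advice on lines 63-64 to delete `~/.ssh/id_ed25519_sk` so the yubikey is "the only thing holding that key" deserves a caveat that a lost or broken yubikey then means the key is gone outright, so a second key or a backup credential should be enrolled on GitHub before the stub is removed. Smaller points: "Feburary" on line 20 should be "February"; the fence on line 43 lacks the `console` tag used on lines 33 and 56; "it" and "them" disagree in "They are a file on the disk and you can easily move it to other machines instead of storing them in hardware" on lines 10-11; and lines 62-63 repeat the `ssh-add -K` instruction already given on line 53.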