Making the most out of my YubiKey (SSH)

Since about 2020 I’ve been happily using a pair of YubiKey 5C NFCs. Using them for FIDO2 on the websites that support it is a nice security addition (unfortunately, some websites still don’t provide proper support).

In the meantime, I discovered that OpenSSH 8.2 introduced FIDO/U2F support. In practice this means that you can now generate an SSH key whose private part lives inside your YubiKey (a so-called resident key) and authenticate with it.

⚠️ The private key can’t be extracted from your YubiKey, which means you can’t copy the same key to another device: each security key gets its own key pair.

OK, with that in mind, let’s see how this all works. The process is really simple and shouldn’t take long to finish.

🗒️ This is supposed to work with YubiKeys, your experience may be different with other FIDO keys.

Change your PIN

This is an important step: you should set up a PIN before anything else. You can easily install the YubiKey Manager tool with Nix by running:

$ nix shell nixpkgs#yubikey-manager

Generate SSH Key

With your YubiKey still plugged in, run the command below to create your private key and public key. Before you run it, you should consider two things first:

Now that you’ve thought about the previous points, you can run the command. 😜

$ ssh-keygen -t ed25519-sk -O resident

This will guide you through a regular SSH key generation, where you choose where the key files are saved and set a passphrase for the private key file. After this step you should have your public key on disk, and you can load the resident key into your OpenSSH authentication agent with:

# load resident keys from the plugged-in YubiKey into the agent
$ ssh-add -K
# list the keys the agent now holds
$ ssh-add -L
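The whole procedure above, as an added example that is not part of the original post, wrapped in a shell script with the two checks I would want around it: that the installed OpenSSH is 8.2 or newer before running `ssh-keygen -t ed25519-sk`, and that the agent really holds a security-key-backed key afterwards. Two things are assumptions rather than content from the post: the PIN command is `ykman fido access change-pin` (ykman 4 and later; `ykman` is expected to be on the path, e.g. inside `nix shell nixpkgs#yubikey-manager`), and `SAMPLE_AGENT_OUTPUT` is a constructed stand-in for `ssh-add -L` output with placeholder key blobs.

```shell
#!/bin/sh
# Added example, not from the original post: the post's steps wrapped in a
# script with the two checks a practitioner wants around them.
# Assumptions (not stated in the post): ykman >= 4, whose FIDO PIN command
# is `ykman fido access change-pin`, and a POSIX sh with sed and grep.

# Constructed sample of `ssh-add -L` output: two security-key-backed keys and
# one classic RSA key. The base64 blobs are placeholders, not real keys.
SAMPLE_AGENT_OUTPUT='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE1 yubikey-a
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE laptop-legacy
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE2 yubikey-b'

# Return 0 if an `ssh -V` banner reports OpenSSH 8.2 or newer, the first
# release with FIDO/U2F (ed25519-sk) support; return 1 otherwise.
openssh_supports_sk() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Print how many keys in `ssh-add -L` output are security-key-backed ed25519
# keys, i.e. keys the agent can only use while the YubiKey is present.
count_sk_keys() {
    printf '%s\n' "$1" | grep -c '^sk-ssh-ed25519@openssh.com ' || true
}

main() {
    openssh_supports_sk "$(ssh -V 2>&1)" || {
        echo "OpenSSH 8.2 or newer is required for ed25519-sk keys" >&2; exit 1; }
    command -v ykman >/dev/null 2>&1 || {
        echo "ykman not found; run inside: nix shell nixpkgs#yubikey-manager" >&2; exit 1; }

    # 1. Set (or change) the FIDO2 PIN; creating resident keys requires one.
    ykman fido access change-pin

    # 2. Generate the resident ed25519-sk key pair (the post's command).
    ssh-keygen -t ed25519-sk -O resident

    # 3. Load resident keys from the YubiKey into the agent, then confirm
    #    that at least one security-key-backed key is actually loaded.
    ssh-add -K
    n=$(count_sk_keys "$(ssh-add -L)")
    [ "$n" -ge 1 ] || { echo "no sk-ssh-ed25519 key loaded in the agent" >&2; exit 1; }
    echo "ok: $n security-key-backed key(s) available to ssh-agent"
}

# Only run the procedure when invoked as `sh yubikey-ssh.sh run`, so the
# helper functions can be sourced and checked without touching hardware.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh yubikey-ssh.sh run` with the YubiKey plugged in; the version check is done on the `ssh -V` banner because an older OpenSSH fails with an unhelpful "unknown key type" message rather than saying it lacks FIDO support, and the final count guards against the common mistake of having the key on disk but never loaded into the agent.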

