One of our engineers, Paddy Steed, wrote a series of articles on how we each use a Yubikey for SSH, UTF 2FA, and access to 1Password on shared machines when we pair-program. The SSH key is generated on the Yubikey, so it never touches your machine's filesystem.
I broke my head recently trying to get this to work recently. The error was in 2 different gpg binaries that ubuntu ships with. Using gpg2 instead of gpg gets it working.
I have this exact setup working with a Yubikey and was a very happy user until I upgraded my mac to HighSierra, it would appear with the new native PIV integration with OSX that the yubikey is hogged by the OS and gpg can't get access to read it as a smart card. Every attempt to read it is greeted with
```
gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
```
and the only solution I found was to remove OSX and replace it with linux which is now working again.
I haven't updated to High Sierra, but this would be very worrying. Can other people confirm whether or not a Yubikey is working for gpg on High Sierra?
A few weeks ago I found out about Bloomberg BUnit 4[0] (I was looking at their keyboards and got distracted).
I think we need something similar for consumers (as in, I don't want to end up spending 24k for a terminal just for a BUnit).
Basically it's a device that has a light sensor, a fingerprint reader and a code generator - all used to authenticate the user to Bloomberg services.
The closest I've gotten is using something like Trezor[1] or Ledger S Nano[2] (no fingerprint reader/light sensor - but it's protected via a passcode).
It's just one more level of protection on top of a hardware key (username + password + hardware key (protected by a password))
If someone can confirm that non-RSA (ECC, any curve) keys work with this or any guide, I'd appreciate hearing it. As far as I can tell, ECC silently and inexplicably fails at the ssh step. RSA seems to work fine.
This is Ubuntu 16.04, which comes with GnuPG 2.1.11.
No. You need a token running an OpenPGP Card 3.0+ applet for ECC. The Yubikey, while capable of doing ECC in other applets (like the PIV applet) only implements OpenPGP Card 2.1 (maybe 2.2?).
As for the PIV portion: Unfortunately, PIV will not work either. Right now, OpenSSH’s ssh-agent doesn’t have the ability to handle EDSA keys when using PKCS#11 (which is how the agent communicates with the “card”.
Has anyone used Yubikeys in conjunction with Ansible for deploying and maintaining cloud-based server fleets? I'd love some tips on handling the authentication; we'e had a brief foray into the matter, but never found a wholly ideal solution.
Could someone point a broader, general introduction to this topic? I often would like to adopt this technologies, but i always get stuck because I do not feel confident in adopting technologies that I do not fully understand.
As an awesome alternative you can use a Trezor (or KeepKey) with https://github.com/romanz/trezor-agent for GPG and SSH. Unlike the YubiKey, with the Trezor you have have to enter a scrambled numeric PIN to use it.
The last time I tried to set up my YubiKey Nano for SmartCard access the indicator light flashed incessantly. There is no option to turn it off and it is very distracting.
Has anyone else had this experience? Is it possible to turn the flashing off?
Almost anything that can run NeuG can also run Gnuk. You're not going to get tamper-resistant hardware -- unfortunately it's not possible today to buy truly open hardware with a tamper-resistant design -- but you'll get something that most people consider open.
Someone is going to reply to this and note sagely that all commercial hardware is proprietary. I don't interpret craftyguy's question as a rhetorical statement that we're all doomed.
many, however, effectively all of the smartcard hardware implementations are proprietary. The most open one I can think of is the OpenPGP card which is PC/SC standard compatible. It's sold by Free Software Foundation Europe and is colloquially known as the "foundation" card. However, while the applet source that runs on the Java card is available, I don't know about the firmware or runtime libreness.
It's be really great to have an auditable open source processor/soc design with PC/SC compatible interface and secure enclave implemented in an ISO standard smartcard form factor. Alas, to my knowledge nothing like that exists.
Yubikey designs used to be a lot more open than they are currently (you used to be able to run your own applets, IIRC - with some security compromises, of course). That said, I would still personally use them for non-critical things - it's a really handy form factor.
Can someone ELI5 why Yubikeys are better for 2FA than using, say, 1Password, which simplifies the process with cmd + \ and automatically pasting the 2F code? (Even better than Google Authenticator; no need to reach for anything.)
Using 1Password to store your 2fA seed makes it single factor because your password and second factor are stored in the same place. This is not a good idea.
Yubikeys in U2F mode are better than any OTP because they protect you against phishing attacks. 1Password auto-filling arguably has this property too, but you should disable that sort of password manager behavior:
[+] [-] EngineerBetter|8 years ago|reply
http://www.engineerbetter.com/blog/yubikey-all-the-things/
http://www.engineerbetter.com/blog/yubikey-ssh/
http://www.engineerbetter.com/blog/yubikey-static-secret/
http://www.engineerbetter.com/blog/yubikey-2fa/
[+] [-] OJFord|8 years ago|reply
Then FYI you should check, if you haven't already, the version of yubikey you have and replace it if necessary:
https://www.yubico.com/2017/10/infineon-rsa-key-generation-i...
[+] [-] captn3m0|8 years ago|reply
- https://blog.flameeyes.eu/2016/10/gnupg-agent-forwarding-wit...
- https://www.isi.edu/~calvin/gpgagent.htm (Mac OS)
I broke my head recently trying to get this to work recently. The error was in 2 different gpg binaries that ubuntu ships with. Using gpg2 instead of gpg gets it working.
[+] [-] DINKDINK|8 years ago|reply
https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac
https://news.ycombinator.com/item?id=16145586
https://malcolmsparks.com/posts/yubikey-gpg.html
https://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smart...
https://wiki.archlinux.org/index.php/GnuPG#Encrypt_and_decry...
https://www.jfry.me/articles/2015/gpg-smartcard/
https://www.yubico.com/support/knowledge-base/categories/art...
[+] [-] dkhenry|8 years ago|reply
``` gpg: selecting openpgp failed: Operation not supported by device gpg: OpenPGP card not available: Operation not supported by device ```
and the only solution I found was to remove OSX and replace it with linux which is now working again.
[+] [-] goerz|8 years ago|reply
I did find this: https://www.yubico.com/support/knowledge-base/categories/art...
[+] [-] jbboehr|8 years ago|reply
[1] https://rzetterberg.github.io/yubikey-gpg-nixos.html
[2] https://developers.yubico.com/PGP/SSH_authentication/Windows...
[+] [-] sonaltr|8 years ago|reply
A few weeks ago I found out about Bloomberg BUnit 4[0] (I was looking at their keyboards and got distracted).
I think we need something similar for consumers (as in, I don't want to end up spending 24k for a terminal just for a BUnit).
Basically it's a device that has a light sensor, a fingerprint reader and a code generator - all used to authenticate the user to Bloomberg services.
The closest I've gotten is using something like Trezor[1] or Ledger S Nano[2] (no fingerprint reader/light sensor - but it's protected via a passcode).
It's just one more level of protection on top of a hardware key (username + password + hardware key (protected by a password))
[0] https://www.bloomberg.com/professional/support/b-unit/
[1] https://preorder.trezor.io/ (the model T)
[2] https://www.ledgerwallet.com/products/ledger-nano-s
[+] [-] sowbug|8 years ago|reply
This is Ubuntu 16.04, which comes with GnuPG 2.1.11.
[+] [-] subway|8 years ago|reply
Ledger did an OpenPGP Card 3.0 implementation that looks interesting, though the token is pricey: https://github.com/LedgerHQ/blue-app-openpgp-card
[+] [-] CaliforniaKarl|8 years ago|reply
As for the PIV portion: Unfortunately, PIV will not work either. Right now, OpenSSH’s ssh-agent doesn’t have the ability to handle EDSA keys when using PKCS#11 (which is how the agent communicates with the “card”.
The enhancement request is at https://bugzilla.mindrot.org/show_bug.cgi?id=2474
Unfortunately, although people have been maintaining patches, there’s been no official action (that I know of) on this.
[+] [-] linker3000|8 years ago|reply
[+] [-] jopsen|8 years ago|reply
Ideally, you don't deployments manually anyways.
[+] [-] znpy|8 years ago|reply
[+] [-] rendaw|8 years ago|reply
[+] [-] Dowwie|8 years ago|reply
[+] [-] Corrado|8 years ago|reply
Has anyone else had this experience? Is it possible to turn the flashing off?
[+] [-] craftyguy|8 years ago|reply
[+] [-] sowbug|8 years ago|reply
Almost anything that can run NeuG can also run Gnuk. You're not going to get tamper-resistant hardware -- unfortunately it's not possible today to buy truly open hardware with a tamper-resistant design -- but you'll get something that most people consider open.
Someone is going to reply to this and note sagely that all commercial hardware is proprietary. I don't interpret craftyguy's question as a rhetorical statement that we're all doomed.
[+] [-] justinjlynn|8 years ago|reply
It's be really great to have an auditable open source processor/soc design with PC/SC compatible interface and secure enclave implemented in an ISO standard smartcard form factor. Alas, to my knowledge nothing like that exists.
Yubikey designs used to be a lot more open than they are currently (you used to be able to run your own applets, IIRC - with some security compromises, of course). That said, I would still personally use them for non-critical things - it's a really handy form factor.
[+] [-] apas|8 years ago|reply
[+] [-] arachnids|8 years ago|reply
Yubikeys in U2F mode are better than any OTP because they protect you against phishing attacks. 1Password auto-filling arguably has this property too, but you should disable that sort of password manager behavior:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi...