guerby | 2 months ago
My personal strategy is to use keys generated this way:
ssh-keygen -t ed25519-sk
Rules:
- A generated key never leaves the machine it was generated on.
- ssh agent is never used
- ProxyJump in HOME/.ssh/config or -J to have convenient access to all my servers.
- DynamicForward and Firefox with the FoxyProxy extension to access various things in the remote network from my local machine (IPMI, internal services, IoT, ...)
- On the web, no passkeys, only simple 2FA WebAuthn.
My understanding is that more features, including "storage", mean more attack surface, so by avoiding it 1/ you're more secure and 2/ it's cheaper.
The white paper on passkeys says their security is equal to the security of the OS (Microsoft Windows, ...), so I avoid passkeys.
PunchyHamster | 2 months ago
smileybarry | 2 months ago
> ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them.
> [...]
> This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used.
IMO the baseline Security Key ($20) series is now enough, unless your setup uses PGP, legacy SSH that doesn't support these key types, or if you're using a real certificate for e.g. code signing.
1: https://www.openssh.org/txt/release-8.2#:~:text=The%20privat...
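The setup guerby describes (hardware-backed key, no agent, ProxyJump, DynamicForward) and the generation step smileybarry quotes from the OpenSSH release notes fit together in a single client config. The following is an added example, not code posted by either commenter; the hostnames, user name, key path and SOCKS port are constructed placeholders.

```sshconfig
# ~/.ssh/config (added example; all names below are constructed placeholders)
#
# Key generation, once per machine, with the FIDO token plugged in:
#   ssh-keygen -t ed25519-sk -C "laptop" -f ~/.ssh/id_ed25519_sk
# The resulting ~/.ssh/id_ed25519_sk is only a handle: signing happens on the
# token, and every ssh connection below needs a physical touch on it.
# The .pub file is what goes into authorized_keys on each server.

Host *
    # Always present exactly this key, never whatever else is lying around.
    IdentityFile ~/.ssh/id_ed25519_sk
    IdentitiesOnly yes
    # No agent: nothing cached, nothing forwardable to a compromised host.
    AddKeysToAgent no
    ForwardAgent no

# The one host reachable directly from the internet.
Host bastion
    HostName bastion.example.net
    User alice

# Internal hosts: a transparent hop through the bastion, equivalent to
# "ssh -J bastion web1". %h expands to the alias on the left (web1, db1).
Host web1 db1
    HostName %h.internal.example.net
    User alice
    ProxyJump bastion

# "ssh -N bastion-socks" opens a SOCKS proxy bound to the loopback interface
# only; point the FoxyProxy extension in Firefox at 127.0.0.1:1080 to reach
# IPMI consoles and other internal web services without exposing them.
Host bastion-socks
    HostName bastion.example.net
    User alice
    DynamicForward 127.0.0.1:1080
```

`ssh -G web1` prints the effective options for a host and is the quickest way to confirm that `proxyjump bastion`, `identitiesonly yes` and `forwardagent no` actually apply before relying on them. Binding DynamicForward to 127.0.0.1 rather than 0.0.0.0 matters: an unbound SOCKS port would let anyone on the local network ride the tunnel into the remote one.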
unknown | 2 months ago
[deleted]