I'm probably just over thinking this and overly paranoid.
It kind of goes without saying that losing the key results in you getting locked out - if there was any other way there wouldn't really be much of a point to the complication of making yourself dependent on a stick.
As a backup, you either have some kind of spare keys in safe storage or reliable access to someone who can restore your access after having identified you.
* in some case you could generate the key beforehand on a computer, and then load it on a stick (unsure about yubikeys though). You should still revoke your key anyway once your stick is lost - as you should assume it could be found and used, sometimes needing only a touch operation rather than a PIN.
> As a backup, you either have some kind of spare keys in safe storage or reliable access to someone who can restore your access after having identified you.
I have two Yubikeys, but I don't consider the second one as "spare" that has to be locked away. I carry one USB-C/NFC key on my key chain. The other is a USB-A Yubikey nano, which is always at home in my desktop's monitor USB port so I can reach it very easily. By using both regularly, I'm more likely notice if one key gets broken or lost.
> * in some case you could generate the key beforehand on a computer, and then load it on a stick (unsure about yubikeys though). You should still revoke your key anyway once your stick is lost - as you should assume it could be found and used, sometimes needing only a touch operation rather than a PIN.
You can do that with yubikeys. You can copy the same secrets to a different key or store them somewhere safe. I considered doing this, but in the end all services that I use allowed to add two keys which seems like the better option. My reasoning was that if I have two identical keys A/B and I loose key A, I would have to immediately invalidate key B too - but before I can do that I would need to:
1. get a replacement key C 2. setup new secrets for key C and store them 3. then log into every service to add the key C and remove key A/B 4. reset key B to use the same secrets as key B
Up until point 3 (which my take a while until I get key C, unless I would always have a third key lying around) all accounts are vulnerable. On the other hand if I have two separate keys with different secrets, I can just remove the lost key from all services and deal with the replacement key later.
There was (is?) a vulnerability in Google Titan keys (and some Yubico products as well) that allowed cloning of keys (having a physical access is a pre-requisite).
Let me store my key in a secure, offline, physical device... and extract to clone it when my yubikey is worryingly old.
My threat model does not include physical attacks, but storage of a key on-device or in backups? Or forgetting a password for an encrypted archive? yep.
That makes these systems entirely useless at protecting against house fires, signups while away from home, or simply services that are too lazy to support your backup style (looking at you, AWS).
I think what we need is one master key that can be backed up in a offsite location (e.g. safe deposit box, lawyer, parents, trusted friends), and then have all subsequent secrets generated from it, or encrypted with it and stored somewhere publicly accessible.
This is a very good point. Essentially what you are describing here is a certificate authority.
The Yubikey, in this scenario, just acting as an 'offline CA'
It's a very good idea, but requires software being built to accept an authentication hierarchy.
Effectively it means all integrations must support multiple keys, and you’ll have to register both. Of course, this doesn’t work everywhere, such as AWS. In those cases, I typically use my “main” key.
I’d argue that the key breaking due to wear or being lost is less of a risk than human error: just last week I had to enter the admin GPG code for the first time in years, and I forgot it initially, which caused the device to lock itself, and apparently the recovery code didn’t work. Caused me a few hours of stress to get it resolved.
So yeah it requires some discipline. What’s important is that you need to identity the services you absolutely cannot lose access to: in my case it’s my email and password manager. For those two, I properly manage backup codes, regularly test both yubikeys, etc. The rest can all be recovered through email, if it needs to be.
The same Gpg key can be used for SSH too.
You can generate keys inside Yubikey, but you also have the option of bring your own key, which surely you keep safe offline.
I’ve worked around that by creating one IAM user per Yubikey.
Now this is scary.
I'm going to reveal some of my opsec but my password manager (pass(1)) does have yubikeys registered but it also accepts my GPG key. So even if I lose my yubikeys I can still unlock all the passwords, otp codes and everything I have in there.
I just can't feel comfortable with any other solution than my head being the final master key.
Here's my take on the automation: https://github.com/mihaigalos/pass
Personally I just generated my key offline (on a tails livecd) and backed it up to two different LUKS-encrypted USB sticks. One of those is stored at my place and another one at a trusted person, in case my flat burns down or so. The yubikey itself only stores subkeys, my master key stays on said USB sticks.
Been using this setup for about 5 years now and it's been working well for me so far. Once a year, I extend my gpg keys expiration time by using on of the USB sticks.
I did find out however that my old Ledger X can do U2F and GPG so I'm trying to learn how to use it. This Ledger was my first first hardware wallet but I got a coldcard which in my opinion is a better bitcoin wallet. I had no idea what to do with the ledger - second hand market for these things are a big nope. I was pleasantly surprised when I found out there are apps that allow the Ledger to perform some of the Yubikey functions.
So this doesn't really matter, because with enough incorrect PIN attempts the YubiKey will wipe the credentials. Store it somewhere it won't get destroyed, but don't worry too much about theft.
What I'd love to see would be some kind of "trust relationship" between two security keys – ie, if I had set up an account with key 1, but tried to access it with (transitively-trusted) key 2, I would be granted access.
I just import my `authorized_keys` that I keep up-to-date on my new server when I do the initial setup.
This is perhaps not ideal perfect security, but ultimately security is a always a tradeoff with usability and losing a physical item probably has greater chances than someone deliberately trying to get your private key.
Ideally though you would rotate keys if you lost your yubikey because you never know if the password was compromised or not.
It can work like Google Authenticator (using OTP), except it's not tied to a single device.
Not as safe as Yubikey, but likely a good compromise between security and user stupidity protection.
Also:
- 1Pw blocks itself after a few min without use.
- Installing 1Pw for the first time in a device is a bit more bureaucratic than a simple login.
I really think any MFA needs something to protect users from forgetting stuff to be successful. Even if it's something stupid like going physically to a store. I can't stand the idea that by loosing my two keys I will loose access to all my things and there's no one who can help me.
If one is leaked or accessed, so is the other.
It only really provide protection against the most basic / passive MITM attacks.
Print those out and store them somewhere. Then if you loose your yubikey you recover access with those.
If you're too lazy to print them, the just store them in an encrypted tarball, using a very long password (and then rarely open it).
Having the extra key is also fine, but it means you need to have the key around whenever you signup for a new service.
In an ideal world, I would encrypt recovery codes with a public-key and have the private key for decoding them buried in the back yard.
Then put the second key on your desk. My yubi happens to be annoying to fiddle with since it's on my keychain, so I use the desk one for signing most of the time.
If there's a house fire, you'll have your phone on you. If you lose your phone, you'll have a key at home.
I've a USB dongle at my office workstation (not a laptop, good ol' desktop) and I use Yubikey to store boot decrypt password. I do have a backup.
The anecdote is this: I have to take my keys out of my pocket and then insert Yubikey into the dongle. Naturally - I forgot to take the Yubikey and the keys back, cycled back home (6km away), realized I don't have the keys to my house, had to cycle back, couldn't get into the building, had to call my coworker to come back to let me in.
And I'm glad it happened. For the past 4 years (since it happened), I've muscle-memory when it comes to handling my physical keys and how I use the Yubikey.
Or just have another way to sign in. Generate random password for root user, store it in your password manager, disable root login via SSH and... whenever you find your user locked out, log via root via console. In a corporate environment, you could audit and alert whenever root logs in as it should be only "recovery" user.
IF my primary key gets lots, I'd hope the one backup one won't suddenly fail that same day -- if it does, then there's a problem.
The annoying bit is having to add all 2FA tokens to the backup one -- which is tricky if you want to store if off-site, since you need to bring it in every once in a while to add all the new 2FA secrets to it.
What kind of key-breaking do you think can still screw me over?
Given my "threat model", I don't need a lot of security, so that's one on my person, two other places that are in tamper evident containers.
Many systems still don't have OpenSSH 8.2 (Windows 11, older debian stable, etc). For those, another solution is to use the PGP applet of the YubiKey, which exposes a regular RSA key.
This guide has worked well for me: https://github.com/drduh/YubiKey-Guide
You can jump to the SSH sections if that's all you're after.
There's a missing piece for Windows, since the agent coming with WinGPG won't be reachable by SSH. Some guy on GitHub put out a workaround, but I can't find it right now.
--
edit: The workaround for Windows is this one: https://github.com/rupor-github/win-gpg-agent
A bit pedantic, but what's currently "Debian stable", Debian 11, has OpenSSH 8.4. The previous release, Debian 10, has OpenSSH 7.9, but it is no longer called stable (instead, it's sometimes called "oldstable").
With newer Yubikeys you can also use ECC PGP keys:
> Support for Elliptic Curve Cryptographic Algorithms have been added to the YubiKey 5.2.3 and above firmware.
https://developers.yubico.com/PGP/YubiKey_5.2.3_Enhancements...
You must then use the SSH installed within 'C:\Program Files\OpenSSH\ssh.exe' and not the builtin within system32.
While this only works for a subset I'll stay with my RSA key in PIV mode on yubikey. Works great.
1. gpg-agent must act as your ssh-agent (which means ssh-agent should be disabled and replaced by gpg-agent).
2. If using `pinentry-curses` (YubiKey usually permits access to the contained GPG key via the use of a pin), you must have `export GPG_TTY=$(tty)` (or your shell's equivalent of setting the GPG_TTY environment value to the output of `tty`).
3. You can fetch the public key of your GPG key with `ssh-add -L` (gpg-agent must be acting as your ssh-agent, and the YubiKey with the GPG key has to be plugged in).
4. You must have the line `enable-ssh-support` in your `$GNUPGHOME/gpg-agent.conf`.
I used a guide[1] to set up a GPG key on to a YubiKey, and for those who don't want to use GPG, the guide also has a section[2] about just using an SSH key as well.
Resident keys are (partially?) created on the hardware token and thus can't be replicated. The GPG keys can be pushed to a couple of YubiKeys before you delete them forever (or keep a paper backup somewhere safe).
- source code: https://github.com/silentsignal/zsca
- my talk about the design and results: https://pretalx.hsbp.org/camppp7e5/talk/D3E9HN/
I use them for SSH, but also for 2FA on the web, `sudo` and a few other items. Wrote about it recently here:
https://hugo.barrera.io/journal/2022/05/07/how-i-secure-my-s...
They are thus not limited to Yubico's proprietary functionality controlled by Manager, which has a wider attack surface than I am comfortable with, and are not limited to platforms running the Yubikey Manager software (e.g. on OpenBSD). Since the key has never been outside the USB enclave, there is no way it could have been surreptitiously copied, e.g. if there was a rootkit on the machine where the key was generated before copying to the Yubikey.
Or does the on-the-fly key generation use random bytes stored in the stub?
EDIT: `-O resident` might be what is doing it though, I wasn't aware of this option.
Indeed. This will use FIDO 2 Discoverable Credentials / Resident Keys. Those are fully stored on-key (but their number is limited): https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Gu....
Non-resident keys will basically give out the private key encrypted with a static master key as the key handle and thus support an unlimited number of keys. If you lose the key handle, then the key is gone. That's probably what you were experiencing with your Titan.
In the past, I postponed setting this up after I encountered issues. I tried to run "ykman", but it seemed to fight with "yubioath-desktop". It was tricky to debug and I ended up rebooting. I think the reason was that I installed "yubioath-desktop" using snap, which runs "pcscd" as a snap service, and "ykman" wants to start the "pcscd" system service.
Either case, for this tutorial, I skipped the part running 'ykman'. Basically the only commands were:
ssh-keygen -t ed25519-sk -O resident
ssh-add -KImagine needing to touch the Yubikey with each "git pull" or using Ansible to operate over SSH on a dozen servers in parallel, and needing to touch the Yubikey once for each server.
The feature request I'm tracking is here: https://github.com/FiloSottile/yubikey-agent/issues/95
The proposed feature would allow setting a touch policy for the SSH key.
I have a small encrypted disk image that I mount, after booting my computer. A YubiKey would be similar. I use this to store my really critical stuff. I don’t back up the mounted disk, but do back up the encrypted image.
I tried using symlinks or aliases, but that did not work. 1Password simply created a new vault.
doesn't that defeat the point of using a yubikey where the private key itself is never read from the device during authentication?
Also, how can one remove the SSH keys from the Yubikey?
I've tried to find articles and SSH on the Yubikey gets very confusing as there seem to be so many techniques!
$ ssh-add -L
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKgGePSwpBuHUhrFCRLch9Usqi7L0fKtgTRnh6F/R+ruAAAABHNzaDo= cadey@shachi
I am looking for a command that shows what's on the yubikey.
From what I gather, if the command from the article is run: "ssh-keygen -t ed25519-sk -O resident", the key is stored in a FIDO2 slot.
If that's the case, my question is how to show what is in the FIDO2 slots and how to delete them?
- https://www.yubico.com/blog/github-now-supports-ssh-security...
- https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.ht...
- https://developers.yubico.com/SSH/
The second link describes the advantages/disadvantages of non-resident vs. resident keys.
For my trusty HyperFIDO Mini (usb id 0x2ccf:0x0880) this doesn't work, though it's rather old (1st gen) and maybe they refreshed it to support this. ssh-keygen fails with "Key enrollment failed: requested feature not supported". I wanted to replace it with a USB-C (& maybe NFC) device anyway, so seems like a good opportunity.
For WebAuthn this enables "usernameless" login. You rock up to a random PC anywhere in the world, go to example.com, just click "Sign in", and your authenticator is like, "Hi example.com, according to my records I am archi42, user 123456-ACBDE-123 and as proof here's a signature made with my unique private key" and the site checks its database and signs you in. Convenient and fairly secure (most devices with such a feature expect a PIN, or a fingerprint, or some such factor beyond "something you have" in the form of the authenticator itself).
For SSH, this means the magic file that makes SSH with FIDO work can be regenerated on another client machine by just asking it to spit out the credentials.
Chances are your device does not have this feature, usernameless login on the web is rare, so few people need this, and of course it's a considerable extra hardware implementation burden. Yubico products have it though, as do some others, and the phone implementations (iPhone, newer Android) likewise.
If you mostly use the same machines (laptop, maybe a desktop) for SSH, the resident feature isn't important, just don't write "-O resident" and remember that although they aren't a security feature the resulting files are unique and if you don't have them you can't log in. If you regularly use different machines for SSH login because you're say, a roaming technician logging in to physical hardware on site or you insist on travelling very light, then it's very valuable and worth upgrading to get the resident feature.
I got the hyperfido 5 years ago and doubted they're still selling the same hardware today. I exchanged a few mails someone from their C-suite back then on the topic of using the keys for SSH, and it wasn't easily possible back then (also: he seemed very nice [cue Canada meme], so I didn't want to spread falsehoods about the company on HN). Actually I checked right now, and their current offerings seem to support FIDO2 (also: the model number & name changed slightly). So I suppose their current generation should work.
//edit: ah, your pointer was still worth the effort. I tried non-resident and ecdsa-sk works with my key (but not ed2219-sk). I still need a new key because I want to have a resident key :)
As a result, lots of systems that are not bleeding edge still don't accept them, for example Gerrit.
On the other hand, probably we should have learned by now that even apparently trivial verification steps are too easy to get wrong (or plain omit) and so you really want to delegate all of this work to just one implementation which was actually written by people who know what they're doing and, preferably also formally verified as correct since people who "know what they're doing" still make far too many mistakes. Thus, maybe there shouldn't be so many independent (and likely in some cases, wrong) implementations of this check.
Wait, what? My wife stopped going to Awanas when some leader told her she was going to hell for not learning the Bible verses. Later I learned that her father was pissed off about the whole situation.
"M05 27 2022" seems to indicate that it's in fact MM DD YYYY not DD MM YYYY