michael/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Adds yubikey note about ssh keys.

Browse Source
This commit is contained in:
Michael Housh
2025-03-28 14:24:32 -04:00
parent 35d5a340bb
commit 335a6e74c3
1 changed files with 29 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
Yubikey.md
View File

@@ -4,6 +4,7 @@ A list of sites that my yubikey's are registerd with.
| Site | Primary Key Registered | Backup Key Registered | | Site | Primary Key Registered | Backup Key Registered |
| -------------------- | :--------------------: | :-------------------: | | -------------------- | :--------------------: | :-------------------: |
| Cloudflare | ✅ | |
| Facebook | ✅ | | | Facebook | ✅ | |
| first-financial-bank | ✅ | | | first-financial-bank | ✅ | |
| github | ✅ | | | github | ✅ | |
@@ -211,25 +212,45 @@ Remove the yubikey and try again, it shouldn't be possible without the yubikey b
> being the important part > being the important part
> [stack-overflow-link](https://stackoverflow.com/questions/78554135/unverified-github-commits-using-gpg-keys-on-yubikey). > [stack-overflow-link](https://stackoverflow.com/questions/78554135/unverified-github-commits-using-gpg-keys-on-yubikey).
## Setting up macOS to use gpg-agent for ssh ## FIDO SSH setup
The following lines need added to `~/.gnupg/gpg-agent.conf`, `enable-ssh-support`. [Setup Instructions](https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html)
> Note: I tried using the GPG ssh-agent, but it was tough to get configured properly and this FIDO
> method is more similar to how I'm used to working with SSH.
You must setup a FIDO PIN prior to starting, which can be done in the `Passkeys` section of the
Yubico-Authenticator app.
I had to start by installing OpenSSH and reload my shell.
```bash ```bash
echo enable-ssh-support > ~/.gnupg/gpg-agent.conf brew install openssh && zsh -l
``` ```
The following lines were added to `.zshrc` to enable the usage of the gpg-agent for ssh (should need Generate the SSH credentials, make sure to secure the private key that is generated with a
to be done again, as long as dotfiles are installed and linked correctly). passphrase. When using SSH you will need to provide the password to unlock the private SSH key and
also a short press on the yubikey.
```bash ```bash
gpgconf --launch gpg-agent ssh-keygen -t ed25519-sk -O resident -C "Yubikey (primary)"
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
``` ```
#### Adding SSH key to another computer, using the yubikey.
Move into SSH directory and generate key (yubikey needs to be plugged into the computer).
```bash
cd ~/.ssh && ssh-keygen -K
```
> Note: This makes syncing passwords using `gopass` a PITA the way I currently have it setup with
> different password stores, I may have to consolidate them into a single store to make the friction
> less.
## Setting Up at First Financial Bank {#first-financial-bank} ## Setting Up at First Financial Bank {#first-financial-bank}
When setting up I could only use my phone it wouldn't allow me on my computer. Once you tab the When setting up I could only use my phone it wouldn't allow me on my computer. Once you tap the
device to the phone it prompts for a PIN, this is referring to the FIDO PIN that needs setup prior. device to the phone it prompts for a PIN, this is referring to the FIDO PIN that needs setup prior.
This took me a while to figure out and had to factory reset the FIDO application on the yubikey This took me a while to figure out and had to factory reset the FIDO application on the yubikey
after too many failed attempts where I used the primary PIN to try and unlock the yubikey. after too many failed attempts where I used the primary PIN to try and unlock the yubikey.