> On Mar 23, 2020, at 8:48 PM, William Herrin <[email protected]> wrote:
>> If they *do* steal both,
>> they can bruteforce the SSH passphrase, but after 5 tries of guessing
>> the Yubikey PIN it self-destructs.
>
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.

https://www.yubico.com/products/identifying-your-yubikey/

The (presumably) Yubico OTP/OATH/HOTP string from a Yubikey that you may have picked up six years ago on a lark doesn’t even begin to scratch the surface. The integration with FIDO2 in the low-end models in OpenSSH 8.2 in particular is very spiffy (and not to be confused with PIV or OpenPGP mode).

-r

