Re: [gentoo-user] Re: yubikeys
On 22.07.2015 09:48, Stefan G. Weichinger wrote: BTW, I have 2 keys at hand already, thanks. I am considering getting some of the tiny nano-keys for my thinkpads.

Learning and testing go on. As I try setting this up with 2 keys on 3 physical machines, with 2 distros (fedora and gentoo) and 5 installations ... this gets quite complex ;-) (customer servers not counted ... sure)

I try to put all my steps into a separate ansible playbook to automate it. This should be a boildown of dozens of howtos and blog entries I read and sourced over the last weeks.

For example, I set up local authentication via challenge-response today: to log in to my system you need to have a correct password AND one of my yubikeys has to be plugged into the box. This leads to thinking about what kind of protection this provides and which it does not ... but it raises the overall level. (for laptops: a Neo-N plugged in all the time? convenient .. but .. ? )

One has to think of an emergency routine for how to access one's own system if the key gets lost etc etc -

In general I have to say that playing with Yubikeys and using LastPass helped me to think about several weak points in my overall setup.
Re: [gentoo-user] Re: yubikeys
On 2015-07-20 at 01:24, walt wrote: Congratulations. Yubikeys don't look trivial to set up. I forgot to mention that Noah (the guy from the podcast) mentioned that he has two yubikeys, set up identically, in case he loses one of them. Seems that losing the only one you have would be like losing your wallet with all your credit cards inside. A nightmare.

Mostly you set it up for 2-factor authentication: if you lose it, the finder/thief/attacker only has one factor, the key, and not the 2nd factor, the passphrase (or master password, when you use it with LastPass). So in that case you use your second yubikey to log in to the service(s) and remove the id of the lost key from the settings ... and that lost key can never be used to unlock your account there.

With ssh-keys *on* the yubikey it's a bit different: you have to revoke these (sub-)keys then, but still your ssh-keyring should be protected by a 2nd factor, your passphrase.

BTW, I have 2 keys at hand already, thanks. I am considering getting some of the tiny nano-keys for my thinkpads.
Re: [gentoo-user] Re: yubikeys
On 2015-07-19 at 00:45, walt wrote: On Sat, 18 Jul 2015 12:21:39 +0200 Stefan G. Weichinger li...@xunil.at wrote: Does anyone (aside from Diego, as I know from his blog) use Yubico Yubikeys with Gentoo? I am especially interested in getting it to work within Gnome, to authenticate ssh-sessions (using the smartcard feature of the Yubikey NEO). There are X howtos out there ... telling me to add udev-rules, disable gnome-keyring, run keychain ... etc etc

What an amazing coincidence. I just listened to a podcast about an hour ago where the process was explained in detail (even mentioning the NEO model and smartcard in particular). Weird. I'm curious to know if this link actually gives you what you asked for: http://www.jupiterbroadcasting.com/85062/ssh-authentication-with-yubikey-las-373/ You can either watch (or listen to) the podcast, or scroll down the page about one-third to see written instructions. (Instructions based on ubuntu, not gentoo, but I'm sure you can translate :)

Thanks. OK, I didn't know about that piv-tool yet; I will build it later today and try it. The instructions there seem to be simply taken from the yubico website: https://developers.yubico.com/yubico-piv-tool/SSH_with_PIV_and_PKCS11.html

The howto doesn't use gpg-(sub)keys for ssh-auth; so far I followed howtos like this: https://stafwag.github.io/blog/blog/2015/06/16/using-yubikey-neo-as-gpg-smartcard-for-ssh-authentication/

As I have an existing gpg-keyring I am cautious not to break things. So I added subkeys with 2048 bits to make them fit on the SC-part of the Neo Yubikey (my main key is 4096 bits long). This guy http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ moves on to a new main key while doing all this ... maybe I should consider this as well.

All the howtos out there have in common that the process of handling all the needed parts feels kind of unintuitive and scary. And I always wonder if I haven't missed a thing and locked myself out forever ;-)

I had ssh using the (gpg-)subkey from the card already on one machine. Somehow it stopped working again and I am not sure what I screwed up.

All this led me to using keychain ( https://wiki.gentoo.org/wiki/Keychain ) ... to control agents for gpg and ssh (and cache PINs/passphrases). So I have to disable parts of the gnome-keyring (maybe the whole?) to let keychain manage that. Many moving parts included.

Stefan
[gentoo-user] Re: yubikeys
On Sun, 19 Jul 2015 23:01:14 +0200 Stefan G. Weichinger li...@xunil.at wrote: On 2015-07-19 at 08:31, Stefan G. Weichinger wrote: Thanks. OK, I didn't know about that piv-tool yet; I will build it later today and try it. The instructions there seem to be simply taken from the yubico website: https://developers.yubico.com/yubico-piv-tool/SSH_with_PIV_and_PKCS11.html tldr: works

Congratulations. Yubikeys don't look trivial to set up. I forgot to mention that Noah (the guy from the podcast) mentioned that he has two yubikeys, set up identically, in case he loses one of them. Seems that losing the only one you have would be like losing your wallet with all your credit cards inside. A nightmare.
Re: [gentoo-user] Re: yubikeys
On 2015-07-19 at 08:31, Stefan G. Weichinger wrote: Thanks. OK, I didn't know about that piv-tool yet; I will build it later today and try it. The instructions there seem to be simply taken from the yubico website: https://developers.yubico.com/yubico-piv-tool/SSH_with_PIV_and_PKCS11.html

tldr: works ;)

longer: got it working, yes ... caching the PIN with keychain did not work for me so far, but I was able to generate, roll out and use a PIV-based ssh-key on a few machines. Great.

My todo: I roll all that into my ansible playbook which provisions my (desktop) machines so that all the fuzzing around is replayable and in turn also documented somehow.

thanks so far, Stefan
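Two steps in this thread lend themselves to a small script: rolling the PIV-based public key out to several machines' authorized_keys files (this message) and, from the earlier lost-key discussion, removing the key of a YubiKey that has gone missing while keeping the second key's entry so you stay logged in. The following is an added example and not code from the thread or from Yubico; it assumes the public key lines come from `ssh-keygen -D` pointed at the PKCS#11 library (the `/usr/lib/libykcs11.so` path is an assumption), and the key blobs and labels `piv-yubikey-A` / `piv-yubikey-B` are constructed fakes.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for rolling a PIV/PKCS#11
# public key out to an authorized_keys file idempotently, and for removing
# the key of a lost YubiKey again. In real use the key lines come from
#   ssh-keygen -D /usr/lib/libykcs11.so      # library path is an assumption
# piped into install_pubkeys; the key blobs below are constructed fakes.

SAMPLE_PUBKEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCONSTRUCTEDBLOBONE piv-yubikey-A
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCONSTRUCTEDBLOBTWO piv-yubikey-B'

# install_pubkeys FILE: read "type blob comment" lines from stdin and append
# each one that is not already present (compared on type and blob, so a
# changed comment does not create a duplicate line).
install_pubkeys() {
    file="$1"
    [ -f "$file" ] || : > "$file"
    while read -r ktype kblob kcomment; do
        [ -n "$ktype" ] || continue
        if awk -v t="$ktype" -v b="$kblob" \
               '$1 == t && $2 == b { found = 1 } END { exit !found }' "$file"; then
            continue          # same key already installed
        fi
        printf '%s %s %s\n' "$ktype" "$kblob" "$kcomment" >> "$file"
    done
}

# revoke_pubkey FILE LABEL: drop every key whose comment field is LABEL (the
# label given to the lost key) and keep everything else, including the
# second YubiKey's key, so the owner stays logged in.
revoke_pubkey() {
    file="$1"; label="$2"
    tmp="$file.tmp"
    awk -v label="$label" '$3 != label' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_keys FILE: number of ssh key lines, for checking the result.
count_keys() {
    grep -c -E '^ssh-' "$1" || true
}

# Stand-alone demo: install twice (second run is a no-op), then revoke key A.
demo() {
    d=$(mktemp -d)
    f="$d/authorized_keys"
    printf '%s\n' "$SAMPLE_PUBKEYS" | install_pubkeys "$f"
    printf '%s\n' "$SAMPLE_PUBKEYS" | install_pubkeys "$f"
    echo "after install: $(count_keys "$f") keys"
    revoke_pubkey "$f" piv-yubikey-A
    echo "after revoking piv-yubikey-A: $(count_keys "$f") keys"
    rm -rf "$d"
}
demo
```

Giving each YubiKey's key a distinct comment label is what makes the revocation step a one-liner later; running `install_pubkeys` from a playbook task is safe to repeat because it matches on the key material itself rather than on the label.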
Re: [gentoo-user] Re: yubikeys
If you wish to use your yubikey with web services it will work out of the box. If you wish to use it as a smart card you will need(?) to compile yubico's software. I did all of that and set up my yubikey without much problem (even using my own OTP server), though there were some hiccups with their build system... they managed to screw up cmake in some creative ways.

All of the instructions should work fine once you get the software up. It would just be setting up gnome, etc., to use it. Probably no way to do something unfortunate to the hardware.
[gentoo-user] Re: yubikeys
On Sat, 18 Jul 2015 12:21:39 +0200 Stefan G. Weichinger li...@xunil.at wrote: Does anyone (aside from Diego, as I know from his blog) use Yubico Yubikeys with Gentoo? I am especially interested in getting it to work within Gnome, to authenticate ssh-sessions (using the smartcard feature of the Yubikey NEO). There are X howtos out there ... telling me to add udev-rules, disable gnome-keyring, run keychain ... etc etc

What an amazing coincidence. I just listened to a podcast about an hour ago where the process was explained in detail (even mentioning the NEO model and smartcard in particular). Weird. I'm curious to know if this link actually gives you what you asked for: http://www.jupiterbroadcasting.com/85062/ssh-authentication-with-yubikey-las-373/

You can either watch (or listen to) the podcast, or scroll down the page about one-third to see written instructions. (Instructions based on ubuntu, not gentoo, but I'm sure you can translate :)