MalwareLab on Nostr: #SSH keys with #Yubikey are very convenient and secure way to login. And you can have ...
#SSH keys with #Yubikey are a very convenient and secure way to log in. And you can have as many SSH keys as you want (*) protected with a single Yubikey or other #FIDO2 authenticator.
(*) I mean standard (non-resident) ed25519-sk and ecdsa-sk public/private keys.
There is also an option to generate a resident key, where the credential id file is stored in the Yubikey and not on your computer. But this is kind of the equivalent of storing your credential id file on a USB flash drive and keeping it together with the Yubikey. The resident keys can be extracted from the Yubikey.
And yes, I write credential id file instead of private key, because the generated file with the private key is not the true private key. Instead, it is a kind of seed/key handle, and the true secret is stored in the Yubikey and cannot be extracted.
* Non-resident keys are ideal for systems where #privacy is important if the YubiKey is lost or stolen.
* Resident keys are ideal for ease of access where the FIDO2 PIN is known.
More info: https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
#cryptography #authentication #fido2 #webauthn #2FA #MFA
quoting nevent1q…lqja
How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2) https://www.cyberciti.biz/security/how-to-set-up-ssh-keys-with-yubikey-as-two-factor-authentication-u2f-fido2/ #linux #unix #openssh #freebsd #macos
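To see the post's point that the generated "private key" file holds only a key handle, here is an added example (not part of the original post) that parses an unencrypted ed25519-sk key file and reports what it contains. The field layout follows OpenSSH's PROTOCOL.u2f and the flag bits its sk-api.h; the function names and the sample key built from dummy bytes are assumptions made for illustration, and ecdsa-sk files (which order their fields differently) are not handled.

```python
import base64, struct

MAGIC = b"openssh-key-v1\0"
FLAGS = {0x01: "touch-required", 0x04: "verify-required", 0x20: "resident"}

def _s(b):  # SSH wire "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def build_sample_sk_key(flags=0x01):
    """Constructed sample: an unencrypted ed25519-sk key file made of dummy bytes."""
    kt, pub, app = b"sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:"
    priv = struct.pack(">II", 7, 7) + _s(kt) + _s(pub) + _s(app) + bytes([flags])
    priv += _s(b"\xAA" * 128) + _s(b"") + _s(b"constructed@example")
    priv += bytes(range(1, 1 + (-len(priv)) % 8))  # pad to 8 bytes with 1,2,3...
    blob = (MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1)
            + _s(_s(kt) + _s(pub) + _s(app)) + _s(priv))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob).decode()
            + "-----END OPENSSH PRIVATE KEY-----\n")

class Reader:
    def __init__(self, data): self.d, self.p = data, 0
    def u32(self):
        v = struct.unpack_from(">I", self.d, self.p)[0]; self.p += 4; return v
    def string(self):
        n = self.u32(); v = self.d[self.p:self.p + n]; self.p += n; return v

def parse_sk_private_key(pem):
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    data = base64.b64decode("".join(lines))
    if not data.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    r = Reader(data[len(MAGIC):])
    cipher, _kdf, _kdfopts = r.string(), r.string(), r.string()
    if cipher != b"none":
        raise ValueError("passphrase-protected file; remove the passphrase on a copy first")
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    r.string()                      # public key blob, repeated inside the private section
    p = Reader(r.string())
    if p.u32() != p.u32():
        raise ValueError("check integers differ")
    keytype = p.string().decode()
    if keytype != "sk-ssh-ed25519@openssh.com":
        raise ValueError("not an ed25519-sk key")
    pub, app = p.string(), p.string().decode()
    flags = p.d[p.p]; p.p += 1      # single flags byte
    handle, _reserved = p.string(), p.string()
    return {"type": keytype, "application": app, "public_key_len": len(pub),
            "flags": [name for bit, name in FLAGS.items() if flags & bit],
            "key_handle_len": len(handle)}  # no private scalar field exists in the file
```
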