GitLab 10.0 Released
Posted Sep 25, 2017 11:16 UTC (Mon) by nix (subscriber, #2304)
In reply to: GitLab 10.0 Released by ms
Parent article: GitLab 10.0 Released
Likewise, only I have extra rules:
- two yubikeys, in case I lose one: one at home, hidden, the other on my keyring. The one on my keyring is obviously equivalent to physical access to my house, so I can do things like log in to home servers as root with it. Spare key in wallet, not on keyring, because if your keyring is plugged into a USB port you might well leave it behind by mistake.
- authentication to home systems via OTP, communicating with a home-run yubiserver (it's not that I don't trust the yubicloud, it's just that if my net connection goes down I still want to be able to log in.)
- authentication to systems I run that are *not* home systems via HMAC-SHA1 challenge-response mode, as you do for everything: the benefit of this is principally that you don't need a connection to the auth server; the downside is that it dumps the next expected response in local storage: not to be done where $HOME is on NFS, at least not storing the response in the default place
- other authentication (disk decryption, etc) mostly via challenges to the HMAC-SHA1.
- plus a bit of U2F here and there (very rare in my usage).
I have never managed to get PGP token storage or PIV SSH key storage working. They all break for good the first time you use the key for anything else, and I use it for a *lot*.
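
An added sketch, not part of the comment above and not code from any YubiKey tool: a simplified model of offline HMAC-SHA1 challenge-response login, showing that the verifier needs no auth server but depends entirely on a local state file holding the next challenge and its expected response. All function names are hypothetical, a software HMAC stands in for the hardware token, and the state format (JSON, PBKDF2-hashed response, mode 0600 check) is an assumption.

```python
import hashlib, hmac, json, os, stat

def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the token: HMAC-SHA1 of the challenge under its secret."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()

def hash_response(response: bytes, salt: bytes) -> bytes:
    # Store only a salted hash so the file does not hold the raw response.
    return hashlib.pbkdf2_hmac("sha256", response, salt, 10_000)

def enroll(path: str, ask_token) -> None:
    """Pick a fresh challenge, ask the token, store challenge + hashed answer."""
    challenge, salt = os.urandom(32), os.urandom(16)
    state = {
        "challenge": challenge.hex(),
        "salt": salt.hex(),
        "expected": hash_response(ask_token(challenge), salt).hex(),
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)

def login(path: str, ask_token) -> bool:
    """Verify against the stored state; on success rotate to a new challenge."""
    # Whoever can rewrite this file can choose the challenge and the answer,
    # so refuse a state file that group or others can access at all.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        return False
    with open(path) as f:
        state = json.load(f)
    response = ask_token(bytes.fromhex(state["challenge"]))
    got = hash_response(response, bytes.fromhex(state["salt"]))
    if not hmac.compare_digest(got, bytes.fromhex(state["expected"])):
        return False
    # The token is present now, so obtain the *next* expected response and
    # persist it; each stored challenge is accepted exactly once.
    enroll(path, ask_token)
    return True
```

The permission check only covers local file modes; it says nothing about who can read or alter the file on a network filesystem's server or wire, which is the case the comment cautions about.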