OpenSSH 8.2 released
OpenSSH 8.2 released
Posted Feb 15, 2020 20:13 UTC (Sat) by karkhaz (subscriber, #99844)In reply to: OpenSSH 8.2 released by nix
Parent article: OpenSSH 8.2 released
This gives more resilience against only one of your factors being stolen. Suppose that you have Laptop and Workstation, from which you connect to Server, and Laptop and Workstation each have their own local private key. Server requires two factors. So in Server's authorized_keys file, you would add the public keys of Laptop and Workstation, the token's public key, and a 'backup' token public key (backup token is kept in a safe).
Then, if your laptop gets stolen, you can ssh into Server using Workstation + token and delete the laptop public key from Server's authorized_keys. If you lose the token, you can use the backup token plus your laptop.
Posted Feb 15, 2020 21:04 UTC (Sat)
by nix (subscriber, #2304)
[Link] (3 responses)
My goal is to migrate from that to a scheme that doesn't rely on a YubiKey-specific implementation and that doesn't depend on an authentication server which is, ah... well, almost all of them are fairly dreadful and/or unmaintained other than Joey Hess's (as in "needed local patches to support libykclient 2.15, released in 2015, without which all authentication attempts fail, the upstream maintainer never responded" sort of unmaintained). It's a shame, really -- I like YubiOTP, it's nice and transparent and easy to see that you're getting a different authenticator every time, while FIDO2 is... not like that. (Hm, I suppose I could use *both*, but that seems kind of pointless, since they both prove ownership of the exact same hardware token. So it probably is better to go to a passphrased SSH key to prove knowledge of the passphrase -- i.e., human identity -- with the key on the token, to prove possession of the token. Note that this passphrase is given on the *client* -- AuthenticationMethods is not required at all, since the only method needed is ChallengeResponse.)
... ugh, my YubiKey is too old to support ed25519 keys? But I only bought it a few months ago! Argh. I wish they didn't have non-upgradeable closed-source firmware on those things. Maybe I should migrate to some other key, but I do need HMAC-SHA1 generation as well (for disk encryption passphrases) and most non-YubiKey keys can't do that.
Posted Feb 16, 2020 18:05 UTC (Sun)
by abartlet (subscriber, #3928)
[Link]
But UF2 support seems much neater.
Posted Feb 18, 2020 4:26 UTC (Tue)
by justincormack (subscriber, #70439)
[Link] (1 responses)
Posted Feb 19, 2020 16:34 UTC (Wed)
by nix (subscriber, #2304)
[Link]
OpenSSH 8.2 released
An extension of this is to actually use two factors, i.e. a passphrase-encrypted private key on your laptop together with a token. sshd has an AuthenticationMethods configuration option that can be given two factors to be tried serially.
Yes indeed -- I'm currently using YubiKeys in OTP mode combined with an on-disk OpenSSH ChallengeResponse key to do just this. "AuthenticationMethods publickey,keyboard-interactive" works like a charm.
OpenSSH 8.2 released
OpenSSH 8.2 released
OpenSSH 8.2 released