
Show HN: Yubikey-agent – an easy to use Go ssh-agent for YubiKeys - FiloSottile
https://github.com/FiloSottile/yubikey-agent
======
StavrosK
I have been trying to use Yubikey for SSH over the years, and everything has
been a huge hassle that just didn't work well enough.

Everything, that is, until SSH 8.2 came out. Using a Yubikey (or any other
U2F-compatible key, which is a _lot_ of them) is a breeze: run `ssh-keygen -t
ecdsa-sk -f ~/.ssh/id_ecdsa_sk` to generate a key from your Yubikey and you're
done. You can even use Resident Keys mode (if your key supports it) to avoid
having to carry the private key half around with you; you can load it straight
from the Yubikey with `ssh-add -k`.

This is the only way that lets you walk up to a machine, plug your key in and
SSH to your server securely with just two commands. The downside is that both
sides have to be running SSH 8.2+.

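The "both sides have to be running SSH 8.2+" requirement is the part that bites in practice, so here is a small POSIX shell check, added here and not part of the original thread, that parses an OpenSSH version string (the client's `ssh -V` output or the server's `SSH-2.0-OpenSSH_...` identification banner) and reports whether that side will accept `ecdsa-sk`/`ed25519-sk` keys. The function names, the constructed version strings and the `ssh -v` extraction in the usage comment are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the HN thread): check whether the client and the
# server are both new enough (OpenSSH >= 8.2) for FIDO/U2F *-sk key types.

# Extract "major.minor" from anything that contains "OpenSSH_<major>.<minor>",
# e.g. "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f" (client, `ssh -V`)
# or "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3" (server banner).
# Prints nothing for non-OpenSSH implementations (e.g. dropbear).
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Returns 0 when the version string is OpenSSH 8.2 or newer, 1 otherwise.
# Uses explicit returns so the result does not depend on `set -e` semantics.
supports_sk_keys() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1          # unknown/non-OpenSSH: assume unsupported
    major=${v%.*}
    minor=${v#*.}
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Combined verdict for one client/server pair; prints a one-line summary and
# returns 0 only when both sides support *-sk keys.
check_sk_pair() {
    client="$1"
    server="$2"
    if supports_sk_keys "$client" && supports_sk_keys "$server"; then
        echo "ok: both sides accept ecdsa-sk/ed25519-sk keys"
        return 0
    fi
    echo "unsupported: client=${client} server=${server}"
    return 1
}

# Usage on a real system (not exercised here; the server side is read from
# the "remote software version" debug line that `ssh -v` prints before auth):
#   check_sk_pair "$(ssh -V 2>&1)" \
#     "$(ssh -v -o BatchMode=yes user@host 2>&1 |
#          sed -n 's/.*remote software version //p' | head -n 1)"
```

An older server such as the Ubuntu 18.04 boxes mentioned further down (OpenSSH 7.6) makes `check_sk_pair` fail even when the local client is current, which is exactly the case where the key generated with `ssh-keygen -t ecdsa-sk` will be refused at login.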
~~~
veeti
> The downside is that both sides have to be running SSH 8.2+.

This is the problem. I was really excited for FIDO SSH keys, but LTS server
distributions don't support it so it's going to take years for broad adoption.

~~~
StavrosK
Ubuntu LTS does support it, and it's already out. Servers are set to have the
upgrade offered in a month, IIRC.

~~~
411111111111111
Half of our servers are Ubuntu 14.04, the rest 18.04.

I'll wager that it's not gonna be in either of these releases.

You should specify which LTS you're talking about with a distribution that
releases every 6 months.

~~~
StavrosK
It's in 20.04, the next LTS, which will be an upgrade option for you in a
month.

------
exabrial
Ok so this is neat; while the newest openssh client/server directly supports
u2f keys, this is a badass shim that creates NIST-p256 compatible keys that
are backed by a YubiKey.... man I wish this was a thing about 2-3 years ago!

Personally I've been using gpg-agent for 2 years now without issues. It's
also nice because your ssh key could be signed and be discoverable on public
keyservers (like keybase), but I don't see any cloud providers having that
integration yet.

------
m3nu
I use it with PKCS#11 mode and can't confirm some of the drawbacks the author
mentions under _Alternatives_ :

> The UX of this solution is poor: [...] and needs manual reloading every time
> the YubiKey is unplugged or the machine goes to sleep.

I never have to re-enter the PIN after sleep and can even unplug it for a
while to use the port for HDMI output.

Still good to see some work in this space. Native OpenSSH support would be
best of course.

~~~
DCKing
I can confirm the author's experience with Apple's SSH-agent implementation.
It does not allow you to load Yubikey agent libraries from Homebrew's default
/usr/local, which makes it an inconvenience to set up.

------
jopsen
Hmm, gpg-agent has worked nicely for me.

The biggest pain is that I have to reconfigure when I switch yubikey.

(Yes, I have multiple keys with the same gpg key on each)

~~~
noodlesUK
Doesn’t having the same key on multiple devices kinda ruin some of the point
of the yubikey? What if you wanted to revoke one after you lost it? Also, how
do you store your gpg key? I have a couple yubikeys, but I have different keys
on each of them, and I find that works just fine.

~~~
Boulth
It's not a big problem because tokens lock themselves after 3 tries so even if
someone got your token they'd have to guess it. Having separate subkeys for
each token is nice but works best only with the signature subkey. For
encryption it doesn't work as GnuPG encrypts only to one subkey. The same with
authentication subkey: it doesn't matter if you revoke it because SSH doesn't
understand OpenPGP revocations.

------
abricot
Is it considered good practice to create the key on the yubi and not have a
backup? Or alternatively a master key to sign the key on the yubi so you can
create a new subkey if you lose the yubi?

~~~
m3nu
You have 2 physical Yubikeys and no backup anywhere else.

One way to achieve it is by generating it on a RAM disk and throwing it away,
once it's on both Yubikeys. I blogged about it here
[https://blog.snapdragon.cc/2019/04/27/using-a-yubikey-to-secure-ssh-on-macos/](https://blog.snapdragon.cc/2019/04/27/using-a-yubikey-to-secure-ssh-on-macos/)
(for macOS)

~~~
sebazzz
Windows users might find this useful:
[https://github.com/drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide)

------
xaduha
> The UX of this solution is poor

Not surprising if you ask me, have you installed an applet for it? Do latest
Yubikey even allow installing applets? Why are you using PIV for this?

I was using
[https://github.com/philipWendland/IsoApplet](https://github.com/philipWendland/IsoApplet)
with OpenSC and smartcards since 2016, no issues.

------
urza
You can also use Trezor.io instead of Yubikey for ssh login.
[https://blog.trezor.io/openssh-with-fido2-and-trezor-e565c2277](https://blog.trezor.io/openssh-with-fido2-and-trezor-e565c2277)

Advantage of Trezor is that it has better backup system and can be used for
more things in general.

------
bonzini
Would it be possible (or would patches be accepted) to talk to the GnuPG
scdaemon instead? This would let me use gpg-agent to sign and encrypt.

------
fidelramos
I want to mention a Yubikey alternative that runs on open-source firmware and
software: OnlyKey [1]

It has an onlykey-agent that works as an SSH agent [2]. It doesn't work as a
GPG agent yet though, they are reportedly working on it.

[1] [https://onlykey.io/](https://onlykey.io/)

[2] [https://docs.crp.to/onlykey-agent.html](https://docs.crp.to/onlykey-agent.html)

~~~
danieldk
You may want to read the recent discussion on HN about OnlyKey before using
one:

[https://news.ycombinator.com/item?id=21884184](https://news.ycombinator.com/item?id=21884184)

~~~
fidelramos
Thank you very much for the link, I missed that discussion. I had no idea the
security of OnlyKey was so terrible, in light of this I will stop recommending
it.

~~~
StavrosK
I'm really excited about the next SoloKey coming out soon.

~~~
fidelramos
Thank you for the alternative. Sadly it doesn't support SSH or GPG keys, does
it? That was one of the selling points of the OnlyKey for me (and it being
open source of course).

~~~
jabart
Based on their blog post they are working on supporting PIV / PKCS#11 which
would support SSH Keys and AES operations.

[https://solokeys.com/blogs/news/update-on-our-new-and-upcoming-security-keys](https://solokeys.com/blogs/news/update-on-our-new-and-upcoming-security-keys)

[Edit: removed it to be more specific]

