
Using a Yubikey as a touchless, magic unlock key for Linux - Pneumaticat
https://kliu.io/post/yubico-magic-unlock/
======
ashtonkem
A permanently attached Yubikey is _not_ worse than a password alone, and is
still superior to SMS 2FA. It still requires that an attacker know both your
password and have physical possession of your machine. For the vast majority
of users, this is sufficient protection from the threats that they face. The
chance that someone both knows your password _and_ is close enough to steal
your yubikey is incredibly unlikely.

If you’re the kind of person liable to get personally targeted for nation
state level attacks, then you definitely are going to want to unplug your
yubikey and keep it on your person. For the rest of us, a hardware 2FA token
is enough to protect against a sim swap attack, which is probably enough.

~~~
Legogris
> liable to get personally targeted for nation state level attacks

Groups also potentially at risk:

* Targets for industrial espionage (you might not be interesting but your employer is)

* Those believed to hold larger amounts of cryptocurrency

------
SahAssar
> Yubikeys are great for security, but not when you leave them in your
> computer unattended. At that point, anyone can take the key and use it for
> 2-factor authentication/SSH/GPG signing, so it’s not much better than just
> using a normal password.

Even after the edit at the top regarding PIN it still seems to not get the
main point of a U2F token: It's physical. It's incredibly hard to extract
secrets from it. It's local to where it physically is.

If I have a password then there are probably a couple of services and people
that could reasonably get to it either by hacking the service the password
unlocks (in storage if it's a really insecure service or in transit the next
time I log on), or can extract it from my password manager/memory/browser or
whatever.

The point of a U2F token for me is to change the number of people who can
reasonably authenticate as me from "everyone who has my password" to "everyone
who have a physical key I keep within a reasonable distance from me that is
incredibly hard to copy and has my password". U2F also validates auth origins
quite a lot better than many other methods, although I guess that is not
relevant to this argument.

A hardware U2F token is not the end-all be-all security, but it reduces
potential attackers a lot.

~~~
tialaramex
In this context it's probably better to think about them as FIDO/CTAP tokens
rather than as U2F (which is obsoleted by WebAuthn and focused on the Web) or,
as the author does, just narrow it explicitly to Yubikeys and not the wider
menagerie of similar products. Yubico's own Security Key implements FIDO2 (and
so could also be used for U2F) but won't work for the author's approach.

Anyway, the main thing I wanted to mention is that the use of public key
encryption means this is quite different from the device having "my password".
Even in the on-device ("resident credential") scenarios the authenticator
doesn't have a _password_ which is a shared secret, it actually has a private
key which it won't divulge - much better.

Implementation errors by a web site can leak your password, which because it's
a shared secret can then be used by adversaries to log in. It's _impossible_
to be sure a site didn't get this wrong, even if you're confident they are
competent and well meaning.

In contrast the WebAuthn (and U2F) design doesn't give sites enough
information to impersonate you even if they wanted to, only to authenticate
you. This is a familiar pattern from public key cryptography, receiving the
certificate for news.ycombinator.com allows me to verify this _is_
news.ycombinator.com but not impersonate them. Likewise, when you enroll a
FIDO authenticator to use Facebook, Facebook doesn't learn how to impersonate
you, even on Facebook, only a way to verify that you still have that
authenticator. [And the design is even more careful, it uses completely
independent credentials for each site, so when Microsoft bought GitHub they
actually _could not_ merge the FIDO-based authentication between GitHub and
Microsoft properties, even if they thought that was a good idea it's
deliberately impossible. ]
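
The design described in the comment above, as an added illustration that is not part of the thread: a simplified model (not the real CTAP/WebAuthn message format) in which each site stores only a public key and the token keeps a separate private key per site. The class names, the `.example` sites and the user name are constructed for this sketch.

```javascript
// Added illustration: simplified model of FIDO-style enrollment and login.
// Not the real CTAP/WebAuthn wire format; class and site names are made up.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

// What gets signed: hash of the site identity plus the site's fresh challenge.
const signedData = (rpId, challenge) =>
  Buffer.concat([createHash('sha256').update(rpId).digest(), challenge]);

class Authenticator {
  constructor() { this.privateKeys = new Map(); } // site -> key, never exported
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKeys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'der' }); // all the site learns
  }
  assert(rpId, challenge) {
    const key = this.privateKeys.get(rpId);
    return key ? sign('sha256', signedData(rpId, challenge), key) : null;
  }
}

class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, spkiDer) { this.publicKeys.set(user, spkiDer); }
  newChallenge(user) { const c = randomBytes(32); this.pending.set(user, c); return c; }
  verifyAssertion(user, signature) {
    const challenge = this.pending.get(user);
    const spki = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is single use
    if (!challenge || !spki || !signature) return false;
    const key = { key: spki, format: 'der', type: 'spki' };
    return verify('sha256', signedData(this.rpId, challenge), key, signature);
  }
}

function demo() {
  const token = new Authenticator();
  const siteA = new RelyingParty('site-a.example');
  const siteB = new RelyingParty('site-b.example');
  siteA.enroll('alice', token.register(siteA.rpId));
  siteB.enroll('alice', token.register(siteB.rpId));

  const login = siteA.verifyAssertion('alice', token.assert(siteA.rpId, siteA.newChallenge('alice')));
  // A signature captured from one login is useless against the next challenge.
  const captured = token.assert(siteA.rpId, siteA.newChallenge('alice'));
  siteA.newChallenge('alice');
  const replay = siteA.verifyAssertion('alice', captured);
  // Site A relays site B's challenge: the site A credential does not verify at B.
  const crossSite = siteB.verifyAssertion('alice', token.assert(siteA.rpId, siteB.newChallenge('alice')));
  // The two sites hold different public keys, so they cannot correlate or merge them.
  const independent = !siteA.publicKeys.get('alice').equals(siteB.publicKeys.get('alice'));
  return { login, replay, crossSite, independent };
}
console.log(demo());
```

Everything a site stores here is the SPKI public key, so a dump of its database yields nothing that can produce a valid assertion, unlike a stored or intercepted password.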

~~~
SahAssar
Is any of that a contradiction of what I said or are you providing context?

~~~
tialaramex
On re-examination of what you wrote I think I misinterpreted this sentence:

"everyone who have a physical key I keep within a reasonable distance from me
that is incredibly hard to copy and has my password"

I took (hard to copy and has my password) to be properties you were giving the
physical key, but in fact I see the correct interpretation was that "and has
my password" is an adjunct to the properties of this hypothetical attacker who
now needs to steal the key.

~~~
SahAssar
Yeah, I meant "(has the key) and (has my password)", not "has my key which has
my password". The reply makes a lot more sense now, thanks for the
clarification! I'll try to be more unambiguous.

------
rossjudson
Seems like a bad idea. Requiring a touch means it's much harder to trigger the
key through software alone -- or maybe impossible. So someone has to actually
be present at the machine. This is particularly important when, for whatever
reason, the machine you can actually put your hands on is actually a gateway
to _other_ machines. You can ssh tunnel all you want, but somebody still has
to physically touch the key for it to authenticate. Naturally, that only works
if you authenticate at _each_ level, and if you do not trust other levels.

The way we use them at Google, the keys are associated to particular machines
_and_ human accounts. You can't just remove a key from one machine and stick
it into something else. It is the combination of the machine and the key that
is enabled. A key can be deregistered/wiped, and assigned to a different
machine...but you need to be properly logged in to make that happen. In the
context of a corporation that is relatively straightforward, but perhaps for
personal use it is less so. Actually, without the right infrastructure in
place, it's quite likely to be a lot more complicated.

------
luizfelberti
This is really cool, but I still feel betrayed cause when I read "touchless"
and "contactless" I thought this was gonna use NFC

~~~
aborsy
Which NFC? Almost no laptop has an NFC reader. I am not sure if the situation is
different with PCs.

~~~
pqb
Personally, I only know Dell Precision 7740 to have built-in NFC. I guess
tablet-like / 2-in-1 laptops might also have it.

Edit: Lenovo Yoga, Lenovo X1 Carbon have NFC too.

Edit 2: Dell Precision 7750 also offers it.

Edit 3: Models with pre-installed NFC module are very scarce, this site [0]
lists only 204 occurrences among 7136.

[0]:
[https://geizhals.eu/?cat=nb&xf=3710_NFC](https://geizhals.eu/?cat=nb&xf=3710_NFC)

------
flurdy
Some time ago there was a similar tool that locked the computer via bluetooth if
you walked away from the desk with your phone. It didn't unlock it which is
fine, but it seems a better way to lock a computer if you forget rather than a
timed screensaver after x minutes which leaves the computer vulnerable until
then. (Mostly just from colleagues changing your wallpaper, or autocorrect...)

~~~
jpalomaki
Windows 10 has this feature [1]. Would be more useful if you could tune the
required signal strength.

[1] https://support.microsoft.com/en-us/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from

------
GekkePrutser
Sounds good, but I'd really want to use a PIN with that. Otherwise anyone can
take my key and walk up to the computer and unlock it.

I wonder if there is something like pam_piv? I use PIV already for Mac &
Windows... Suppose I should look for it myself :)

~~~
aborsy
You need a PIN for GPG. Note that that would protect only the GPG keys.

Don’t forget to set a password also for the YubiKey Authenticator app.
Otherwise I believe anyone who has your key would see the websites with which
you have Fido U2F and use it.

~~~
tialaramex
> Don’t forget to set a password also for the YubiKey Authenticator app.
> Otherwise I believe anyone who has your key would see the websites with
> which you have Fido U2F and use it.

From what I can see YubiKey Authenticator is a TOTP authenticator. So that's
completely orthogonal to U2F (and less safe, although more familiar to users
who have things like Google Authenticator)

With U2F non-resident credentials don't leave any trace. If somebody has
stolen a working authenticator they'd need to guess sites at which its
non-resident credentials would be valid and then try it.

------
kayodelycaon
I think the concept is really cool and it’s awesome that Linux makes it
relatively easy to play around with authentication methods. I love this kind
of stuff.

But I’m also a pragmatist. While I run Linux everywhere I reasonably can, my
daily driver is macOS and I can’t help but wonder if a fingerprint reader
would be a better solution.

On my Mac, the fingerprint reader can unlock the system immediately and works
across the operating system for root access, including sudo. (There’s a pam
module.)

Locking can be done OS-wide using a keystroke (Cmd+Ctrl+Q), touchbar button,
or by closing the lid.

Windows has had similar capabilities far longer than macOS.

~~~
deadbunny
As a daily user of Linux for the best part of a decade I'm curious where Linux
falls short for you?

~~~
kayodelycaon
The major one is deep integration of applications with the OS. One example is
any keyboard shortcut in any application can be remapped at the OS level.
Dictation and services available almost everywhere text can be entered. Any
text in almost any dialogue is selectable. Application dialogs like open and
print are standardized. The print dialog is incredibly rich with
functionality, in every application. This extends to integration with iOS
devices and system hardware.

The stock OS is ready out of the box with a full suite of integrated
applications. While there are better versions of all of them, most are high
quality. Though, I haven’t found a PDF reader better than Preview and Apple
Notes is very hard to beat as a general note taking tool.

The base OS has color syncing. I was able to hook up a professional grade
printer, have the OS automatically install the drivers, and produce color
accurate prints using Preview. The system print dialog allowed me to fully
configure the printer. No specialized tools required. There’s even an iOS app
that can do the same thing in a more limited fashion.

Never had a driver issue or had to modify a configuration file to get hardware
to work properly. (Have done GUI tweaks via defaults.)

When it comes to specialized applications, there are a lot of excellent
applications written specifically for macOS. Some come with iOS apps.
(1Password is high on my list.)

Due to the industries I work in, Microsoft Office is a hard requirement. Libre
Office is not an option.

Time machine has no equal when it comes to backups and restoring to new
hardware. I haven’t done a clean install since 2008. In two hours I can
completely clone my current machine.

This is just a few of the many reasons I use macOS. Frankly, they are more
important to me than openness of platform or deep control of my devices.

That does not mean I don’t appreciate Linux. I love Linux. There is nothing
better for servers than Linux. I have older laptops loaded with Linux but they
are a hobby for me.

Linux fills a very important place in the world. Frankly, the world needs open
operating system and people who enjoy using it. But I have neither the time,
expertise, or inclination to do so on my primary machine.

~~~
deadbunny
Don't worry, I'm not one of the zealots that'll try and convince you that Linux
has a suitable replacement for something then recommend something that doesn't
match up (see your MS Office vs. Libre Office for example). Just genuinely
interested to know where Linux is lacking for some people (and thus something
I might be missing). While I'm definitely an open source advocate I too am a
pragmatist and will happily use closed source software and _gasp_ pay for
software when the open source alternatives are lacking.

Personally none of your use cases have even crossed my mind, I can count the
number of things I've printed in the last decade on 10 years. I can definitely
see the benefit of having tight coupling between accessories/phone apps
though.

~~~
mindfulhack
I'm _trying_ to move my daily driver from macOS to Linux.

(Why? Privacy, more control over how technology interacts with me, and because
at a really deep level, I know this is the expression of my authentic self. I
don't like to 'blindly accept' things from others without questioning it, and
I like to create. I also love to learn. All this is balanced with the desire
to just sit back and enjoy a smooth experience like anyone else, half the
time.)

I'm slowly researching and trying out open-source alternatives to my daily
must-have apps like Notes.app, which is a great example of, so far, why this
is so challenging. But I'm trying to adjust and see what can be good enough.
(Web apps is not an acceptable solution, due to basic privacy expectations.)

It's reasonable to expect I have to adjust my methods somewhat, but I do need
such alternative workflows to be as feature-filled and performant as what I
currently use.

Like most, work requirements like Office (and Acrobat) are my greatest
challenge. Perhaps macOS on KVM for near-native performance with Office +
Adobe for Mac in it will be good enough?

~~~
deadbunny
Personally I use NextCloud for things like Notes[1], while it is a web app it
is self hosted. Obviously this means you then need to run NextCloud yourself
which is an entirely different problem.

~~~
mindfulhack
Thanks for that, I'll check it out! Not afraid to self-host my entire cloud,
makes sense.

------
Pneumaticat
Thanks everyone for the feedback on Yubikeys being stolen! I've tried to
summarize it all in a footnote, and downgraded the severity of my original
starting paragraph. Thanks for reading!

------
ComodoHacker
The main drawback of this method if used daily would be broken USB ports.

~~~
Xylakant
I’ve been using yubikeys for at least the last 2-3 years for all ssh/gpg
operations and I have my key on my actual keychain so there’s extra weight on
it and sometimes the key sits at a bit of an angle. Still, I have yet to break
a single USB port on my ThinkPad. I’m a bit worried about USB-C though.

~~~
dpifke
Speaking from experience: the USB-C Yubikey will snap right off, without
damaging the port (at least, on a ThinkPad X1).

------
trishankdatadog
BTW, here is a handy way to quickly generate GPG keys (and set up git commit
signing and SSH key derivation) on Yubikey:
[https://github.com/DataDog/yubikey](https://github.com/DataDog/yubikey)

~~~
StavrosK
If you only want to do SSH, that way is a huge hassle, way too much to do on
machines you don't own/are using casually. If you can use newer SSH versions,
they support FIDO2 natively:

https://www.stavros.io/posts/u2f-fido2-with-ssh/

~~~
Legogris
I don't think many people use GPG keys for SSH only (:

------
new_realist
So anyone can take my Yubikey and use it to gain access to my computer without
so much as a PIN? Is that a good idea?

~~~
saghm
To be fair, that's also how cars and houses tend to work

~~~
new_realist
I prefer progress in the forward direction.

------
exabrial
PIV certificates are kinda meant for this

------
gigatexal
I wonder if this would work for Active Directory logins which my AD connected
Linux laptop does

~~~
Wohlf
I believe the Yubikey will function as a smart card for AD authentication.

------
traceroute66
I stopped reading at the first paragraph: "At that point, anyone can take the
key and use it for 2-factor authentication/SSH/GPG signing, so it’s not much
better than just using a normal password.".

If the author hasn't figured out you can assign a PIN to the keys you store on
the Yubi, then I don't see why I should waste my time reading their rambling
blog post.

Good luck taking my Yubikey and trying to SSH to my kit. Won't do you much
good without the PIN that is in my head. ;)

P.S. You can also configure the Yubi to lock and mandate a PUK after too many
wrong PINs.

~~~
quadrifoliate
> If the author hasn't figured out you can assign a PIN to the keys you store
> on the Yubi, then I don't see why I should waste my time reading their
> rambling blog post.

Try being a little nicer. If you feel that the blog post is a waste of your
time, here's a revolutionary idea – don't say anything? There are 29 other
posts on the front page, maybe one of those other ones will be worth your
time.

As it is, the UX of the poster's solution is totally different from yours; it
enables a one-time, contactless authentication during login. Yours requires a
ton of manual input every time the Yubikey is used for SSH. There is some
difference in the security models here, but the author's solution is broadly
different from yours, and to me, much more convenient (I use a Yubikey with a
PIN for work and it's kind of a pain).

~~~
andreilys
I’m someone that often reads the comments before reading the article, so it’s
helpful to know what people think is blog spam and what is actually worth
reading.

~~~
wrkronmiller
Seconded. I think one of Hackernews’ biggest value-adds versus say Oreilly is
the eagerness with which the commenters on this site will rip apart bad
ideas/articles.

~~~
war1025
I agree, but also you can be critical without being an asshat.

It's better to comment from a perspective of "I bet you didn't know this" than
"Ha, you're an idiot"

------
brian_herman__
This is a great idea!

------
TwoNineFive
Hey author, why did you use the words "touchless" and "contactless" when it's
not true and not even relevant to the technology being used?

There's something strange going on here, like this article was written by AI
or something. It's using words out of context, or just making
plainly/obviously false statements.

