Hacker News new | past | comments | ask | show | jobs | submit login

Be aware literally nothing supports this unless it's your own kernel.

Gitlab? No. Github? No. My gateway with a hand built gentoo kernel? Yes.

It seems functional, but you've also got to be aware that `ed25519-sk` and `ecdsa-sk` have sort of spotty support in the devices too. `ed25519-sk` does not work on a Yubikey <5, for example.




> Be aware literally nothing supports this unless it's your own kernel.

Ubuntu 20.04 and later supports this, and, since that's LTS, it means that quite a few servers and machines will be supporting it already.

Github/Gitlab aren't supporting it yet, but given how great it is for security, I think they have a big incentive to speed up support.

> ed25519-ek does not work on a Yubikey <5, for example.

That's no problem, since you can just generate an ECDSA key instead, but yes, not all keys have hardware support for all algorithms.


Debian 11 too, out of the box. It took a bit of work to use a newer openssh-client on my Ubuntu 18.04 laptop, but that was manageable.


Not exactly true. Ubuntu 20.04 supports this out of the box and lots of VMs therefore also do.


Not only that, but there's billions of devices out there that don't support it.

I can SSH to my AP, my home router, all routers at basically any ISP. None of those support this. Most of them probably never will, until they're thrown away and new ones bought in 5-10 years.

Bottom line: This can't be your only key. So why bother? Why not use PIV mode/smartcard/other, which does work with every single one of these billions of devices, because they have no server-side requirements like these.


Here is another tradeoff. Many PIV smartcards (such as YubiKey 4, if I'm not mistaken) are able to store only a single private key. With U2F (ecdsa-sk), the number of SSH keys is unlimited.

Another tradeoff. Some users may be using a cheap or old token (without PIV support) or a token with a private key slot already used for something else. Now, with a software-only upgrade (on both SSH client and server), they can user their existing token for SSH authentication.


Ah yes, that's a good point. It is not great that you leak your identity by using pubkey (ssh whoami.filippo.io).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: