yubikey | GPG is useful for authenticating yourself over SSH and / | Encryption library
kandi X-RAY | yubikey Summary
GPG is useful for authenticating yourself over SSH and / or GPG-signing your git commits / tags. However, without hardware like the YubiKey, you would typically keep your GPG private subkeys in "plain view" on your machine, even if encrypted. That is, attackers who personally target you [1, 2, 3, 4] and compromise your machine can exfiltrate your (encrypted) private key and your passphrase in order to impersonate you. Instead, this setup lets you store your private subkeys on your YubiKey. Actually, it gives you much stronger guarantees: you cannot authenticate over SSH and / or sign GPG commits / tags without (1) your YubiKey plugged in and operational, (2) your YubiKey PIN, and (3) touching your YubiKey. So, even if there is malware trying to get you to sign, encrypt, or authenticate something, you would almost certainly notice, because your YubiKey will flash, asking for your attention. (There is a "time of check to time of use" issue, but that is out of our scope.)
Community Discussions
Trending Discussions on yubikey
QUESTION
I can use gcloud cloud-shell ssh to login to Google Cloud Shell. This, on first use, creates a ~/.ssh/google_compute_engine (+ .pub).
But I already have existing SSH private key/s, and would much prefer to use those, specifically ed25519-sk and id_ecdsa_sk ones backed by a physical YubiKey security key. The gcloud cloud-shell ssh documentation mentions a --ssh-key-file flag, but it does not appear to work, and prints an "ignored explicit argument" error message that is not particularly helpful:
ANSWER
Answered 2022-Jan-26 at 10:47
This behaviour seems to be a bug in the code of the SDK.
In the file /lib/googlecloudsdk/command_lib/cloud_shell/util.py we can see how the --ssh-key-file argument is parsed:
QUESTION
I'm trying to store an AWS access secret key in a YubiKey, but as a static password in "scan mode" it is not possible to store, because the AWS secret exceeds 38 characters.
Now I'm thinking of a way to store the AWS secret, as in the "official" way they do with SSH --> https://gist.github.com/artizirk/d09ce3570021b0f65469cb450bee5e29 , but no luck for now (and I have very few expectations for this "path").
Maybe someone has any suggestions?
ANSWER
Answered 2022-Jan-25 at 12:47
It is impossible; we moved on to AWS SSO.
QUESTION
I am currently working my way into libfido2 and trying to figure out how to use wrapped private keys with it.
Yubico says in the FAQs that with YubiKey 5 unlimited key pairs can be used for FIDO U2F; however, for FIDO2 only space for 25 resident keys is promised.
Does "FIDO2" mean that resident keys are used and that FIDO2 cannot be used with (external) wrapped private keys?
If this is the case, does libfido2 offer any possibility to work with FIDO U2F and wrapped keys instead?
If so, how does libfido2 need to be configured to do this? How can I provide the library with the appropriate protected private key? At least in "fido2-assert" I don't see a way to do this when I want to create an assertion on the client.
(The function accepts four specific parameters (described here), and the only one that I understand could carry the private key is the "credential id". But the name makes me doubt whether my request is possible with this parameter.)
I am grateful for any answer!
EDIT: In the meantime I found this link to some Solo Keys developer pages describing how it works on Solo Keys. It seems the private key is calculated on the fly; in this case the credential id would work as the seed for the calculation.
ANSWER
Answered 2022-Jan-23 at 18:00
FIDO2 encompasses both WebAuthn (browser API) and CTAP2 (USB/Bluetooth/NFC APIs for externally connected authenticators). CTAP2 supports both client-side and server-side credentials, and specifies how backwards compatibility with U2F/CTAP1 authenticators works. Since you're working with libfido2, the CTAP documentation might be useful to understand what it does under the hood.
Client-side discoverable credentials (previously known as resident keys) are used for usernameless flows where no Credential IDs are specified during authentication. These keys are generated randomly and require storage space. Server-side credentials (non-resident keys) are represented as Credential IDs. What type of key is created is requested during the registration process but both FIDO2 standards default to server-side credentials if not specified. U2F only supported server-side credentials.
For external authenticators with limited storage space, server-side credentials are typically wrapped private keys encrypted by a single 'master' key stored in the authenticator. Since the entire state is stored outside of the authenticator, this allows for practically infinite keys to be generated even with limited storage space. But it does mean that the Credential ID generated during registration must be stored on the server, and in order to generate an assertion it must be offered back to the authenticator later for authentication. In WebAuthn these Credential ID(s) are typically presented after the user is identified (e.g. via username and password) in the allowCredentials argument; CTAP2 calls this allowList.
With the terminology now (hopefully) clarified: yes, libfido2 supports both types of credentials according to the assert example:
Asks for a FIDO2 assertion corresponding to [cred_id], which may be omitted for resident keys. The obtained assertion is verified using .
QUESTION
I recently purchased a YubiKey for two-factor authentication, but I don't know how to connect it to GitHub.
Can anyone help me?
ANSWER
Answered 2022-Jan-19 at 15:48
- Sign in to your GitHub account.
- Click your profile picture in the top right of the screen.
- Select Settings.
- In the left panel, select Security.
- Click Enable two-factor authentication.
- Choose the method by which you want to receive one-time passwords: Set up by using an app or Set up using SMS.

- Sign in to your GitHub account.
- Click your profile picture in the top right of the screen.
- Select Settings.
- In the left panel, select Security.
- To the right of "Security keys", click Add.
- Insert your YubiKey into a USB port.
- In the Security keys section, click Register new device.
- Type a nickname for your YubiKey, then click Add.
- Wait for your YubiKey to begin flashing, then tap the gold button or edge.
For more information: https://yubikey.com.ua/en/using-yubikey-with-github/
QUESTION
I understand that WebauthN is designed to perform authentication, but I'd like to use my Yubikey to create symmetric encryption keys to encrypt content on my web browser without relying on a backend server.
Here's my approach:
- During the assertion challenge (navigator.credentials.get({ publicKey })) the Yubikey signs a challenge string that the client sends to the authenticator.
- I extract the signed challenge, hash it with SHA256 and use it as my new symmetric encryption key for AES256 encryption.
- As long as the same challenge string is sent to the Yubikey, the encryption key will always be the same.
In order to be able to decrypt the content on the web browser, I would have to be in possession of the Yubikey and the challenge string, for 2-factor authentication.
Is there anything wrong with this approach?
ANSWER
Answered 2021-Nov-27 at 09:51
Why don't you use the Web Crypto API?
This API is designed for cipher operations on the client side and is suitable for your use case (client-side encryption). It is supported by all recent browsers.
Note that the main concern you may have is that this API does not support hardware devices (smartcards, security tokens...).
However, your Yubikey is certainly capable of generating a secure static password you can use as a master key, which you will derive to encrypt/decrypt your data.
QUESTION
With the imminent demise of the u2f api, I'm trying to move to WebAuthn APIs using the AppId extension to support security keys previously registered with U2F. As best I can tell from reading the docs I think I am doing it correctly; however, when attempting to authenticate I am prompted by my browser to tap my key, and my key is blinking, but upon tapping it I get the error "You're using a security key that's not registered with this website". In comparing with the existing u2f authentication request, I'm using the same appid and key handle.
Example U2F sign request:
ANSWER
Answered 2021-Nov-16 at 17:53
Everything about the options you pass to navigator.credentials.get() looks correct, including how you're specifying the "appid" extension. I believe the issue is that you're double-encoding your U2F credential's credential ID. Try passing the original "keyHandle" in the options instead (you can use it as-is because it's already compatible with base64url encoding):
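The fix the answer suggests, as an added JavaScript example (not code from the question or answer): decode the stored U2F keyHandle from base64url into the bytes allowCredentials expects, build the navigator.credentials.get() options with the "appid" extension, and flag a handle that has been base64url-encoded twice. Function names and the constructed handle used in the check are assumptions.

```javascript
// Turning a stored U2F keyHandle (base64url text) into the raw bytes that
// allowCredentials[].id expects, plus a check for the double-encoding mistake.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// A keyHandle that was base64url-encoded twice decodes to ASCII that is itself
// valid base64url text; a genuine U2F key handle is random bytes and is not.
function looksDoubleEncoded(keyHandle) {
  const inner = new TextDecoder().decode(base64urlToBytes(keyHandle));
  return inner.length >= 32 && /^[A-Za-z0-9_-]+$/.test(inner);
}

// Options for navigator.credentials.get(): the U2F AppID the key was registered
// under goes in the "appid" extension, the decoded key handle in allowCredentials.
function buildGetOptions(appId, keyHandle, challengeBytes) {
  if (looksDoubleEncoded(keyHandle)) throw new Error('keyHandle appears to be base64url-encoded twice');
  return {
    publicKey: {
      challenge: challengeBytes,
      allowCredentials: [{ type: 'public-key', id: base64urlToBytes(keyHandle) }],
      extensions: { appid: appId },
      userVerification: 'discouraged',
    },
  };
}
```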
QUESTION
$ cat test.sh
#! /bin/bash
run="/Applications/YubiKey\ Manager.app/Contents/MacOS/ykman openpgp"
$run info
$ ./test.sh
./test.sh: line 5: /Applications/YubiKey\: No such file or directory
ANSWER
Answered 2021-Aug-31 at 16:14
You need the quotes or the backslash, not both.
QUESTION
I am using a PIV on a Yubikey loaded with trusted certificates to do mutual TLS with a server. I am using this golang pkcs11 library, which is a wrapper over opensc-pkcs11.so.
I am implementing a signer interface using the yubikey so that it can be used as a private key with go's crypto/tls library.
My signer function looks like this (I have added data in the error for debugging):
ANSWER
Answered 2021-Aug-04 at 18:52
The key loaded into the slot was an RSA key, not an EC key, meaning that doing ECDSA failed.
QUESTION
After buying a Yubikey 5 NFC for technical interest (firmware 5.2.7) and setting up FIDO2 authentication where possible, I ran into the problem that I could no longer connect to my GitLab server via SmartGit, because the second factor is not requested and therefore I can't connect to the server.
I then decided to deal with it on Windows 10 via Git Bash and SSH. Unfortunately, the documentation here assumes a lot of prior knowledge and I am an absolute beginner on the subject. In the meantime I managed to connect to the server with Git Bash and SSH using a locally generated SSH certificate.
Now I would like to use the Yubikey instead of the certificate stored locally on the computer. Unfortunately, all instructions (e.g. this one https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key) lead to the same error message for me:
ANSWER
Answered 2021-May-23 at 07:03
So: it is true that Security keys are now supported for SSH Git operations, as announced early this month (May 2021) on GitHub, but, as discussed here, there are still issues.
Your error message looks like a bug in progress on Debian: "issue 980393: /usr/bin/ssh-keygen -t ecdsa-sk fails with "Key enrollment failed: invalid format"". And it is still being reported this month.
If this fails also with -t ecdsa, try using a plugin for OpenSSH to connect to FIDO/U2F security keys through native Windows Hello APIs; it might help.
Type export SSH_SK_HELPER=/usr/lib/ssh/ssh-sk-helper.exe first, as seen in tavrez/openssh-sk-winhello issue 1.
Check that your OpenSSH version is at least 8.2. It is on my side with the latest Git for Windows:
QUESTION
I am using openconnect --protocol=gp vpn.mysite.com and it says it's connecting, but it is waiting for the SAML authentication. The command and authentication work on my Debian machine: it prompts for a username and password. But trying on my other Linux machine, it does not seem to want to prompt for authentication. This is the output:
ANSWER
Answered 2021-May-09 at 01:15
Solved by adding --usergroup=gateway to the command, so the total command that works is
Community Discussions, Code Snippets contain sources that include Stack Exchange Network