krypton-ios
secretive
krypton-ios | secretive | |
---|---|---|
10 | 23 | |
339 | 6,875 | |
- | - | |
0.0 | 7.4 | |
6 months ago | 7 days ago | |
Swift | Swift | |
GNU General Public License v3.0 or later | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
krypton-ios
-
Akamai MFA for SSH Logins
I used this when it was still Krypton [0], it worked very well, it just gives you a "Want to log in?" notification on your phone, but for almost anything imaginable (inc SSH). I don't see it used much though.
[0] https://krypt.co/
-
Using your SIM card for MFA when logging in to an SSH server
Using your SIM card for MFA when logging in to an SSH server (through paid API requests to a third party)
There are ways to use your phone's secure storage capabilities for key storage. I've dabbled with using Krypt.co [1] for this, though that's sadly been deprecated and will at some point be replaced by a paid-for cloud service from Akamai. I'm sure there are other options available as well.
A far superior method for SSH security would be a physical U2F key or even a smart card. It's also possible to set up TOTP as a second factor ([2], works with any TOTP solution, not just Google Authenticator). I don't see a need for this paid-for third party service unless you're already using their services for some kind of verification mechanism.
[1]: https://krypt.co/
[2]: https://github.com/google/google-authenticator-libpam
-
Ask HN: How to emulate 2FA hardware in software?
Krypton (https://krypt.co), now owned by Akamai (https://akamai.com/mfa) who removed one of the best features, IMO (SSH key on a phone...) does this to an extent... Akamai says it's FIDO2... have not used it in a while... It is free though until Akamai decides not to give it away...
-
Apple/Google/Microsoft to accelerate rollout of passwordless sign‑in standard
Here's the announcement on the website of the FIDO alliance: https://fidoalliance.org/apple-google-and-microsoft-commit-t...
I hope this cross device system will be cross platform, but I wouldn't be surprised if you could only choose between macOS/iOS, Chrome/Chrome, or Edge/Edge sync.
Funnily enough, a system for signing web authentication requests from a mobile device is far from new: I've been using https://krypt.co/ for years (though it's on the long road of sunsetting right now) and I hope that will last long enough for the new cross device standard to replace it.
-
Real Problems That Web3 Solves, Part 1
> For the purpose of login in with a private key, i would prefer some browser extension (or built in the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.
What about https://www.yubico.com/products/yubikey-5-overview/ or https://cloud.google.com/titan-security-key/ or https://krypt.co/ (before it was acquired, I still use it though) or any of it's equivalents?
-
Passwordless SSH on Raspberry Pi
NOTE: Sometimes, if you are using a key-manager like Krypt.co you will not have the typical .pub file to copy, in which case using ssh-copy-id -f option will force it to copy anything close to a public key and this works for me.
-
Good alternatives to Krypt.co's Krypton MFA?
Krypton is a great little multi-factor authentication tool that stores your SSH and U2F keys on your phone and provides an SSH agent and a browser extension that send approval requests to your phone when those keys are invoked. Ie., you ssh into your server and a notification pops up on your phone asking you if it's okay. It also handily GPG-signs your Git commits.
-
Show HN: Authenticator by 2Stable – The missing Authenticator app
Here's the URL, since finding it via search is hard: https://krypt.co/
-
Authenticator App That Opens With U2f Alternative
check this https://krypt.co/
-
That's not how 2FA works
Trusting your HSM vendor is a requirement if you don't want your keys to be exportable, and there's much less risk in doing so compared to trusting Apple for other things like secure communications (iMessage is e2ee but doesn't tell you when your peer changes/adds keys and backups to iCloud by default).
Also, a lot of people who use Krypton don't know that SSH keys actually don't use the secure enclave because it doesn't support rsa or ed25519: https://github.com/kryptco/krypton-ios/issues/73#issuecommen...
secretive
-
GitHub Passkeys are generally available
Secretive might be what you're looking for: https://github.com/maxgoedjen/secretive
-
Zero Effort Private Key Compromise: Abusing SSH-Agent for Lateral Movement
Good find! I was always curious how this worked.
I'm a big fan of tools like secretive[1] that can help solve this problem by using biometrics to shift the UX/security trade-off and thus make it feasible to always require some kind of authentication to sign a token with a key.
I'm not aware of any tools that do the same for Linux, and a quick Google search doesn't turn up much[2]. It does look like you can at least get a notification[3], though.
This could provide another layer of protection on the user's endpoint device in addition the network monitoring called out in the article. Defense in depth, and all that.
[1] https://github.com/maxgoedjen/secretive
[2] https://unix.stackexchange.com/questions/705144/unlock-an-ss...
[3] https://www.insecure.ws/2013/09/25/ssh-agent-notification.ht...
-
Tell HN: 1Password 8.10.8 update corrupted data
https://github.com/maxgoedjen/secretive
> Secretive is an app for storing and managing SSH keys in the Secure Enclave
-
Software Developer Mac Apps
Secretive, which replaces painfully managing SSH keys from the command line / editor. Getting a Touch ID prompt is so much better, though migrating computers will suck.
-
SSH keys setup, use, and proper OpSec
consider using a higher-security setup. Secretive is an SSH agent for MacOS that stores keys within the host's secure enclave, where they can't be copied off, and can optionally require touchid validation before the key is used. This way, if you forward it the key to an compromised host and an attacker tries to use them, it'll still require a fingerprint (but, balance it with the fact that Secretive doesn't have nearly as many eyeballs checking it, yet!). Likewise, yubikeys can be setup to store SSH keys inside them and require touch to use.
- Secretive: Store SSH Keys in the Secure Enclave
-
Russhian Roulette: 1/6 chance of posting your SSH private key on pastebin
You can store them in the Secure Enclave on OSX and require TouchID to use the key for signing.
See: https://github.com/maxgoedjen/secretive
-
Use TouchID to Authenticate Sudo on macOS
Not exactly connected but the same crowd interested in this topic may also be interested in this tool to store SSH private keys in the Secure Enclave, kind of like what can be done with a YubiKey:
https://github.com/maxgoedjen/secretive
I've been looking for something like this for 3-4 years but only found it six months ago (in an HN thread). I use separate keys for every use case, and now know every time a key is used for any purpose, whether it's connecting to source control or my text editor is connecting to a remote VM.
Only thing I haven't figured out is how to do git signatures with these sorts of keys, but I haven't debugged it at all.
-
A sane SSH(1) key management example
On Macs, Secretive [0] is great. It creates keys in the secret enclave, from where they can't be read, only used for signing requests. TouchID authorisation is optional but it's so quick and easy that I keep it on for all keys.
It can also use Smart Cards (Yubikeys are called out by name in the readme).
A forwarded agent will have the same level of security, meaning that if the forwarded agent needs to use a key in Secretive, it will have to be authorised locally - and even if TouchID is disabled, you are notified if a key is used.
[0] https://github.com/maxgoedjen/secretive/
What are some alternatives?
webauthn - Web Authentication: An API for accessing Public Key Credentials
sekey - Use Touch ID / Secure Enclave for SSH Authentication!
YubiKey-Guide - Guide to using YubiKey for GnuPG and SSH
rust-u2f - U2F security token emulator written in Rust
openssh-sk-winhello - A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API
kr - DEPRECATED A dev tool for SSH auth + Git commit/tag signing using a key stored in Krypton.
Vault - A tool for secrets management, encryption as a service, and privileged access management
vault-plugin-secrets-onepasswor
pass-import - A pass extension for importing data from most existing password managers
stateless-workstation-config - This is how I configure a fresh Ubuntu installation for serving me as a workstation.