yubikey-agent VS mfsbsd

This is a great idea. I now exclusively use SSH keys on hardware security modules of some kind. I use "Secretive", a mac app that does the same, plus a yubikey using yubikey-agent (https://github.com/FiloSottile/yubikey-agent; there are too many complicated ways to use SSH keys with a yubikey this is one of the friendliest ones). Depending on the security and frequency of which I access the service impacts whether I need presence confirmation or use secretive versus the yubikey.

I would be remiss to mention there are existing SSH TPM projects, not sure how this one differentiates. It seems to at least have the user experience pretty simple, similar to yubikey-agent (and secretive), and unlike some of the existing solutions which have quite a few extra steps:

Also check out https://github.com/FiloSottile/yubikey-agent which simplifies the setup quite a bit.

I'm using it on nixOS and macOS, via Nix Packages and Homebrew respectively. It's this - https://github.com/FiloSottile/yubikey-agent I'm realizing from this thread that it's not an official package. I'll go closer to the source with ykman. Thanks!

I think the Ledger Manager only interfaces with the GPG and SSH agents, neither of which age take advantage of. But age does have support for Yubikeys (see https://github.com/FiloSottile/yubikey-agent). If you can interface with the Ledger hardware device as a Yubikey, this might work. I don't have experience here, just a thought.

You can use PIV for SSH just fine.

It's not OpenSSH's weird FIDO mode, but I don't like the FIDO mode anyway because it requires storing a file on the computer.

https://github.com/FiloSottile/yubikey-agent

I have the same concern. I modified Pageant (Windows agent) so that it prompts me before signing anything which helps ease my mind, I only approve when I know I'm connecting to a new server. There are also options like requiring a Yubikey too (https://github.com/FiloSottile/yubikey-agent)

Aging MBP, Intel based, Monterey 12.3.1 uname -v Darwin Kernel Version 21.4.0: Fri Mar 18 00:45:05 PDT 2022; root:xnu-8020.101.4~15/RELEASE_X86_64 brew info yubikey-agent yubikey-agent: stable 0.1.5 (bottled), HEAD Seamless ssh-agent for YubiKeys and other PIV tokens https://filippo.io/yubikey-agent /usr/local/Cellar/yubikey-agent/0.1.5 (7 files, 4.8MB) * ...

Unless I've missed something, SSH keys stored on Yubikeys are still hampered because you aren't allowed to a touch policy of "touch never".

Imagine needing to touch the Yubikey with each "git pull" or using Ansible to operate over SSH on a dozen servers in parallel, and needing to touch the Yubikey once for each server.

The feature request I'm tracking is here: https://github.com/FiloSottile/yubikey-agent/issues/95

The proposed feature would allow setting a touch policy for the SSH key.

If you can do ssh, you can sign messages: https://github.com/FiloSottile/yubikey-agent

I'm very new to BSD in general, but I find it very fun and interesting!

However, I need pointers to get started.

> You won't be spoon-fed, and are expected to have read the manuals and other documentations...

I read a lot of FreeBSD and NetBSD documentation to get to the point of compiling my own kernels, but I don't think I ever read about the equivalent concept of Linux cpio/initramfs for BSD. My minimal images use a UFS filesystem.

Here, after checking https://mfsbsd.vx.sk/ and https://github.com/mmatuska/mfsbsd/blob/master/scripts/mdini... I think mfsbsd is just a using tmpfs so it may not exactly the same thing as initramfs, that allows booting linux from a bzImage + initrd

I'll keep searching, it's not super high priority at the moment, but it's something I'd like to do with (Free|Net)BSD.

I suspect it depends on how much support and/or hand-holding you need from your hosting provider. I'd hesitate to run an unofficial build/image but I believe the alternative on DO is to use mfsbsd (a memory-file-system installer for FreeBSD) which is also an unofficial build/image.

The common answer here is to use mfsbsd which puts all the installer's requirements onto a RAM disk so you should (in theory) be able to pull the install media and plug in other devices as needed

I looked into this for a project a couple of years ago and ended up using mfsbsd instead.

https://github.com/mmatuska/mfsbsd