Our great sponsors
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
openssh-sk-winhello
A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API
-
stateless-workstation-config
This is how I configure a fresh Ubuntu installation for serving me as a workstation.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Similar to the recommendations to use a YubiKey/hardware token, SeKey on a Mac lets you use a key generated in the Secure Enclave in an unexportable form (https://github.com/sekey/sekey)
> Still, I'd really like to see an article about how you set that up, especially if it targets smaller enterprise customers.
https://github.com/square/sharkey
My knowledge of WebAuthn is limited but their invocation of the relevant API seems like it should work for fingerprints also.
[1] https://github.com/tavrez/openssh-sk-winhello
Secretive also does this, and works on any Mac with the T2. I use it for all my ssh keys these days. It’s super slick!
https://github.com/maxgoedjen/secretive
Definitely not appropriate for protecting Real Infrastructure, but for my handful of personal machines I put my authorized keys in a Google Doc and configure hosts to download it using `AuthorizedKeysCommand`.
I have a hardware-backed "doomsday key" to use if the Google Doc stops working.
Writeup and script at https://github.com/mmdriley/authorized_keys
> An even more robust approach is to use some kind of hardware token that can sign short-lived ssh keys, and teach all your servers how to deal with those. That’s neat, but it’s hard to deploy (needs custom ssh settings).
Ahem, no. I use Yubikeys for a few years now. They are literally braindead to use, and works out of the box in recent Ubuntu. Here is an Absible role to get started: https://github.com/cristiklein/stateless-workstation-config/...
Stop making excuses and start protecting your SSH keys!
Disclaimer: I'm not compensated in any way by Yubico, but their product is so darn good that I really want people to start using it.
If you use GPG and YubiKey approach, you can create the keys in offline computer, store them to YubiKey, and make paper copy of the private key. Also you probably shouldn't have only single way to access the remote computer, I still intend to store password for root that I never use.
I wrote about my endeavour with this approach just few days ago [1].
[1]: https://github.com/Ciantic/thoughts/blob/master/2021/yubikey...
Related posts
- Why SSH certificates are awesome
- Horus: An OSINT / digital forensics tool built in Python (formerly 'Sentinel')
- Show HN: Horus – An OSINT / digital forensics tool built in Python
- Tracking Snoop Dogg's $4M Crypto Wallet with My New Open Source Tool!
- Randcrack – predict Python's random module random generated values