Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I tried the FIDO2 way of authenticating to SSH when I finally had a Linux system with new enough versions of OpenSSH et.c in the repos.

It works quite nicely, but the PIN has to be entered every time I auth to SSH. This may be a desirable feature to some, but I prefer the GPG way of the PIN being cached until the key is removed from the system.

(This could possibly be a shortcoming of KWallet, as it would pop up the dialog asking for the PIN, but checking the "remember this password" would achieve absolutely nothing, and besides, I wouldn't want to save it permanently, which that checkbox would otherwise do.)



Ooh yeah I definitely don't want this either.

I want GPG to ask for the pincode once, and the yubikey to require a physical touch for each authentication (including the first, obviously). This way it can't be automated by malware either (a pincode can be sniffed and replayed through the keyboard driver, the physical touch can't).

The PIN is great against attackers that find your key on the street. Not against a determined attacker that is already on your computer. For that the physical touch thing is a great solution (though the yubikey doesn't require it by default, you can easily turn it on).

Asking the pin upon first use and a touch every time is the perfect compromise between security and usability IMO. There's still some weakness around attackers with physical access but they are more easily mitigated.


I don't have any PIN entry at all with FIDO.


But then someone with your key just has direct access?


It's a second factor, not first. This is fine.


But this is not FIDO2 in CTAP (passwordless) mode, which is what the previous poster referred to. It's FIDO1 and it's not supported by default in SSH, only with some PAM plugins.

OpenSSH supports FIDO2 passwordless mode natively in the latest versions.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: