yubikey

YubiKey at Datadog
License: MIT License
Language: Shell
Category: application tools, terminal / remote login
Software type: open source
Region: unknown
Submitted by: 越英韶
Operating system: cross-platform
Open source organization: (none listed)
Audience: unknown
Software overview

YubiKey at Datadog

Summary

GPG is useful for authenticating yourself over SSH and / or GPG-signing your git commits / tags. However, without hardware like the YubiKey, you would typically keep your GPG private subkeys in "plain view" on your machine, even if encrypted. That is, attackers who personally target you [1,2,3,4] and compromise your machine can exfiltrate your (encrypted) private key, and your passphrase, in order to pretend to be you.

Instead, this setup lets you store your private subkeys on your YubiKey. Actually, it gives you much stronger guarantees: you cannot authenticate over SSH and / or sign GPG commits / tags without: (1) your YubiKey plugged in and operational, (2) your YubiKey PIN, and (3) touching your YubiKey. So, even if there is malware trying to get you to sign, encrypt, or authenticate something, you would almost certainly notice, because your YubiKey will flash, asking for your attention. (There is the "time-of-check to time-of-use" issue, but that is out of our scope.)

Estimated burden and prerequisites

About 2-3 hours. 15 minutes could save you 15% or more on cybersecurity insurance.

You will need macOS with Homebrew / Ubuntu / Arch Linux, a password manager, and a YubiKey 5.

U2F

STRONGLY recommended: configure U2F for GitHub and Google.

GPG

Please read and follow all of the instructions carefully.

```bash
$ ./gpg.sh
```

(Protip: set TEMPDIR=1 when preparing a YubiKey for someone else to avoid polluting your default GPG homedir.)

git

STRONGLY RECOMMENDED: signing your git commits and tags.

You must first set up GPG.

Then, to sign git commits and tags for a particular repository:

```bash
$ ./git.sh /path/to/git/repository
```

Or, to sign git commits and tags for all repositories:

```bash
$ ./git.sh
```

SSH

NOT recommended unless you plan to use your GPG authentication subkey as your only SSH authentication key.

You must have first set up GPG. Then:

```bash
$ ./ssh.sh
```

## Reset

If you need to reset YubiKeys, you may use the following script. The script looks for every plugged-in YubiKey
and shows a menu to reset one specific key, or all of them.
**Please read and follow all of the instructions carefully. YOU WILL NOT BE ABLE TO RETRIEVE KEYS/DATA FROM THE YUBIKEY AFTER COMPLETION.**

```bash
$ ./reset.sh
```

Troubleshooting

Go here for troubleshooting common issues such as unblocking a blocked card, error when pulling or pushing with git over SSH, and rebasing with git.

Optional

Go here for support on optional bits such as Keybase, VMware Fusion, Docker Content Trust, signing for different git repositories with different keys, and configuring a computer to use an already configured YubiKey.

References

1. YubiKey Handbook

2. A Git Horror Story: Repository Integrity With Signed Commits

3. Welp, there go my Git signatures

4. [Bitcoin-development] PSA: Please sign your git commits
