# Up your SSH security game

---

# Why?

## Using ssh keys?

## In your home directory?

## Ever use git, npm, cargo, pip, ...?

## You've got a problem.

---

# People are running code on your laptop

# You're not auditing it

# Passphrase-protected keys can be stolen

# Passphrases can be keylogged

---

# Something better

---

# "U2F/FIDO" USB keys

## Commodity hardware, ~20€+

## Many small models fit completely inside USB-A ports

---

# Can implement public key operations

## RSA and ECDSA widely supported, ed25519 on good ones

## Can require PIN and physical touch

---

# PIN setup

## Varies from vendor to vendor

## Yubikey uses `ykman fido access change-pin`

---

# SSH support

```
$ ssh-keygen -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
Enter file in which to save the key (/var/home/lis/.ssh/id_ed25519_sk):
```

---

# Creates a "resident" key

```
$ ykman fido credentials list
Enter your PIN:
Credential ID  RP ID  Username  Display name
4603519c...    ssh:   openssh   openssh
```

---

# You get in `~/.ssh`:

`id_ed25519_sk`

`id_ed25519_sk.pub`

## But the private key is just a pointer

---

# If you lose the files...:

`ssh-keygen -K`

---

# You can also create non-resident keys

## ...and (for the truly paranoid) passphrase protect them.

---

# Other options:

## `no-touch-required`

## `write-attestation`

## `verify-required`

## etc.

---

# Using the key

```
$ ssh example.org
Confirm user presence for key ED25519-SK SHA256:fAxxFFykCijTdrVUUjbbi2TWfCWtOiafhuBhgG7siGg
Enter PIN for ED25519-SK key /var/home/lis/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:fAxxFFykCijTdrVUUjbbi2TWfCWtOiafhuBhgG7siGg
User presence confirmed
```

---

# Advantages

## Can't be copied
(theoretically)
## PIN can't be brute-forced
(theoretically)
## Touch requirement can't be bypassed
(theoretically)
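---

# Added example: checking that the guarantees hold

The script below is an added example, not part of the original slides or of OpenSSH or ykman. The "can't be copied" and "PIN can't be brute-forced" advantages only apply to keys that are actually hardware-backed, and only if the server side keeps them that way: OpenSSH accepts `verify-required` and `no-touch-required` as options in `authorized_keys` as well as at key creation, so a server can insist on the PIN check for a key regardless of how the client generated it. The two checks here, with the hypothetical helper names `key_class`, `list_software_keys` and `audit_authorized_keys`, find leftover software keys in a `~/.ssh`-style directory and flag `authorized_keys` entries that lack `verify-required` or carry `no-touch-required`. All sample key lines are constructed; the base64 blobs are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original slides): POSIX sh audit of OpenSSH
# public-key material.
#   1. list_software_keys DIR    -> *.pub files that are NOT FIDO-backed
#   2. audit_authorized_keys FILE -> entries that weaken the PIN+touch checks
# Sample keys below are constructed; base64 blobs are placeholders.

# Print "fido" if the line carries a FIDO/U2F key type, otherwise "software".
# OpenSSH names the hardware-backed types sk-ssh-ed25519@openssh.com and
# sk-ecdsa-sha2-nistp256@openssh.com. The match is on that type token, which
# cannot occur inside a base64 blob (base64 has no '@' or '-').
key_class() {
    case $1 in
        *sk-ssh-ed25519@openssh.com*|*sk-ecdsa-sha2-nistp256@openssh.com*) echo fido ;;
        *) echo software ;;
    esac
}

# Check 1: print every *.pub in DIR whose key is a plain software key, i.e.
# a private key file that can be copied off the laptop. Prints nothing when
# every key is hardware-backed.
list_software_keys() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        [ "$(key_class "$(cat "$pub")")" = software ] && echo "$pub"
    done
    return 0
}

# Check 2: audit an authorized_keys file. Findings go to stderr; the number
# of findings is printed on stdout so a caller can test it.
#   SOFTWARE: not a FIDO key at all
#   NO-TOUCH: no-touch-required option present, touch check disabled
#   NO-PIN:   verify-required option missing, sshd will not insist on the PIN
audit_authorized_keys() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        comment=${line##* }            # last field: the key comment
        if [ "$(key_class "$line")" = software ]; then
            echo "SOFTWARE  $comment: private key is a plain file, copyable" >&2
            findings=$((findings + 1))
            continue
        fi
        case $line in *no-touch-required*)
            echo "NO-TOUCH  $comment: touch check disabled for this key" >&2
            findings=$((findings + 1)) ;;
        esac
        case $line in *verify-required*) ;; *)
            echo "NO-PIN    $comment: add verify-required so sshd insists on the PIN" >&2
            findings=$((findings + 1)) ;;
        esac
    done < "$1"
    echo "$findings"
}

# Constructed sample authorized_keys: one sound entry, then three weak ones
# (missing verify-required; no-touch-required; a plain software key).
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample, placeholder key blobs
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER ssh:laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER ssh:no-pin

no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrPLACEHOLDER ssh:ansible
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@old-laptop
EOF
}

# Usage on a real system (not run here):
#   list_software_keys "$HOME/.ssh"
#   audit_authorized_keys "$HOME/.ssh/authorized_keys"
```

The comment field is taken as the last whitespace-separated word, which is enough for the `ssh:` comments `ssh-keygen` writes for resident keys; entries with a `command="..."` option containing spaces would need a real option parser.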
---

# Disadvantages

## Device firmware is often closed-source

## You need to enter the PIN and touch the key each time

## (you can have ssh-agent cache the PIN or disable touch)

## Can be annoying for git, super annoying for Ansible

---

# Workaround for git usage

In `~/.config/git/config`:

```
[url "ssh://git@codeberg.org/"]
    pushInsteadOf = https://codeberg.org/
[url "ssh://git@github.com/"]
    pushInsteadOf = https://github.com/
```

---

# Bonus slide: `ssh root@.host`

## (aka: `systemd-ssh-proxy`)

## PIN+touch to become root, no setuid binaries

---

# Questions?