The new "Simple standalone #SSH Agent for #OpenPGP cards" (https://crates.io/crates/openpgp-card-ssh-agent) is now available as a package for #Arch Linux, by the way :arch: 😏
This agent offers a frictionless UX when using ssh with keys that are stored on OpenPGP card devices: No more ongoing PIN entry required! 🚀
@dvzrv has once again done amazing packaging and documentation work! 🥳 Thank you 😃
See https://wiki.archlinux.org/title/SSH_keys#OpenPGP_card_ssh-agent for details.
Some authentication means are more secure than others: using a hardware device designed to store a private key without ever making it possible to extract it is more secure than storing the private key in a file. Unfortunately, the most secure means are also the most painful to use. Users who keep their keys on a device need to carry the device with them, need to type their PIN code every time they initiate an SSH session, and so on. This makes it quite difficult to advocate methods more secure than passwords and key files for use cases where the security of the access is not the priority.
So the question is: is it possible to store the authentication material more securely than in a file (which can be stolen by some malware), without changing the user experience?
And the answer is: yes, using a TPM!
YubiKeys are hardware security keys that provide one-time passwords (OTP) and U2F (Universal 2nd Factor) cryptographic tokens over a USB and/or NFC interface. This means you have to explicitly authorize each new SSH session by tapping the YubiKey. The private SSH key, which normally sits on your SSD or cloud instance, should be useless to a malicious user who does not have physical access to the YubiKey on which the second private key is stored.
Configuring 2FA (Two Factor Authentication) with YubiKeys on SSH sessions is ideal for bastion hosts, also known as stepping stone servers that connect to your VPC (Virtual Private Cloud).
In simple words, ssh-audit is a tool for auditing SSH servers and clients. For example, you can use this tool to:
Scan OpenSSH server and client configurations for security issues
Make sure the correct and recommended algorithms are used by your Linux and Unix boxes
Check OpenSSH banners and recognize the device, software, and operating system
Look up SSH key exchange, host-key, encryption, and message authentication code (MAC) algorithms
Alert developers and sysadmins about configuration issues, weak/legacy algorithms, and features used by SSH
Provide historical information on OpenSSH, Dropbear SSH, and libssh
Run policy scans to ensure adherence to a hardened/standard configuration
Guardian Agent (now in beta) allows users to securely empower remote hosts to take actions on their behalf, using their SSH credentials. It allows Mosh and SSH users to enable agent forwarding for every connection, even to hosts they may not fully trust.
Guardian Agent is an alternative to traditional ssh-agent forwarding, which can only safely be enabled when connecting to trusted hosts. The traditional ssh-agent protocol does not give the agent any information about which host is asking to perform a command on the user's behalf, which server that host wants to connect to, or which command the host wants to perform:
Include
Include the specified configuration file(s). Multiple pathnames may be specified and each pathname may contain glob(3) wildcards and, for user configurations, shell-like "~" references to user home directories. Files without absolute paths are assumed to be in ~/.ssh if included in a user configuration file or /etc/ssh if included from the system configuration file. The Include directive may appear inside a Match or Host block to perform conditional inclusion.
I had my Include statement trailing a Host directive so it was being included into that Host's config.
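To make that scoping rule concrete, here is an added toy reader for ssh_config (example code, not OpenSSH's own parser) that applies OpenSSH's first-value-wins rule and treats an Include that follows a Host line as conditional on that Host matching. The files are constructed in memory; only Host (name patterns), Include and plain "Key value" lines are modelled.

```python
"""Toy ssh_config reader: shows why an Include placed after a Host line
only takes effect for hosts matching that Host block.  Constructed
example; Match, '=' syntax, globbed include paths and the way a Host
line inside an included file affects the including file are not modelled."""
from fnmatch import fnmatch


def _read(files, path, target, opts, seen):
    """Read one file, filling `opts` with the first value seen per key."""
    if path in seen or path not in files:
        return  # unknown file, or recursion guard
    seen.add(path)
    active = True  # before any Host line, every directive applies
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            # A Host line switches directives on/off until the next one.
            active = any(fnmatch(target, pat) for pat in value.split())
            continue
        if not active:
            continue
        if key == "include":
            # Reached only when the enclosing Host (if any) matched.
            for inc in value.split():
                _read(files, inc, target, opts, seen)
            continue
        opts.setdefault(key, value)  # OpenSSH keeps the first value


def resolve(files, start, target):
    """Effective options for `target` starting from config file `start`."""
    opts = {}
    _read(files, start, target, opts, set())
    return opts


# Constructed files: the same Include placed after, then before, a Host block.
FILES = {
    "config_trailing": "Host bastion\n    User admin\nInclude work.conf\n",
    "config_leading": "Include work.conf\nHost bastion\n    User admin\n",
    "work.conf": "ForwardAgent no\nHost git.example.com\n    User git\n",
}

if __name__ == "__main__":
    for cfg in ("config_trailing", "config_leading"):
        for host in ("bastion", "git.example.com"):
            print(cfg, host, resolve(FILES, cfg, host))
```

With the trailing Include, git.example.com gets nothing from work.conf because the Include sits inside the "Host bastion" block; moving the Include above the Host line makes it apply to every host.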
This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH, FIDO devices are supported by the new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after which it may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the key is used. FIDO tokens also generally require that the user explicitly authorise operations by touching or tapping them.