What does HackerNews think of YubiKey-Guide?

Guide to using YubiKey for GPG and SSH

Language: Shell

#26 in Security
Organizing multiple Git identities | Oct 2023
This was a significant problem for me across a few consulting clients. What ended up making things significantly better for me was doing my SSH over GPG: https://opensource.com/article/19/4/gpg-subkeys-ssh This way, I can create and delete GPG subkeys all I want, export the SSH files for upload to a client's system. When it comes time to authenticate, I only ever have to unlock a single secret, which in my case is my GPG keys on my Yubikey devices: https://github.com/drduh/YubiKey-Guide
Ask HN: Why does YubiCo need my private key? | Sep 2023
I'd recommend using the Yubikey as a GPG smartcard[1]. The private key stays on the Yubikey. I also use it for ssh. But make sure you have a backup key or two, just in case the primary Yubikey gives out. FIDO2 and all other regular Yubikey functionality still work with it.

[1]: https://github.com/drduh/YubiKey-Guide

An Opinionated Yubikey Set-Up Guide | Sep 2023
The excellent guide by drduh should be mentioned here: https://github.com/drduh/YubiKey-Guide — I've been using this approach for years to store my OpenPGP keys on Yubikeys and use them for SSH.

I don't generate my keys on devices. That lets me be flexible and keep backups, as well as use the same keys on multiple physical devices. Using a single yubikey is a bad idea, as you're bound to eventually lose it or break it. Hasn't happened to me yet in 5 years, but I expect it to happen.

I wish more sites supported hardware keys instead of only TOTP tokens, or (heaven forbid, but corporate idiocy is plentiful) SMS.

OpenPGP master key on Nitrokey Start | Mar 2023
If you are looking to do something similar with a Yubikey check out https://github.com/drduh/YubiKey-Guide for getting started.

It is by far the most comprehensive guide on using a YubiKey as a SmartCard for storing GPG keys. I used this a few years ago and it helped clear up any confusion I had about getting the most out of my Yubikey 5 NFC.

Secretive: Store SSH Keys in the Secure Enclave | Mar 2023
Expand Context ↕
There's a fairly excellent guide on creating a robust key system here: https://github.com/drduh/YubiKey-Guide. Primary and backup Yubikey for use, offline cert keys, and paper backups.

If you're wanting to protect things further you can also also split your backups via a secret sharing scheme (like http://point-at-infinity.org/ssss/) and distribute the fragments to people or places your at least partially trust.
Passwordless authentication with FIDO2–beyond just the web | Feb 2023
Expand Context ↕
I haven't tried using the GPG mode on mobile, but I've had absolutely 0 issues with it on Linux. Just followed the arch wiki setup and this random guide I found: https://github.com/drduh/YubiKey-Guide. I use it daily to ssh into hosts and sign git commits.

On Windows, it's a bit more involved, of course, especially for SSH. I seem to remember that I did find at one point some hack which allowed ssh to use the GPG agent. Since I only rarely use Windows, I didn't care enough to test it through. Code signing seems to work well enough. SmartCard emulation also works well enough, but it does seem to conflict with some other mode, either U2F or GPG, can't remember which. You have to un/replug the key to switch modes.

I am also quite... surprised at Firefox's apparent lack of priority for supporting CTAP2. I've seen there are long-open bugs, but not that much interest. My understanding is that on macos and windows, it delegates the user verification to the os, and on linux there isn't anything for that. FWIW, chrome seems fine with implementing their own.
Russhian Roulette: 1/6 chance of posting your SSH private key on pastebin | Jan 2023
Expand Context ↕
You can check this guide: https://github.com/drduh/YubiKey-Guide