new-sshagent-work

Prologue

So I got a YubiKey 5C Nano handed to me. Things kinda got out of hand.

Setup

The key is so small that it will just stay in one of my laptop's USB-C ports. I want to use the key for ssh authentication. Step one is to disable OTP because I do not want to spill random strings into my tty every time I touch it by accident:

rcctl -f start pcscd
ykman config usb -d OTP
rcctl -f stop pcscd

Next we create a non-resident ed25519-sk key. That is the key type used for FIDO keys:

ssh-keygen -t ed25519-sk

FIDO keys consist of two parts: a key-handle and a private key. The private key never leaves the FIDO token; for every signing operation the token combines it with the key-handle it is given. For a non-resident key the key-handle is stored on disk in the private-key file, which is protected by the key's passphrase.

/etc/X11/xenodm/Xsession starts ssh-agent(1) and calls ssh-add(1) to add the standard identities to the ssh-agent.

I have to touch the token on every use of the ed25519-sk key.

Assuming the FIDO token works correctly, nobody can steal my private key remotely.

Theo de Raadt (deraadt@) pointed out a problem with the key at rest: when I suspend my laptop I want to remove the key from the agent and re-add it at first use on resume. We were puzzling around with this for a bit at c2k24 but did not make too much progress.

A Triumph in Modern Igoring

Back home I remembered an option that I had to use on my macOS work laptop to make the ssh-agent work correctly: AddKeysToAgent

Having this in /etc/apm/suspend removes all keys from my agent on suspend:

#!/bin/sh
# apm(8) suspend hook: find every ssh-agent socket owned by florian
# and flush all identities from that agent (-D deletes, -q keeps it quiet).

for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do
        su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq"
done

Adding AddKeysToAgent yes as the first line of ~/.ssh/config then prompts me for the passphrase of the key on first use and adds it to the ssh-agent again.
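The suspend hook above flushes the agents but never checks that the flush actually happened. As an added example (not part of the original post), here is a variant of that hook that verifies each agent is empty afterwards and can tell security-key identities apart from ordinary ones in ssh-add -l output. It assumes the user name florian from the post, the standard ssh-add(1) exit codes (0 with one line per identity, 1 when the agent has no identities, 2 when the agent is unreachable) and an sk identity's type tag ending in "-SK"; the sample listing and its fingerprints are constructed placeholders. The RUN_SUSPEND_HOOK guard only exists so the functions can be sourced and exercised without an agent; installed as /etc/apm/suspend you would call main unconditionally.

```shell
#!/bin/sh
# Added example, not the original post's hook. Assumes OpenSSH ssh-add(1)
# behaviour and the user name from the post (override with AGENT_USER).
set -u

AGENT_USER="${AGENT_USER:-florian}"

# Constructed sample of "ssh-add -l" output; fingerprints are placeholders.
SAMPLE_LISTING='256 SHA256:AAAAplaceholderFingerprintSecurityKey0000000 florian@laptop (ED25519-SK)
3072 SHA256:BBBBplaceholderFingerprintRsaKey000000000000 florian@laptop (RSA)
256 SHA256:CCCCplaceholderFingerprintEd25519Key00000000 florian@laptop (ED25519)'

# Print every agent socket owned by $1, one path per line (sockets only).
list_agent_sockets() {
    find /tmp -user "$1" -path '/tmp/ssh-*' -name 'agent.*' -type s 2>/dev/null
}

# Count identities in "ssh-add -l" output read from stdin.
# $1 is "sk" (FIDO identities only, type tag ends in -SK) or "all".
# Always prints a number, even when the agent reports no identities.
count_identities() {
    case "${1:-all}" in
        sk)  grep -c -- '-SK)$' ;;
        all) grep -c -- '^[0-9][0-9]* ' ;;
        *)   echo "usage: count_identities sk|all" >&2; return 2 ;;
    esac
    return 0
}

# Flush every identity from the agent behind socket $1, as the socket's
# owner, then ask the agent for its list to confirm it is really empty.
# Returns 0 when empty, 1 when identities remain, 2 when unreachable.
flush_agent() {
    sock="$1"
    su "$AGENT_USER" -c "SSH_AUTH_SOCK=$sock ssh-add -Dq"
    su "$AGENT_USER" -c "SSH_AUTH_SOCK=$sock ssh-add -l" >/dev/null 2>&1
    case $? in
        1) return 0 ;;   # "The agent has no identities." is what we want
        0) return 1 ;;   # at least one identity survived the flush
        *) return 2 ;;   # agent gone, or ssh-add missing
    esac
}

# Flush all of the user's agents; non-zero if any agent is not empty after.
main() {
    rc=0
    for sock in $(list_agent_sockets "$AGENT_USER"); do
        flush_agent "$sock" || {
            echo "agent $sock not flushed (status $?)" >&2
            rc=1
        }
    done
    return $rc
}

# Guard so the file can be sourced for testing; in /etc/apm/suspend, call
# main unconditionally instead.
if [ "${RUN_SUSPEND_HOOK:-no}" = yes ]; then
    main
fi
```

Running it with RUN_SUSPEND_HOOK=yes from root does exactly what the hook in the post does, plus a non-zero exit and a line on stderr for any agent that still lists identities. The -type s restriction keeps find from feeding anything but sockets to ssh-add, and piping a listing through count_identities sk is a quick way to see whether the ed25519-sk identity is currently loaded.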

Epilogue

This works, but it should really work out of the box per default. This being OpenBSD, you can rest assured that we are working on it. Stay tuned…

Published: 2024-07-16