new-sshagent-work
Prologue
So I got a YubiKey 5C Nano handed to me. Things kinda got out of hand.
Setup
The key is so small that it will just stay in one of my laptop's USB-C ports.
I want to use the key for ssh authentication.
Step one is to disable OTP because I do not want to spill random strings into my tty every time I touch it by accident:

    rcctl -f start pcscd
    ykman config usb -d OTP
    rcctl -f stop pcscd
Next we create a non-resident ed25519-sk key. That is the key type used for FIDO keys:

    ssh-keygen -t ed25519-sk
FIDO keys consist of two parts: a key-handle and a private key. The private key stays on the FIDO token and is combined with the key-handle for signing operations. For a non-resident key the key-handle is stored on disk in the private-key file and is password protected.
/etc/X11/xenodm/Xsession starts ssh-agent(1) and calls ssh-add(1) to add the standard identities to the ssh-agent.
I have to touch the token on every use of the ed25519-sk key.
Assuming the FIDO token works correctly, nobody can steal my private key remotely.
Theo de Raadt (deraadt@) pointed out a problem with the key at rest: when I suspend my laptop I want to remove the key from the agent and re-add it at first use on resume.
We were puzzling around with this for a bit at c2k24 but did not make too much progress.
A Triumph in Modern Igoring
Back home I remembered an option that I had to use on my macOS work laptop to make the ssh-agent work correctly: AddKeysToAgent
Having this in /etc/apm/suspend removes all keys from my agent on suspend:

    #!/bin/sh
    # find every agent socket owned by florian and drop all identities from it
    for a in $(find /tmp -user florian -path '/tmp/ssh-*' -name 'agent.*'); do
    	su florian -c "SSH_AUTH_SOCK=$a ssh-add -Dq"
    done
Adding AddKeysToAgent yes as first line to ~/.ssh/config then prompts me for the password of the key on first use and adds it to the ssh-agent again.
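The following is an added example, not code from the post above: the suspend hook generalised to every user who has an agent socket under /tmp (the post's version is hard-wired to one user), plus two small helpers that read ssh-add -l output so you can verify that the hook really emptied the agent before sleep and that the first ssh after resume put only the expected ed25519-sk key back. It assumes OpenBSD's stat(1) -f %Su to find a socket's owner and the /tmp/ssh-*/agent.* socket layout from the post; the user name and fingerprints in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Generalised /etc/apm/suspend
# hook plus helpers that inspect `ssh-add -l` output.
# Assumptions: OpenBSD agent sockets live in /tmp/ssh-*/agent.* and
# stat(1) -f %Su yields the socket owner. User names and fingerprints
# mentioned in comments are constructed.

# count_sk_keys: read `ssh-add -l` output on stdin and print the number of
# FIDO identities (ed25519-sk or ecdsa-sk) the agent currently holds.
# ssh-add -l prints one key per line ending in the type in parentheses,
# e.g. "256 SHA256:... alice@laptop (ED25519-SK)" (constructed line); an
# empty agent prints "The agent has no identities." and the count is 0.
count_sk_keys() {
    awk '/\((ED25519|ECDSA)-SK\)$/ { n++ } END { print n + 0 }'
}

# agent_has_no_keys: succeed (exit 0) when `ssh-add -l` output on stdin
# shows an empty agent, which is the state we want right after suspend.
agent_has_no_keys() {
    grep -q '^The agent has no identities\.$'
}

# flush_all_agents: the suspend hook, generalised to every user. For each
# agent socket under /tmp, become its owner and drop all identities with
# `ssh-add -D`, so no key (and no FIDO key handle) stays in agent memory
# while the laptop sleeps. AddKeysToAgent in ~/.ssh/config re-adds the
# key on first use after resume.
flush_all_agents() {
    for sock in $(find /tmp -path '/tmp/ssh-*' -name 'agent.*' 2>/dev/null); do
        owner=$(stat -f %Su "$sock") || continue   # OpenBSD stat(1) format
        su "$owner" -c "SSH_AUTH_SOCK=$sock ssh-add -Dq"
    done
}

# check_agent: report the agent state for the invoking user, e.g. right
# after resume and again after the first ssh(1) connection.
check_agent() {
    listing=$(ssh-add -l 2>&1)
    if printf '%s\n' "$listing" | agent_has_no_keys; then
        echo "agent is empty"
    elif printf '%s\n' "$listing" | grep -q 'Could not open a connection'; then
        echo "no agent reachable via SSH_AUTH_SOCK"
    else
        echo "agent holds $(printf '%s\n' "$listing" | count_sk_keys) FIDO key(s)"
    fi
}

# "suspend" is what the apm hook would call; "check" is for a user shell:
#   sh suspend-hook.sh check
case "${1:-}" in
    suspend) flush_all_agents ;;
    check)   check_agent ;;
esac
```

Install the file as /etc/apm/suspend with the suspend branch, or keep it as a standalone script and run it with the check argument from your own session; after resume, check should report an empty agent, and after the first ssh connection it should report exactly one FIDO key.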
Epilogue
This works, but it should really work out of the box by default. This being OpenBSD, you can rest assured that we are working on it. Stay tuned…