Post AUHclMaeKivEdFZwPI by parkr@fosstodon.org
 Post #AUHclLnNHvVUAQWabQ by parkr@fosstodon.org
       2023-04-01T19:32:18Z
       
       0 likes, 0 repeats
       
       I want to 2FA my ssh servers (pi armhf & Linux amd64). Any recommendations on how to get started? 2FA would ideally be ssh key + Yubikey, Mac TouchID, or iPhone FaceID.
       
 Post #AUHclMaeKivEdFZwPI by parkr@fosstodon.org
       2023-04-03T14:19:10Z
       
       0 likes, 0 repeats
       
       I was able to set up a Yubikey SSH key (thanks @omenos!) but decided against deploying it. Instead, I have:
       - macOS with Secretive, which stores my SSH key in the Secure Enclave and requires Touch ID or confirmation from my watch to use
       - iOS with Termius’s Biometric Key, which stores a different SSH key in its Secure Enclave and requires Touch ID to use. My iOS device uses an alphanumeric passcode to make it harder to override by shoulder surfing.
       
 Post #AUHclNHtjvW6nNoTom by parkr@fosstodon.org
       2023-04-03T14:22:15Z
       
       0 likes, 0 repeats
       
       The Yubikey SSH setup had many options. I had chosen non-discoverable keys with FIDO2, but the UX was too poor for me since my Yubikey isn’t always in-hand. The Secure Enclave isn’t really a second factor since it can’t be separated from each device, but it is at least harder to exfiltrate and/or use without owning the entire machine. A random program I’m running from the internet can’t just grab my keys and run as it could before.
       
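       The FIDO2 "non-discoverable key" setup mentioned in the post above, written out as an added example that is not from the thread or from the Secretive, Termius or yubikey-agent projects. It goes a step beyond the post: alongside the client-side ssh-keygen invocation it shows how a server can enforce the "ssh key + Yubikey" policy so that a plain file-based key cannot log in even if someone appends it to authorized_keys, and it includes a small audit over a constructed authorized_keys file (the key blobs are placeholders, not real keys; the sshd_config lines assume OpenSSH 8.5 or newer and a hypothetical host).

```shell
#!/bin/sh
# Added example, not code from the thread. Client-side FIDO2 key generation
# (commented, since it needs the YubiKey plugged in), the sshd settings that
# refuse anything not hardware-backed, and an audit of authorized_keys that
# flags keys which would let a stolen key file log in without the token.

# Client side, run with the YubiKey inserted (not executed here):
#   ssh-keygen -t ed25519-sk -O verify-required -f ~/.ssh/id_ed25519_sk
# Keys are non-discoverable (non-resident) by default; "-O resident" would
# store a discoverable credential on the token instead. "-O verify-required"
# makes every signature ask for the PIN or biometric, not just a touch.
#
# Server side, in sshd_config (OpenSSH 8.5+; older releases spell the first
# option PubkeyAcceptedKeyTypes). Assumed host config, not from the thread:
#   PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
#   PubkeyAuthOptions verify-required

# write_sample_authorized_keys FILE: writes a constructed authorized_keys file.
# The base64 blobs are placeholders, not real public keys.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample: two FIDO2 keys, two plain file-based keys
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t yubikey-5c
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTY yubikey-nano

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI laptop-file-key
no-port-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB old-rsa-key
EOF
}

# count_non_sk_keys FILE: prints the number of keys in FILE whose type is not
# an sk-* (FIDO2) type and lists each one on stderr. Comments and blank lines
# are ignored; a leading option list such as "verify-required,no-pty" is
# skipped over to reach the key type field.
count_non_sk_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            hw = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com$/) { hw = 1; break }
                if ($i ~ /^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521))$/) break
            }
            if (!hw) { bad++; print "line " NR ": not hardware-backed: " $0 > "/dev/stderr" }
        }
        END { print bad + 0 }
    ' "$1"
}

# Usage: ./audit.sh --demo   (audits the constructed sample and reports)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_authorized_keys "$tmp"
    n=$(count_non_sk_keys "$tmp")
    rm -f "$tmp"
    echo "non-FIDO2 keys found: $n"
    [ "$n" -eq 0 ] || exit 1
fi
```

       The audit is a safety net, not the enforcement: once PubkeyAcceptedAlgorithms is restricted to the sk-* types, sshd rejects the two file-based keys in the sample regardless of what authorized_keys contains, and verify-required means a borrowed, unlocked YubiKey still needs its PIN.
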
 Post #AUHclNslWr0Wdj3vHc by filippo@abyssdomain.expert
       2023-04-03T14:34:55Z
       
       0 likes, 1 repeats
       
       @parkr Secretive is excellent, but I’m curious if you tried yubikey-agent. It’s specifically made to improve the UX of Yubikeys with ssh.