Hi

On Mon, Apr 01, 2024 at 12:40:51PM +0200, Ansgar 🙀 wrote:
> For OpenSSH it might also be more convenient to use Webauthn, that is,
> the keys generated using `ssh-keygen -t ed25519-sk` or `-t ecdsa-sk`.

Also those key types allow two different uses.  Persistent or
non-persistent keys differ in where parts of the key are stored and
protected.

Persistent keys store the second part on the hardware itself.  So you
can extract that part if you know the PIN of the hardware.  I for
example have one for access to my emails and irc system.

Non-persistent keys store the second part on the using system, aka your
hard drive.  Those files can optionally be protected with a standard SSH
passphrase.  You can also have many different keys this way.

But please be aware: resetting the FIDO part of a YubiKey is pretty easy
and will immediately make all keys unusable.

Bastian

-- 
Punishment becomes ineffective after a certain point.  Men become insensitive.
                -- Eneg, "Patterns of Force", stardate 2534.7
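As an added example (not from Bastian's mail nor from the OpenSSH project), here are the two creation modes the mail describes, in shell, together with a check of which authorized_keys entries are FIDO-backed. Assumed: an OpenSSH client built with FIDO support; the commands that need a token are only run when SK_DEMO=1; the authorized_keys sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an OpenSSH client with FIDO support
# (ssh-keygen -t ed25519-sk); the commands touching a token run only with SK_DEMO=1.

# Command line to create a FIDO-backed key. "resident" keeps the key handle on the
# token (the persistent key in the mail, retrievable with the PIN); "nonresident"
# keeps it in the private key file on disk (optionally passphrase-protected).
sk_keygen_cmd() {
  case "$1" in
    resident)    printf 'ssh-keygen -t ed25519-sk -O resident -O verify-required -f %s' "$2" ;;
    nonresident) printf 'ssh-keygen -t ed25519-sk -f %s' "$2" ;;
    *)           return 1 ;;
  esac
}

# Is this authorized_keys / .pub line a FIDO ("-sk") key type? Options may precede the type.
is_sk_pubkey() {
  case "$1" in
    sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *)       return 0 ;;
    *\ sk-ssh-ed25519@openssh.com\ *|*\ sk-ecdsa-sha2-nistp256@openssh.com\ *) return 0 ;;
    *) return 1 ;;
  esac
}

# Count FIDO-backed entries in an authorized_keys file read from stdin.
count_sk_keys() {
  n=0
  while IFS= read -r line; do
    is_sk_pubkey "$line" && n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample authorized_keys content (key blobs are placeholders, not real keys).
SAMPLE_AUTHORIZED_KEYS='sk-ssh-ed25519@openssh.com AAAAexample1 laptop
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAexample2 mail
ssh-ed25519 AAAAexample3 old-software-key'

if [ "${SK_DEMO:-0}" = 1 ]; then
  eval "$(sk_keygen_cmd resident "$HOME/.ssh/id_ed25519_sk_mail")"  # PIN and touch on the token
  eval "$(sk_keygen_cmd nonresident "$HOME/.ssh/id_ed25519_sk")"    # key handle lives in this file
  ssh-keygen -K   # re-download resident keys from the token (asks for the PIN), e.g. after a reinstall
fi
```

A resident key survives loss of the disk but not a FIDO reset of the token; a non-resident key survives neither a reset nor loss of its private key file.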
