Edit 2023-03-03: This is now written in long-form at https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/
The original version is retained below.
ykman from the yubikey-manager package
libykcs11 from the yubico-piv-tool package
. {
    forward . tls://2a07:a8c0::ae:9cfd tls://2a07:a8c1::ae:9cfd tls://45.90.28.178 tls://45.90.30.178 8.8.8.8 8.8.4.4 {
        tls_servername dns01-ae9cfd.dns.nextdns.io
        policy sequential
    }
    cache {
        success 12800 86400 300
        denial 12800
        prefetch 25
        serve_stale 24h
    }
}
{ config, pkgs, ... }:
{
  environment.etc = {
    "ssh/ca.pub".text = ''
      ssh-rsa ...
    '';
  };
  services.openssh.extraConfig =
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>net.jamesog.takeabreak</string>
    <key>Program</key>
    <string>/usr/bin/say</string>
    <!-- launchd.plist(5) spells this key ProgramArguments; launchd ignores an unknown ProgramArgs key -->
    <key>ProgramArguments</key>
    <array>
#!/bin/sh
#
# PROVIDE: tailscaled tailscale
# REQUIRE: NETWORKING

. /etc/rc.subr

name="tailscaled"
rcvar="${name}_enable"
All other guides I've seen (https://github.com/drduh/YubiKey-Guide being the most prolific) tell you to use the YubiKey's OpenPGP smartcard applet with GnuPG and expose the key to SSH through gpg-agent's ssh-agent emulation.
STOP THE MADNESS!
OpenSSH has had native PKCS#11 support since version 5.4, and OpenSC ships a PKCS#11 module that talks to the YubiKey's PIV applet. This means that all you need to do is install OpenSC and point SSH at its module (ssh -I, ssh-add -s, or PKCS11Provider in ssh_config) as your identity; no gpg-agent is involved.
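The OpenSC-only workflow described above, as an added example that is not part of the original post. It uses only OpenSSH's own PKCS#11 interfaces (ssh-keygen -D, ssh-add -s, ssh -I and the PKCS11Provider option, all present since OpenSSH 5.4). The search directories and the module file name opensc-pkcs11.so are assumptions matching common Debian, Fedora and Homebrew layouts; adjust them for your system.

```shell
#!/bin/sh
# Added example (not from the original post): drive OpenSSH's built-in PKCS#11
# support with the OpenSC module, no gpg-agent involved. The ssh-keygen -D,
# ssh-add -s, ssh -I and PKCS11Provider interfaces all exist in OpenSSH >= 5.4.
# The search directories and the module file name are assumptions: they match
# common Debian/Fedora/Homebrew layouts but may differ on your system.

# find_pkcs11_module DIR...: print the first opensc-pkcs11.so found under the
# given directories (directly or in a pkcs11/ subdirectory); exit 1 if none.
find_pkcs11_module() {
    for dir in "$@"; do
        for candidate in "$dir/opensc-pkcs11.so" "$dir/pkcs11/opensc-pkcs11.so"; do
            if [ -f "$candidate" ]; then
                printf '%s\n' "$candidate"
                return 0
            fi
        done
    done
    return 1
}

# ssh_config_stanza MODULE: ssh_config text that makes every ssh invocation
# offer the keys on the token, so no per-command -I flag is needed.
ssh_config_stanza() {
    printf 'Host *\n    PKCS11Provider %s\n' "$1"
}

# show_workflow: print the commands that replace the gpg-agent dance, using
# whichever OpenSC module is installed on this machine.
show_workflow() {
    module=$(find_pkcs11_module /usr/lib/x86_64-linux-gnu /usr/lib64 /usr/lib \
                                /usr/local/lib /opt/homebrew/lib) || {
        echo "opensc-pkcs11.so not found: install OpenSC first" >&2
        return 1
    }
    cat <<EOF
# 1. Read the public key(s) off the token; append to authorized_keys on servers.
ssh-keygen -D $module
# 2. Load the token into the running agent (prompts for the PIV PIN once).
ssh-add -s $module
# 3. Or use it for a single connection without the agent.
ssh -I $module user@host
# 4. Or make it permanent in ~/.ssh/config:
EOF
    ssh_config_stanza "$module"
}

if [ "${1:-}" = "--show" ]; then
    show_workflow
fi
```

Run it with `--show` to print the commands for the module found on your machine. Two caveats worth knowing: ssh-add -s needs a running ssh-agent, and since OpenSSH 8.9 the agent only loads PKCS#11 providers from an allow-list (ssh-agent -P, defaulting to /usr/lib*/* and /usr/local/lib*/*), so a module installed elsewhere fails with "agent refused operation" until you start the agent with a matching -P.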
package main

import (
	"context"
	"database/sql"
	"log"
	"net/http"

	_ "github.com/lib/pq"
)
#!/bin/sh
# siteadmin.sh
# Created 2005/01/07 by James O'Gorman <james@netinertia.co.uk>
#
# This script automatically creates directory structures and config file
# entries needed for a new website.
# It can also be used to clean up (remove) those entries when a website is
# no longer needed.
#
Copyright (c) 1992-2014 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015
    root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
CPU: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz (2500.08-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x306f2  Family = 0x6  Model = 0x3f  Stepping = 2
  Features=0xf8bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,SS>