Use HCL, not YAML.
# Ensure blocks group actions
ensure "Foo service" {
  package "foo" {
{ config, pkgs, ... }:
{
  environment.etc = {
    "ssh/ca.pub".text = ''
      ssh-rsa ...
    '';
  };
  services.openssh.extraConfig =

#!/bin/sh
#
# PROVIDE: tailscaled tailscale
# REQUIRE: NETWORKING

. /etc/rc.subr

name="tailscaled"
rcvar="${name}_enable"
All other guides I've seen (https://github.com/drduh/YubiKey-Guide being the most prolific) tell you to use the Yubikey's smartcard (PKCS#11) features with GnuPG via gpg-agent.
STOP THE MADNESS!
OpenSSH has supported OpenSC since version 5.4. This means that all you need to do is install the OpenSC library and tell SSH to use that library as your identity.
Edit 2023-03-03: This is now written in long-form at https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/
The original version is retained below.
ykman from the yubikey-manager package
yubico-piv-tool package

{
    forward . tls://2a07:a8c0::ae:9cfd tls://2a07:a8c1::ae:9cfd tls://45.90.28.178 tls://45.90.30.178 8.8.8.8 8.8.4.4 {
        tls_servername dns01-ae9cfd.dns.nextdns.io
        policy sequential
    }
    cache {
        success 12800 86400 300
        denial 12800
        prefetch 25
        serve_stale 24h