We talk about #mfa all over #infosec - but even commodity items like the YubiKey aren't as easy as we need them to be. There's been TONS of progress on the non-IT/Dev user-facing side, but it's very messy elsewhere. Example: SSH Auth. 🧵 1/
3 general approaches to using a security key for SSH: FIDO2, GPG (the OpenPGP card applet), and PIV. Each has pros and cons and different levels of supportability. First, let's talk FIDO2. 2/
OpenSSH brought in FIDO2 security key support in Feb 2020 (wow, that seems like a decade ago...) in version 8.2. Uptake is still not great across the board. Example: the OpenSSH that Apple bundles with macOS is built without security key support, even in their latest builds, so it doesn't work out of the box. developer.apple.com/forums/thread/… 3/
To fix macOS you need to do shenanigans (e.g., swapping in a non-Apple OpenSSH build) that might or might not affect Keychain integration and other neat macOS stuff. Buyer beware. I would argue that macOS's developer community is huge, so this is a great place to get it fixed quickly. The story is no better on Linux. 4/
RHEL 7/8 ship an OpenSSH older than the required 8.2, and those plus CentOS (RIP) are some of the most popular distributions in the enterprise. Ubuntu has had it since 20.04, so good on them. So, sup with GPG? 5/
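The version-number check above is not the whole story: Apple's stock build reports a version well past 8.2 but still cannot make `-sk` keys. The quick way to know whether the client in front of you can actually do FIDO2 is to check both the version and the key types the binary was compiled with (`ssh -Q key` only lists `sk-*` types when OpenSSH was built with security key support). This is an added example, not code from the thread; the version strings and key-type lists in the test data are constructed to resemble Ubuntu 20.04, RHEL 8 and a stock macOS build, and `check_local_ssh` runs the same logic against whatever `ssh` is installed.

```shell
#!/bin/sh
# Added example: can this OpenSSH client do FIDO2 security keys?
# Two things must hold: version >= 8.2, and the binary must have been built
# with security key support (otherwise `ssh -Q key` lists no sk-* types).

# sk_version_ok "<output of ssh -V>"  -> 0 if the version is OpenSSH 8.2 or newer
sk_version_ok() {
    # `ssh -V` looks like "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 ...";
    # pull out "major minor" and compare numerically.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# sk_types_present "<output of ssh -Q key>" -> 0 if an sk-* key type is listed
sk_types_present() {
    printf '%s\n' "$1" | grep -q \
        -e '^sk-ssh-ed25519@openssh.com$' \
        -e '^sk-ecdsa-sha2-nistp256@openssh.com$'
}

# sk_supported "<ssh -V output>" "<ssh -Q key output>"
# Prints a verdict; returns 0 only when both checks pass.
sk_supported() {
    if ! sk_version_ok "$1"; then
        echo "no: not OpenSSH 8.2 or newer: $1"
        return 1
    fi
    if ! sk_types_present "$2"; then
        echo "no: version is new enough, but no sk-* key types are compiled in (built without security key support)"
        return 1
    fi
    echo "yes: ssh-keygen -t ed25519-sk should work with this client"
    return 0
}

# Live check against the installed client. `ssh -V` prints to stderr.
check_local_ssh() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not found on PATH"; return 2; }
    sk_supported "$(ssh -V 2>&1)" "$(ssh -Q key 2>/dev/null)"
}

check_local_ssh || :
```

If the verdict is "no" on macOS, the fix the thread is talking about is a third-party OpenSSH build; on RHEL 7/8 it is a newer OpenSSH than the distro ships.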
GPG is fun, but it also requires third-party tooling that isn't available right out of the box. Configuring your hosts to use GPG keys isn't straightforward at all (e.g., developer.okta.com/blog/2021/07/0…), and you're likely to end up with private keys accidentally lying all over the filesystem during setup. 6/
I am also a big @Windows fan and do a lot of non-work work on there. GPG on Windows is mixed, and trying to get it running + YubiKey + Windows Subsystem for Linux (WSL) is also not for the faint of heart. Check this out if you're curious: thetestspecimen.com/posts/wsl2-yub… 7/
Last? PIV (Personal Identity Verification). This is one of those technologies that not many people know much about unless they've worked in government/defense circles, where it's used extensively. The good news is those places bring lots of money, so support for the tech is pretty good... 8/
PIV support for UI-native stuff is pretty decent compared to 10 years ago, but the CLI is a mess. Lots of identifying the correct PKCS11Provider (the PKCS#11 module path OpenSSH should load) for your combination of client OS + SSH software. Then making sure you have it set up to always use that provider with each destination. 9/
This gets very murky on Windows, and I had to use a custom SSH agent across all the apps: github.com/buptczq/WinCry…. It also has a hilarious problem for anyone who DOES work in the fed/defense space where you have a PIV/CAC... 10/
OpenSSH has a very good server-side setting (MaxAuthTries in sshd_config, default 6) that does exactly what it sounds like: it limits authentication attempts, and every public key the client offers counts as one. When you have a CAC/PIV + a security key with PIV set up, you're going to blow through the default MaxAuthTries and will need to make some client-side ssh_config tweaks. 11/
Not a big deal, but you have to specify the exact public key to use per host (IdentitiesOnly + IdentityFile). When there are lots of hosts you shove it in the default Host * block, and then you cannot connect to boxes you haven't set your key up on yet without long CLI syntax you always have to look up. 12/
In other words, every single option from FIDO2, GPG, and PIV is just not that great for doing something as simple as #MFA over SSH on the major platforms. This isn't making the security poverty line any better in my mind. (h/t @nohackme / @meansec for that line.) 13/
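The ssh_config shape that avoids the MaxAuthTries problem, as an added example that is not from the thread: pin one identity per host with IdentitiesOnly, and keep the provider in the catch-all block so unconfigured boxes still work. The host names, user, and key file name are made up, and the PKCS#11 module path is the OpenSC location on Debian/Ubuntu; yours depends on the OS and which PKCS#11 library you installed.

```sshconfig
# Per-host pin: offer exactly one key and ignore everything else the agent
# and the PKCS#11 module hold, so a CAC plus a YubiKey cannot burn through
# the server's MaxAuthTries (default 6; each offered key counts as one try).
# The .pub file only has to match the key on the token; dump it once with
#   ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so > ~/.ssh/yubikey-piv.pub
Host prod-bastion
    HostName bastion.example.com
    User alice
    IdentitiesOnly yes
    IdentityFile ~/.ssh/yubikey-piv.pub

# Catch-all: load the token for every other destination, but let ssh try
# whatever keys it finds. This is the block that trips MaxAuthTries once
# the agent plus token hold more than a handful of keys.
Host *
    PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

# Equivalent one-off for a box without a Host stanza yet (the "long CLI syntax"):
#   ssh -o IdentitiesOnly=yes \
#       -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
#       -i ~/.ssh/yubikey-piv.pub alice@newbox.example.com
```

Put the specific Host blocks before Host *; ssh keeps the first value it sees for each option, so a pin in a later block would not override an earlier catch-all.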
Oh, and I forgot: the AWS CLI doesn't support the keys used in FIDO2 either: github.com/aws/aws-sdk/is… 14/
This is a lot of words complaining about my (replacement for the one UPS lost) YubiKey, but really it frustrates me that we've come so far (yay!) while we have SO SO SO very far to go to really hit the mark to democratize security and build it in from the ground floor. 15/15