Drew Church
Oct 4, 2022 · 15 tweets
We talk about #mfa all over #infosec - but even commodity items like the YubiKey aren't as easy as we need them to be. There's been TONS of progress on the non-IT/Dev user-facing side, but it's very messy elsewhere. Example: SSH Auth. 🧵 1/
3 general approaches to using a security key for SSH: FIDO2, GPG, PIV. Each has pros and cons and levels of supportability. First, let's talk FIDO2. 2/
OpenSSH brought in FIDO2 security key support in Feb 2020 (wow that seems like a decade ago...) in version 8.2. Uptake is still not great across the board. Example: macOS disables it even in their latest builds, so it doesn't work. developer.apple.com/forums/thread/… 3/
To fix macOS you need to do shenanigans that might or might not affect Keychain and other neat macOS stuff. Buyer beware. I would argue that macOS's developer community is huge, so this is a great place to get it fixed quick. Story is no better on linux. 4/
RHEL7/8 are on less than the required version, with those + CentOS (rip) being some of the most popular distributions in the enterprise. Ubuntu has since 20.04, so good on them. So, sup with GPG? 5/
GPG is fun, but also requires 3rd party tooling not available right out of the box. Configuring your hosts to run GPG keys isn't straightforward at all (e.g., developer.okta.com/blog/2021/07/0…) and is likely going to leave the private keys accidentally lying all over the FS during config. 6/
I am also a big @Windows fan, and do a lot of non-work-work on there. GPG on Windows is mixed, and trying to get it running + yubikey + Windows Subsystem for Linux (WSL) is also not for the faint of heart. Check this out if you're curious: thetestspecimen.com/posts/wsl2-yub… 7/
Last? PIV. This is one of those technologies that not many know much about unless they've worked in government/defense circles where they're used extensively. The good news is those places bring lots of money, so support is pretty good for the tech... 8/
PIV support for UI-native stuff is pretty decent compared to 10 years ago, but CLI is a mess. Lots of identifying the correct PKCS11Provider for your combination of client OS + ssh software. Then making sure you have it set up to always use that provider with each destination. 9/
This gets very murky on Windows and I had to use a custom SSH agent across all the apps - github.com/buptczq/WinCry…. It also has a hilarious problem for anyone who DOES work in the fed/defense space where you have a PIV/CAC... 10/
OpenSSH has a very good setting (MaxAuthTries) that does exactly what it sounds like - limits authentication attempts. When you have a CAC/PIV + security key with PIV set up, you're going to blow through the default MaxAuthTries and will need to make some ssh_config tweaks. 11/
Not a big deal, but you have to specify the exact public key to use per host, and when there are lots you shove it in the default, then cannot connect to boxes you haven't set your key up on yet w/o long CLI syntax you always have to look up. 12/
In other words, every single option from FIDO2, GPG, and PIV is just not that great for doing something as simple as #MFA over SSH on the major platforms. This isn't making the security poverty line any better in my mind. (h/t @nohackme / @meansec for that line). 13/
@nohackme @meansec Oh, and I forgot, AWS CLI doesn't support the keys used in FIDO2 either: github.com/aws/aws-sdk/is… 14/
@nohackme @meansec This is a lot of words complaining about my (replacement for lost by UPS) YubiKey, but really it frustrates me that we've come so far (yay!) while we have SO SO SO very far to go to really hit the mark to democratize security and build it in from the ground floor. 15/15
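The "blow through MaxAuthTries" problem from tweets 11 and 12 is worth seeing as an actual client config. This is an added example, not part of the thread or any vendor's documentation. It assumes OpenSSH 8.2 or newer on the client, an OpenSC-style PKCS#11 module (the `.so` path below is a typical Debian/Ubuntu location and varies by OS; Yubico ships its own module on macOS and Windows), a FIDO2 key already enrolled with `ssh-keygen -t ed25519-sk`, and placeholder host names. The server-side knob is `MaxAuthTries` in `sshd_config` (default 6), and every public key the client offers counts as one attempt, which is why a CAC plus a YubiKey PIV slot plus whatever is in the agent runs out of tries before the right key is reached. The client-side fix is `IdentitiesOnly yes` so only the keys named for that host are offered:

```ssh_config
# ~/.ssh/config (added example; host names and paths are placeholders)

# Hosts that already run OpenSSH >= 8.2 and accept FIDO2 (sk) keys.
# IdentitiesOnly stops ssh from also offering every PIV/CAC certificate
# the agent knows about, so we stay under the server's MaxAuthTries.
Host fido2-*.example.internal
    IdentityFile ~/.ssh/id_ed25519_sk
    IdentitiesOnly yes

# Hosts where only PIV works (older OpenSSH on the server, or policy).
# PKCS11Provider path is OS- and distro-specific; this is the Debian/Ubuntu
# OpenSC location and is an assumption for the example.
Host piv-*.example.internal
    PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    IdentitiesOnly yes

# Catch-all for boxes not yet set up for either key. Putting the sk key
# here reproduces the thread's complaint: with IdentitiesOnly on the
# default, a host that does not know this key will reject it and you end
# up typing the long "-o IdentitiesOnly=yes -i <key>" form at the CLI.
# Leaving IdentitiesOnly off here lets ssh fall through to the agent,
# at the cost of offering more keys (and more MaxAuthTries consumption).
Host *
    IdentityFile ~/.ssh/id_ed25519_sk
    # IdentitiesOnly yes   # enable once every target has the sk key enrolled
```

To see which keys ssh would actually offer a given host after applying the config, `ssh -G fido2-build01.example.internal | grep -iE 'identityfile|identitiesonly|pkcs11provider'` prints the resolved options without connecting; on the server side, a failed connection that stops with "Too many authentication failures" in the sshd log is the signature of this problem rather than a bad key.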