Feature request – integrate U2F / FIDO2 into gpg-agent for use as ssh-agent
There is some discussion of using a YubiKey for FIDO with ssh, but not using the crypto card function:
https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-sec...
Which, if you read the comments, I consider to be retrograde. Apart from Google Chrome, there's not a lot of support for FIDO2 out there. Is it possible to get this on a roadmap somewhere? My argument is that the use of the YubiKey with gpg-agent as the ssh-agent already has 3 factors:
- a PIN (actually a passphrase) to unlock the card
- the private key is kept in the device itself
- you can program the YubiKey to require a touch for signing and decryption
Is this remotely feasible?
Support Staff 1 Posted by Luke Le on 10 Jul, 2020 07:58 AM
Hi Michael,
I do believe that this might in fact be already possible.
Did you come across this article in your research?
https://zeos.ca/post/2018/gpg-yubikey5/
Hope that helps.
2 Posted by George Wayne on 10 Jul, 2020 09:52 AM
You would be better off switching from gpg-agent to FIDO2 U2F authentication. The author in this blog post clearly points out the benefits.
Support Staff 3 Posted by Luke Le on 20 Jul, 2020 04:05 PM
Hi Michael,
In addition, it appears that this is now supported out of the box by SSH itself using a YubiKey: https://buttondown.email/cryptography-dispatches/archive/cryptograp...
Steve closed this discussion on 30 Jul, 2020 01:03 PM.