
README: update ssh pitfalls for sk-ssh-* keys and update mine. #163

Open
wants to merge 2 commits into master

Conversation

Janik-Haag
Member

I updated the README.md ssh-key part and decided to swap to a separate ssh-key for not trusted builders, so I updated my key as well. Sorry for the trouble.

@Janik-Haag Janik-Haag changed the title README: update ssh pitfalls for sk-ssh-* keys README: update ssh pitfalls for sk-ssh-* keys and update mine. Aug 10, 2023

> unable to open SSH connection to
> 'ssh://[email protected]': cannot connect to
> '[email protected]'; trying other available
> machines...

You should also avoid keys generated with u2f-devices (f.e. yubikeys) like a sk-ssh-ed25519 since you have to press the presence button for every single package build on a remote server.
Contributor

IIRC this isn't an issue if ControlMaster/ControlPersist ssh settings are used?

Member Author

It didn't work when setting them in my user ssh config; it might work when setting it system-wide or for the root user. I can try that if you want me to.
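For reference, the ControlMaster/ControlPersist settings discussed in the two comments above, as an added example that is not part of this PR or anyone's posted config. It writes one multiplexing stanza for a builder host and checks that the stanza is present; the host name `builder.example`, the user `nixbuilder` and the `ControlPath` location are assumptions. Which file the stanza has to live in is the point raised above: connections made by the daemon are opened as root, so a stanza in an unprivileged user's `~/.ssh/config` is never consulted, and `/root/.ssh/config` or `/etc/ssh/ssh_config` is where it would need to go.

```shell
#!/bin/sh
# Added example (not from the PR): an ssh_config stanza that multiplexes all
# connections to a remote builder over one authenticated master session, so
# a batch of remote builds needs a single key presence check instead of one
# per build. Host, user and ControlPath are assumptions.
set -eu

# Append a multiplexing stanza for builder $2 to the ssh config file $1.
# For nix-daemon builds the file must be root's config, e.g.
# /root/.ssh/config or /etc/ssh/ssh_config, not the login user's.
write_mux_config() {
  cfg="$1"
  builder="$2"
  cat >> "$cfg" <<EOF
Host $builder
    User nixbuilder
    # Open one real TCP/auth session per host; later ssh invocations
    # (each remote build) attach to it through the control socket.
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    # Keep the master alive 10 minutes after the last client exits, so
    # back-to-back builds never re-authenticate.
    ControlPersist 10m
EOF
}

# Return 0 when file $1 carries a stanza for host $2 with both control
# directives, 1 otherwise (a cheap sanity check before relying on it).
has_mux_config() {
  grep -q "^Host $2\$" "$1" &&
  grep -q '^ *ControlMaster auto' "$1" &&
  grep -q '^ *ControlPersist' "$1"
}
```

Once the stanza is in place, `ssh -G builder.example` (run as the same user the daemon uses) prints the effective `controlmaster`/`controlpersist` values and is the quickest way to confirm the file being edited is the one actually read.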

@emilylange
Member

Hope I can provide some useful input:

You can generate FIDO ssh keys (sk-ssh-*), with the no-touch-required flag -- which, as the name suggests, do not require presence checks but instead just need the device to be plugged in.

e.g. ssh-keygen -t ed25519-sk -O no-touch-required
and then prefix the public key with no-touch-required in the authorized_keys file.
e.g. no-touch-required [email protected] <...>

I am using keys like that for remote nix stuff in a few places.

See https://man.openbsd.org/ssh-keygen.1#no-touch-required~2
and https://man.openbsd.org/sshd.8#no-touch-required
