Re: Resident keys?

On Feb 18, 2020, at 12:46 AM, Gabriel Kihlman <gk@xxxxxxxx> wrote:
>> I tried using “change-pin” in yubico-piv-tool, but that didn’t seem to
>> make a difference. I still got the same error after successfully
>> changing the PIN.
> 
> That PIN is for the PIV application on the yubikey.
> 
> Use "ykman fido set-pin" instead using the Yubikey Manager.


Ah - that was it, thanks very much!

After setting the PIN this way, I was able to get “ssh-keygen -K” and “ssh-add -K” to work, and was also able to use “ykman fido list” to see the list of installed resident keys.

With OpenSSH, is there a way to use a resident key without actually reading it out of the token if you provide the username and application to identify which key you want to use, or do you need to actually provide the PIN every time? I understand you can use ssh-agent to mitigate this and only provide the PIN when loading the keys into the agent, but generally that would still mean providing the PIN every time you signed on to the machine running the SSH client. I’m just wondering if there are any options to be able to use a key with only physical access to it.
-- 
Ron Frederick
ronf@xxxxxxxxxxxxx



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



