Git security tip!
You might know that you can use a YubiKey or similar hardware key to store your SSH key... but forges like GitHub identify you by your public key, so you can only secure access to one GitHub account with a single key... not!
If you use ed25519-sk keys, you can have as many as you want!
The traditional OpenPGP Card setup can only store a few keys per YubiKey (only one of which is usually set up for signing/authentication), but using the newer FIDO2 ed25519-sk flow, the keys are stored "wrapped" outside your token so you can have an unlimited number.
There's a small catch though: With OpenPGP you can secure your key with a PIN/password verified on the token, and enter the PIN once to unlock it on first use, then just touch it for every authentication (until disconnect or reboot).
With ed25519-sk you can either require a PIN every time, or not at all.
You can still encrypt the "wrapped" key on your computer (that's what the new passphrase that ssh-keygen asks for does), but then that passphrase is checked on the computer so there's no attempt limit.
My personal hack is to use both. Encrypt the ed25519-sk private token with OpenPGP, cache it only in RAM when loading it into ssh-agent.
I wish FIDO2 had a "cached PIN/persistence" mode though!
Edit: I'm being told resident mode can do what I want but it didn't work when I tried it... will update if I figure it out!
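
A sketch of the setup described above, as an added example that is not from the original post: one ed25519-sk key handle per GitHub account on the same token, a Host alias per account, and one possible way to keep a handle OpenPGP-encrypted on disk and load it into ssh-agent through a pipe. The account names, file paths, Host aliases and function names are assumptions for illustration.

```shell
# Added example. Names, paths and aliases below are illustrative assumptions.
KEY_DIR="${KEY_DIR:-$HOME/.ssh}"

# Path of the key handle ("wrapped" key file) for one account.
key_path() { printf '%s/id_ed25519_sk_github_%s' "$KEY_DIR" "$1"; }

# Create a new ed25519-sk key for one account (token must be plugged in).
# Second argument "yes" (default) adds -O verify-required, so the token asks
# for its PIN on every use; "no" leaves touch as the only check.
gen_sk_key() {
    pin_opt=""
    [ "${2:-yes}" = yes ] && pin_opt="-O verify-required"
    # $pin_opt is left unquoted on purpose so it splits into two arguments.
    ssh-keygen -t ed25519-sk $pin_opt -C "github-$1" -f "$(key_path "$1")"
}

# Print an ssh_config stanza that pins one alias to one key.
# IdentitiesOnly stops ssh from offering the other accounts' keys first,
# which matters because the forge picks the account from the key offered.
ssh_config_stanza() {
    cat <<EOF
Host github-$1
    HostName github.com
    User git
    IdentityFile $(key_path "$1")
    IdentitiesOnly yes
EOF
}

# Load a key handle that is stored OpenPGP-encrypted as <key_path>.gpg.
# gpg writes the plaintext to a pipe and ssh-add reads it from stdin ("-"),
# so the decrypted handle is not written back to disk.
load_encrypted_sk_key() {
    gpg --quiet --decrypt "$(key_path "$1").gpg" | ssh-add -
}

# Typical use (run by hand, once per account):
#   gen_sk_key work yes
#   ssh_config_stanza work >> ~/.ssh/config
#   git clone github-work:example-org/example-repo.git
```

Upload each account's `.pub` file to the matching GitHub account; the alias in the clone URL then selects which key is offered.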