yubikey, ssh

Submitted by Nothing2Do.fr on

add key from yubikey for <sec> seconds : ssh-add -K -t <sec>
generate a key on the yubikey (files are also saved on the PC during the operation; don't forget to save the public key! the private key is on the yubikey with "-O resident", and the "-sk" private key file is useless without it) : ssh-keygen -t ed25519-sk -O resident -O application=ssh:YourTextHere -O verify-required
login with yubikey : you cannot imagine the joy of logging in without passwords!!!


scp -i .ssh/id_ecdsa .ssh/id_ed25519_sk.pub nothing2do.eu@ssh-nothing2do.eu.alwaysdata.net:~/yubikey.pub : copy the local key id_ed25519_sk.pub to yubikey.pub on the alwaysdata server, using id_ecdsa to authenticate

protect sudo with yubikey : full protection (without the yubikey, it even asks me for the password!), register a yubikey for login : "pamu2fcfg -n >> ~/.config/Yubico/u2f_keys"

yubikey for encrypted disk :

1. Configure your YubiKey to use challenge-response mode:
   "$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible"
2. Find a free LUKS slot to use for your YubiKey:
   "$ lsblk"
   "$ sudo cryptsetup luksDump /dev/nvme0n1p3"
3. Enroll the YubiKey in that slot: sudo yubikey-luks-enroll -d /dev/nvme0n1p3 -s 1
4. /etc/crypttab : nvme0n1p3_crypt UUID=[uuid-here] none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
5. /etc/ykluks.cfg : YUBIKEY_CHALLENGE="[your new passphrase here]"
6. sudo update-initramfs -u
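A typo in the /etc/crypttab line from step 4 is only discovered at the next boot, when the initramfs cannot unlock the root volume. The following script is an added example (not part of these notes or of yubikey-luks): it checks that a crypttab entry has the shape used above (four fields, UUID= source, "none" keyfile, "luks" and the ykluks keyscript in the options) before you run update-initramfs. The sample entries at the bottom are constructed; the keyscript path is the one from step 4.

```shell
#!/bin/sh
# check_crypttab_line "<one line of /etc/crypttab>"
# Returns 0 when the entry matches the yubikey-luks layout, 1 (with a reason) otherwise.
check_crypttab_line() {
    line=$1
    # crypttab fields: target  source  keyfile  options
    set -- $line
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#"; return 1; }
    target=$1; source=$2; keyfile=$3; options=$4
    # Require the UUID= form used in the notes (shape check only): device names can change.
    case "$source" in
        UUID=????????-????-????-????-????????????) ;;
        *) echo "source must be UUID=<uuid> (got $source)"; return 1 ;;
    esac
    # With a keyscript the keyfile field must be 'none'; a real path would bypass the YubiKey.
    [ "$keyfile" = "none" ] || { echo "keyfile must be 'none' when a keyscript is used (got $keyfile)"; return 1; }
    case ",$options," in
        *,luks,*) ;;
        *) echo "options must include 'luks'"; return 1 ;;
    esac
    case ",$options," in
        *,keyscript=/usr/share/yubikey-luks/ykluks-keyscript,*) ;;
        *) echo "options must include keyscript=/usr/share/yubikey-luks/ykluks-keyscript"; return 1 ;;
    esac
    return 0
}

# Constructed sample entries (the UUID is made up).
GOOD='nvme0n1p3_crypt UUID=12345678-1234-1234-1234-123456789abc none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript'
BAD_NOSCRIPT='nvme0n1p3_crypt UUID=12345678-1234-1234-1234-123456789abc none luks,discard'
BAD_SOURCE='nvme0n1p3_crypt /dev/nvme0n1p3 none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript'

for entry in "$GOOD" "$BAD_NOSCRIPT" "$BAD_SOURCE"; do
    if check_crypttab_line "$entry"; then echo "ok:  $entry"; else echo "bad: $entry"; fi
done
```

To check the real file, run the function over each non-comment line of /etc/crypttab, for example with `grep -v '^#' /etc/crypttab | while read -r l; do check_crypttab_line "$l"; done`.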

"best" help site Yubikey Manager (ykman, from yubico) protect sudo with yubikey :