Clarify FIDO2 key limitations

2026-05-14 13:59:11 +02:00
parent 231a769de5
commit 031eab1b27


@@ -68,7 +68,9 @@ Risks taken (disclaimer):
Instead of PIV, we use FIDO2 slots on Yubikey to generate resident (i.e. Instead of PIV, we use FIDO2 slots on Yubikey to generate resident (i.e.
stored solely on Yubikey itself) SSH keys using modern OpenSSH client built-in stored solely on Yubikey itself) SSH keys using modern OpenSSH client built-in
FIDO2 support. This doesn't need an agent or a background daemon. FIDO2 support. This doesn't need an agent or a background daemon. The lack of
agent however means that these keys can not be forwarded to remote host for
further SSH, Git signing or push.
To generate a new key: To generate a new key:
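Review bot: the added sentence overstates the limitation and reads ambiguously next to the sentence before it: "This doesn't need an agent" describes a convenience, while "The lack of agent however means that these keys can not be forwarded" presents the absence of an agent as a property of the keys rather than of this setup. Since this section sits under "Risks taken (disclaimer)", state it as the deliberate trade-off it is, e.g. "Because this setup runs no ssh-agent, the keys cannot be forwarded to a remote host for onward SSH, Git signing or push." While here, fix the grammar: "an agent", "cannot", "a remote host".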
@@ -103,8 +105,9 @@ Host deimos
### Commit signing ### Commit signing
Use SSH keys (from Apple SE and Yubikey) to sign commits. Make sure to generate Use SSH keys (from Apple SE and Yubikey) to sign commits. Make sure to generate
a different set of keys for signing than the one you use for authentication. Add a different set of keys for signing than the one you use for authentication, to
`-O application=ssh:git-signature` to mark the key for signing (personal decouple authentication from authorization and reduce key leakage blast radius.
Add `-O application=ssh:git-signature` to mark the key for signing (personal
convention). convention).
### AGE encryption ### AGE encryption
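Review bot: "decouple authentication from authorization" misnames what the second key set does; the section is about commit signing, and a signing key attests to who produced a commit, it does not authorize anything. Say what the text actually means, e.g. "to keep the authentication and signing identities separate and reduce the blast radius of a leaked key." The rationale is a good addition; the rest of the paragraph and the `-O application=ssh:git-signature` convention read fine.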