automotiveMastermind / prompt

A spectacular prompt for *nix distributions.
MIT License

macOS: security keys -- how do we want to support them? #65

Open dmccaffery opened 4 years ago

dmccaffery commented 4 years ago

The macOS ssh-agent does not support security key algorithms (ed25519-sk and ecdsa-sk) out of the box. We currently support yubikeys by configuring the PGP module within the ssh-agent, but this requires the use of the aging rsa algorithm.

We have a few options:

  1. keep it the way it is for now and hope that macOS adds future support for sk algos
  2. We could support yubikeys via fido by disabling the default ssh-agent and replacing it with OpenSSH > 8.2, which has native support for sk algos -- this would bring macOS in line with our linux counterparts

I'd like to know what others think. Is anyone else using security keys besides me?
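An added example, not code from the prompt project or its authors: a POSIX shell check for whether the `ssh` found in PATH is an OpenSSH build that can use FIDO security keys, i.e. version 8.2 or later (the release that introduced the sk key types) whose `ssh -Q key` list includes the `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com` types. The two sample type lists are constructed for illustration; the `/opt/homebrew/bin` path and the `--check` flag are assumptions for this example.

```shell
# Added example (not from the prompt project): check whether the ssh in PATH
# can use FIDO security keys (ed25519-sk / ecdsa-sk).

# Constructed sample outputs of `ssh -Q key`, one type per line.
SAMPLE_SK_TYPES='ssh-ed25519
sk-ssh-ed25519@openssh.com
ecdsa-sha2-nistp256
sk-ecdsa-sha2-nistp256@openssh.com
rsa-sha2-512'

SAMPLE_OLD_TYPES='ssh-ed25519
ecdsa-sha2-nistp256
ssh-rsa'

# Return 0 if an "OpenSSH_X.Y..." version string (as printed by `ssh -V`)
# is 8.2 or later, the first release with native sk key support.
ssh_version_ge_8_2() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Return 0 if a key-type list (the output of `ssh -Q key`) contains both
# FIDO key types; the version check alone does not prove the build was
# compiled with security-key support.
sk_key_types_supported() {
    printf '%s\n' "$1" | grep -q '^sk-ssh-ed25519@openssh.com$' &&
    printf '%s\n' "$1" | grep -q '^sk-ecdsa-sha2-nistp256@openssh.com$'
}

# Probe the ssh that the shell would actually run. On macOS with a Homebrew
# OpenSSH installed (assumption: /opt/homebrew/bin), that directory must
# precede /usr/bin in PATH for the newer binary to be picked up.
check_local_ssh() {
    ver=$(ssh -V 2>&1)              # ssh prints its version on stderr
    types=$(ssh -Q key 2>/dev/null)
    if ssh_version_ge_8_2 "$ver" && sk_key_types_supported "$types"; then
        echo "ok: $(command -v ssh) ($ver) supports ed25519-sk and ecdsa-sk"
    else
        echo "no sk support: $(command -v ssh) ($ver)"
        return 1
    fi
}

# Usage: sh sk-check.sh --check
if [ "${1-}" = "--check" ]; then
    check_local_ssh
fi
```

If the check passes, a security-key-backed key can be generated with `ssh-keygen -t ed25519-sk`, which needs the key plugged in and touched; the key's private half never leaves the token, only a handle is written to disk. If the check fails on macOS, the system `/usr/bin/ssh` is being used and a newer OpenSSH must come first in PATH (and any agent that should load the key must be that newer `ssh-agent`, not the built-in one).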

patrickserrano commented 4 years ago

@dmccaffery are there any obvious downsides to replacing the ssh-agent?

Apple seems to have a history of letting the built-in cli tools lag. So I'm hesitant to say we should continue to use a less secure algorithm in the hopes Apple will ship support soon.

dmccaffery commented 4 years ago

> @dmccaffery are there any obvious downsides to replacing the ssh-agent?
>
> Apple seems to have a history of letting the built-in cli tools lag. So I'm hesitant to say we should continue to use a less secure algorithm in the hopes Apple will ship support soon.

Apple lags due to licensing restrictions on the upstreams. Not sure why OpenSSH is lagging behind, specifically, other than that it works for their use cases around Xcode as a development platform.

I'm all for replacing the built-ins; just wanted to get everyone's opinions.

sjk07 commented 3 years ago

I am not currently using a security key... although I have thought about getting one a bunch of times

I do think security is important. If we are willing to support them for the time being (one of us has a vested use case), then we should implement something that can and will work now.

dmccaffery commented 3 years ago

I might have time this weekend to work on a POC to see what this looks like on macOS -- see what others think once implemented. @sjk07 : you should definitely get a key -- I use this guide (mostly): https://github.com/drduh/YubiKey-Guide

sjk07 commented 3 years ago

I ended up folding and buying a Yubikey or two 😜

I'll follow the above; let's find a way to support this correctly.

github-actions[bot] commented 3 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

sjk07 commented 3 years ago

Bumping this. I have a key but have not set up anything via the terminal; I think this would be an awesome thing to have.