blinksh / blink

Blink Mobile Shell for iOS (Mosh based)
https://blink.sh
GNU General Public License v3.0

Yubikey support through USB-C #635

Closed jwr closed 2 years ago

jwr commented 5 years ago

On the new iPad Pro, there is a USB-C port. If it exposes HID, it might be possible to support Yubikeys and other similar devices (like smartcards).

On a Mac or Linux, I use the GPG keys stored on a Yubikey for SSH authentication. This is very secure and works well. I would love to use the same setup on an iPad.

Specifically, I'd like to have Blink with a built-in gpg-agent which supports smartcards and yubikeys, to get a setup like this: https://github.com/drduh/YubiKey-Guide

yury commented 5 years ago

Did research on the iOS API and couldn't find anything that gives access to a USB flash drive. Maybe Apple can give access to certified partners (works with iPhone).

If you find any app that could read flash drive in app store, please let me know.

jwr commented 5 years ago

Hmm, but why would you need usb flash drive (storage) access? From what I understand, the YubiKey is a HID device, and since third-party USB keyboards work great, perhaps it could be made to work as well.

yury commented 5 years ago

Hi @jwr,

Yep, totally didn't understand how it works from the start. Sorry.

But they don't ship to Russia :(

jwr commented 5 years ago

Hmm, their website says they have a distributor in Russia: https://www.yubico.com/store/resellers/

treyharris commented 5 years ago

Just some ancillary info that may be helpful here:

For discussion of the general issue of what the USB-C port makes possible, see this post on the Yubikey subreddit.

Apparently for OTP, it can work without specific support because it implements the keyboard HID. This should already work for Blink, but is not the kind of usage discussed in the GPG/SSH doc linked in the OP. That usage requires FIDO bidirectional communication.

For its Titan Key supporting U2F, Google makes an iOS app called Smart Lock. The existence of this app suggests that Apple-blessed apps can access the necessary external resources.

The Yubikey demo site will let you test OTP, FIDO and other protocols on various devices. A link that's been hidden a bit points to their page for testing U2F.

Hope some of this background helps.

yury commented 5 years ago

Status update:

I got keys (thanks @carloscabanero). We need a special SDK from Yubikey to be able to do something with them. We sent a request, but no response yet.

ltning commented 5 years ago

@yury I don't think you need a special SDK in order to use the OpenPGP card. Plain GnuPG (1 or 2, with 2 preferred) should be able to talk to it. The U2F, OTP, etc. parts are not interesting for SSH key support. Use ykpersonalize on a computer to set it to the correct USB mode, use gnupg to create or load a key. Note that you either have to place the PUBLIC key at some internet-reachable URL and edit the key (gpg --card-edit) to stick that URL on the yubikey itself, OR have a facility to load that public key on the iDevice. The public key DOES NOT automatically follow the YK, only the private key is stored there.

jwr commented 5 years ago

I could contribute a little money each month to the development of YubiKey+OpenPGP support for Blink. Is there a way to do this?

Harwood commented 5 years ago

https://www.yubico.com/product/yubikey-5ci

Last week Yubico launched the 5Ci with Lightning and USB-C support.

yury commented 5 years ago

I have submitted the application for the SDK one more time.

yury commented 5 years ago

Current status


jwr commented 5 years ago

So, what next? Did you try to appeal? Should we all start writing annoyed E-mails to YubiKey?

RyanMorash commented 5 years ago

Yubico’s iOS SDK is available at https://github.com/Yubico/yubikit-ios. You just need to contact them to have Apple whitelist the app. However, it does mention in the FAQ that “The USB-C type iOS devices, such as the iPad Pro 3rd generation, have limited support when using the YubiKey 5Ci or another type of YubiKey with USB-C connector. The OS is not officially supporting external accessories on these devices.”

ltning commented 5 years ago

Which YubiKey is used is not important. Any of them with OpenPGP support will work the same way; the only difference being that you'll need the Lightning-to-USB or C-to-A dongle. So please don't get hung up on the YubiKey model, and the SDK is probably not required either. GnuPG with libusb and its plain CCID support has all you need. The SDK is probably only needed if libusb isn't permitted, and even then I'm not sure it's useful.

mahnouel commented 5 years ago

Is this still being looked into?

udf2457 commented 4 years ago

https://www.yubico.com/product/yubikey-5ci .... please please please.

Thank you. ;-)

The specs state " Smart Card capabilities" which I guess means pkcs11 which therefore means SSH support should be perfectly feasible.

okdas commented 4 years ago

This is an important feature for me.

@yury, does access to the YubiKey partner portal provide any value, or is it necessary? We surely can try to bother them to be heard if the lack of access is the dealbreaker.

Again, thank you for such an amazing product.

LovingMelody commented 4 years ago

I would also like to see this, or just gpg key support in general, as this is what I primarily use for SSH

jwr commented 4 years ago

The upcoming YubiKey 5C NFC makes this even more interesting. Things should start moving faster now that Apple started supporting WebAuthN in iOS 13 and hardware devices like YubiKey should start becoming more popular.

So, is anybody actually working on anything related to Blink with a built-in gpg-agent which supports smartcards and yubikeys?

treyharris commented 4 years ago

But iPads don’t have NFC at all, do they?

jwr commented 4 years ago

No, they don't. But they do have a USB-C port, so a YubiKey 5C NFC will work with both an iPad (through USB-C), hopefully for Blink using gpg-agent (and WebAuthN elsewhere), and with an iPhone via NFC for WebAuthN. This is a very compelling 2FA solution.

neffs commented 4 years ago

USB-C iPads probably don't fully support the Yubikey 5Ci, have a look at the FAQs here: https://github.com/Yubico/yubikit-ios

Full functionality only via Lightning and NFC.

udf2457 commented 4 years ago

> But iPads don’t have NFC at all, do they?

I suppose the idea is that you're not exactly going to be tapping your iPad against a card reader in Starbucks to buy your coffee. ;)

yury commented 4 years ago

@neffs, I don't know how I missed it.

I need to make some experiments. But with yubikit-ios RAW commands and ObjectivePGP we can add PGP support to our ssh-agent.

yury commented 4 years ago

Playing with demo app.

neffs commented 4 years ago

Probably easier to just use Yubikit raw directly from libssh2 / ssh-agent. We only need the authentication key. ObjectivePGP doesn't support smartcards yet.

yury commented 4 years ago

@neffs, as far as I understand, I need to convert the PGP key to an SSH key. Still researching... If you have any good links, please share.

carloscabanero commented 4 years ago

I’m taking over this. I’ve been working with WebAuthn a lot for the last months and I feel like I can make it.

My goal is to make it work with the standard new Safari implementation, as that would ensure we don’t depend on other frameworks and we actually may support other keys. Only issue is that a message like this (“Blink Shell wants to use “localhost” to sign in”) would appear when you create the key and every time you login with that key. Do you think this may become annoying? I think it should be fine and it helps to get ready for the key and all that.


jwr commented 4 years ago

Well, it would be annoying, but it's definitely better than nothing :-)

In general, anybody who cares about security will have their YubiKey in touch-to-confirm mode, so there is always one interaction when logging in. Additionally, one usually unlocks the key once after inserting it.

The above seems like an additional step, but it's much better than not having anything.

I'm not sure what you mean by "when you create the key" — I am hoping this approach will still let me use the YubiKey in my Mac as well.

carloscabanero commented 4 years ago

Very good last point, something to discuss too. So there are two ways to implement SSH keys support, already brought up here, one through PKCS#11 (the interface with smart cards) and the other through the new WebAuthn protocol.

So that’s the state of things. Feedback is really welcome as I’m deep on this right now.

udf2457 commented 4 years ago

@carloscabanero, I'm afraid I don't follow your argument over PKCS#11 vs WebAuthn.

More specifically, why should WebAuthn enable "other keys and not just Yubikeys" when PKCS#11 does not.

PKCS#11 is as much as an open standard as WebAuthn is ?

I would argue that it would be unwise to simply write off PKCS#11, especially as it is the more established protocol of the two.

carloscabanero commented 4 years ago

The problem is the part of the communication with the key. It isn't just "USB", and even less if we are talking about iOS. We would have to target the support for Yubikeys using their SDK, so we would be just using that.

PKCS#11 isn't easy to support, even in OpenSSH it has caused many issues and it didn't take off the way it should have. Porting OpenPGP for the agent is also not easy, and add to that the Yubikey part.

WebAuthn is already supported at the OS level, we just need to say "sign me this request", and that's pretty much it. It may be newer, but it is actually already supported in many more places and we could argue if in more hardware too.

jwr commented 4 years ago

Thanks for explaining the tradeoffs and difficulties. I'm afraid I don't fully understand how the WebAuthn solution works. Does it require installing additional server-side support?

I was hoping the solution described by DrDuh in his guide could be reasonably easily repurposed, but if this is not the case, then I'd much rather go through the trouble of adding additional keys on servers than have nothing. And yes, gpg agent can be flaky and requires restarting sometimes.

carloscabanero commented 4 years ago

No requirements server-side. WebAuthn just has two operations, "create" a key and "get" (more like a sign) with an authentication token. PKCS#11 is a full interface to abstract the smart cards, allows you to list all the keys, etc... Quite complex.

Reading the DrDuh guide (very cool!), I had another idea. This would be with the only purpose of someone using keys that are already within the Yubikey. Considering we don't need all the compatibility layer that PKCS#11 gives us, as we will have to tap into the Yubikey SDK anyway, we could do another solution more tailored to that scenario. Using the RAW SDK we could potentially list all the keys, and then let you "import" those into Blink. Then just implement the signature part. Sounds simple, but the RAW interface is... raw and with not much docs.

I'm almost done with the WebAuthn solution, so let me finish that and then I can take a deeper look at the intricacies of this other approach.

udf2457 commented 4 years ago

Coming back to this one briefly, OpenSSH 8.2 was released today. The release notes might contain some interesting ideas https://lists.mindrot.org/pipermail/openssh-unix-announce/2020-February/000138.html

Edit: Actually, maybe not as good as it sounds. These new features require server-side 8.2 to work which, let's face it, is not likely to be in place for a few years.

haupas commented 4 years ago

Any news about this? Would be awesome to use my yubikey in blink

martijn commented 4 years ago

> Coming back to this one briefly, OpenSSH 8.2 was released today. The release notes might contain some interesting ideas https://lists.mindrot.org/pipermail/openssh-unix-announce/2020-February/000138.html
>
> Edit: Actually, maybe not as good as it sounds. These new features require server-side 8.2 to work which, let's face it, is not likely to be in place for a few years.

In the meantime Ubuntu 20.04 came out with OpenSSH 8.2 and support for sk-ssh-ed25519 keys, so there’s that. The GPG approach never appealed to me, but proper FIDO support (meaning sk- keys) would be great. Too bad that it seems impossible in iPadOS.
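For readers unfamiliar with what an "sk-" key actually is on the wire, here is an added example (not code from this thread or from Blink) that builds and parses an `sk-ssh-ed25519@openssh.com` public key line in the format OpenSSH 8.2+ writes to `id_ed25519_sk.pub` and reads from `authorized_keys`. The blob is three SSH wire strings: the key type, the 32-byte Ed25519 public key, and the FIDO application (relying-party) string, which ssh-keygen requires to begin with `ssh:`. The 32-byte key below is constructed for the example and is not a real credential; the function names are this example's own.

```python
import base64
import struct

# OpenSSH's FIDO key type for Ed25519 (documented in OpenSSH's PROTOCOL.u2f).
# Public key blob layout: string type | string 32-byte pubkey | string application
SK_ED25519 = "sk-ssh-ed25519@openssh.com"


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset; returns (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_sk_ed25519_line(pubkey: bytes, application: str = "ssh:", comment: str = "") -> str:
    """Serialise an sk-ssh-ed25519 public key as it appears in authorized_keys."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    blob = (_ssh_string(SK_ED25519.encode())
            + _ssh_string(pubkey)
            + _ssh_string(application.encode()))
    line = f"{SK_ED25519} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_sk_ed25519_line(line: str) -> dict:
    """Parse a public key line strictly: the type prefix must match the type
    inside the blob, the blob must contain exactly three strings, and the
    key must be 32 bytes. Truncated or padded blobs are rejected."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != SK_ED25519:
        raise ValueError("not an sk-ssh-ed25519 public key line")
    blob = base64.b64decode(parts[1], validate=True)
    ktype, off = _read_ssh_string(blob, 0)
    if ktype != SK_ED25519.encode():
        raise ValueError("key type inside blob does not match the prefix")
    pubkey, off = _read_ssh_string(blob, off)
    application, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after application string")
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    return {
        "type": ktype.decode(),
        "pubkey": pubkey,
        "application": application.decode(),
        "comment": parts[2].strip() if len(parts) > 2 else "",
    }


def is_openssh_application(application: str) -> bool:
    """ssh-keygen only enrols credentials whose application string starts
    with 'ssh:' (-O application=ssh:<label>); a credential bound to any other
    relying party is not an SSH key even if its blob parses."""
    return application.startswith("ssh:")


# Constructed sample (NOT a real credential): public key bytes 0x00..0x1f.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_LINE = build_sk_ed25519_line(SAMPLE_PUBKEY, "ssh:", "jwr@ipad")

if __name__ == "__main__":
    parsed = parse_sk_ed25519_line(SAMPLE_LINE)
    print(SAMPLE_LINE)
    print("application:", parsed["application"],
          "ok" if is_openssh_application(parsed["application"]) else "NOT an ssh: credential")
```

The practical point for this thread: the public half is all the server ever sees, and it carries no key handle. The key handle and flags (touch/PIN required) live only in the client's private key file, which is why a non-resident sk key must be copied between devices while a resident key can be recovered from the authenticator with `ssh-keygen -K`.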

svanstrom commented 4 years ago

Is this getting anywhere towards something that might make it into a release?

carloscabanero commented 4 years ago

We need to take another look at it because Yubikey didn’t want to help. Will try to prioritize.

rdamron commented 3 years ago

Wanted to jump in here and say I'm using sk-ssh-ed25519 keys with great success on bastion hosts. Adding YubiKey support for them would be game changing.

yury commented 3 years ago

@rdamron, I have bad news for you. The YubiKey doesn't work via USB-C on iPadOS for that. It only works for FIDO. sk-ssh works with Lightning and NFC on iOS only.

rdamron commented 3 years ago

@yury Thanks for the update. I suppose NFC on my iPhone would be valuable for an emergency. Maybe iPadOS 15.

JoernHe commented 3 years ago

@yury even just NFC support would be great. Thank you!

rcombs commented 3 years ago

Shouldn't it be possible to support this on both iPhone and iPad using USB-C, Lightning, and NFC using OpenSSH's new support for FIDO2 resident keys?

rdslw commented 3 years ago

@carloscabanero as to the sync part and fido2/webauthn approach, you may consider using "resident" keys, which means there shall be no need to sync any key component between devices. Non-resident keys (fido1/u2f) unfortunately do require synchronization of key parts.

Also your analysis of PKCS#11/OpenPGP looks on the spot for me. It would be hard and probably not even possible due to iPad/iOS limitations. It's a pity, as the majority of SSH-with-hardware-keys usage up to 2020 was done using the OpenPGP/PIV approach. That is slowly changing with FIDO2/WebAuthn and OpenSSH 8.2+.

In the longterm that (webauthn) would be preferred solution. If you need some help on it, let me know.

udf2457 commented 3 years ago

@rdslw

Re: "probably not even possible due to ipad/ios limitations"

I'm no iOS developer but not too sure about that; CryptoTokenKit is available on iOS 13.0+ (https://developer.apple.com/documentation/CryptoTokenKit)

Also there are manufacturers out there selling smart card readers for iOS (e.g. https://www.microcosm.com/it-security-hardware/smart-card-readers/ios-devices)

ghost commented 3 years ago

Secure ShellFish implements support for pam_yubico (at least via NFC, not sure about Lightning/USB-C), so it's definitely possible. But U2F may be a better solution as it also works on the cheaper Security Key series.

carloscabanero commented 3 years ago

As far as I remember, the support on Secure Shellfish is just for 2FA, not for keys themselves which is what we were discussing here. An agent is required for that, and I am not sure Shellfish implemented one yet, but I may be wrong.

ghost commented 3 years ago

Yeah, I use it for 2FA with `AuthenticationMethods publickey,keyboard-interactive:pam`. On my computer this seems to use OTP (emulating a keyboard), although I'm not sure how exactly it works under the hood on my iPhone via NFC as I don't see any simulated keypresses there. If you want YubiKey to be a single factor, couldn't you technically just do `AuthenticationMethods keyboard-interactive:pam` and optionally disable everything other than `pam_yubico.so` in `/etc/pam.d/sshd`?

I suppose using it as an SSH key via PGP or U2F is a cleaner solution for single factor authentication, but it's not the only way.

(I actually have a quite convoluted setup, I do `AuthenticationMethods publickey,publickey publickey,keyboard-interactive:pam`, so on my laptop it uses my regular ed25519 key plus the ed25519-sk key, and on my phone it uses a regular ed25519 key plus pam_yubico since Secure ShellFish doesn't currently support U2F. I find the U2F interaction nicer than OTP as the key flashes when authentication is needed and it seems quicker overall.)
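The server side of the two-method arrangement described in the previous comment, written out as an added configuration example (it is not from this thread, from Blink, or from Secure ShellFish; `CLIENT_ID`, `API_KEY` and the YubiKey public IDs in the mapping file are placeholders you obtain from Yubico and from your own keys):

```text
# /etc/ssh/sshd_config (fragment)
UsePAM yes
PasswordAuthentication no
# On OpenSSH older than 8.7 this directive is spelled ChallengeResponseAuthentication
KbdInteractiveAuthentication yes
# Two key types (e.g. ed25519 + ed25519-sk) from clients that can do FIDO,
# or one key plus a YubiKey OTP via PAM from clients that can only type an OTP.
AuthenticationMethods publickey,publickey publickey,keyboard-interactive:pam

# /etc/pam.d/sshd (auth stack fragment)
# Do NOT keep a password module (pam_unix / common-auth) in the auth stack
# here: PAM would add a password prompt on top of the OTP instead of
# replacing it. mode=client validates the OTP against Yubico's cloud
# service, so the host needs outbound access to it.
auth required pam_yubico.so id=CLIENT_ID key=API_KEY authfile=/etc/yubikey_mappings mode=client

# /etc/yubikey_mappings: which YubiKey public IDs (first 12 characters of
# an OTP) may authenticate which account
jwr:cccccchvtwrt
```

Two checks worth running after editing: `sshd -t` to validate the configuration before reloading, and a login attempt with the YubiKey removed, which must fail on the OTP prompt rather than fall back to a password. With `AuthenticationMethods`, the SSH key is always evaluated first, so an OTP is only ever requested for an identity that already presented a valid key.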

carloscabanero commented 3 years ago

> couldn't you technically just do `AuthenticationMethods keyboard-interactive:pam` and optionally disable everything other than `pam_yubico.so` in `/etc/pam.d/sshd`?

Unfortunately that is not how it works. We could port the libraries and all that, but the issue is that the device itself is completely ignored by the OS. We have to reimplement everything in compatibility with their SDK. U2F would be the way to go, but that does not properly work at the moment.

There was one way to make everything work, by injecting the JS and making it behave as if it was a webpage trying to get control. But they made it more difficult since iOS14.