If people get your SSH, I mean people can't, even if they do compromise your computer, they can't copy your SSH key, which hopefully you have a passphrase on your SSH key anyway, but more security is always better. And there's also, which these will hold up to 4096-bit keys. There is also the YubiKey Neo, which runs Java Card, and it comes built in with a Java Card applet for OpenPGP. These, I like them in some ways; in some ways I prefer the others, because these, yes, they're smaller and they do multiple things, because the YubiKey Neo can also do the normal YubiKey features. So like if you are involved with Fedora infrastructure, you have to have either a YubiKey or Google Authenticator or one of the other similar apps to use sudo. But you can use your YubiKey Neo that you also use for SSH. The bad thing about these, well, one thing is these can only hold 2048-bit keys, which is still pretty large, but what I've done is I have, on most of the systems I connect to, I have both a key that's on here and another key that's on my YubiKey. The bad thing, one of the bad things recently about the YubiKey was there was a vulnerability in the OpenPGP applet that's on here where basically you, if you compile, if you wrote the software just right to do, I mean, which it does require you to tell it to use it in ways that it wasn't intended, but you could basically make this sign stuff without the PIN, which is kind of bad. But Yubico, I think, handled it nicely if you had one that had the old version of the applet, because now the original YubiKey Neos were what they now call the developer model, where you could change the applets on here yourself. Now they come locked, where you can't change them. If you have one that's locked so you can't change it and it has the vulnerable version of the applet on it, you can just send them a ticket on their support system with the output of gpg --card-status and they will send you a coupon code to get a replacement for free.
You don't even have to mail the original one in, and it'll still work for things like regular YubiKey and things like that. So I didn't make fancy slides, because most of what I intended to do is just show you how to do it, and if anybody has any questions, then I'll answer people's questions. Does anyone have any questions about anything so far? Or anything you'd like to know specifically? Well, as far as setting it up, Clint Savage, or Herlo, he has made really good documentation on his GitHub repo of how to get it set up to work well. Sorry, I was on the internet, but it must have lost my connection. Well, I'll go ahead and show you this while I'm at it. Does anyone else have trouble with the internet here? All right. So once you go through the steps on his GitHub repo, which really explains it very well, there's a few packages you have to install and a couple of files to change so that it sets up gpg-agent. Then you can either generate your key on the smart card itself, which the drawback of that is it leaves you with no backup. So if something would happen to your smart card or it would stop working or something, your key's just gone. You can't put it on a new one. What I've chosen to do is generate my key when I'm not on the internet or anything and then put it on the smart card later. This is a brand new token and smart card. gpg --card-status will just tell you the serial number. You can set a name, language, URL, all of that. So I'm just going to generate a key real quick, just the same as normal. Okay, so there I have my new key. So to put that, so if I wanted to, I could do GPG export private key and save that in a file, which I have mine in an encrypted file in my safe deposit box. So if for some reason my GPG tokens would stop working, I could go get that and then put it on a new one. So to put that on your card, do gpg --edit-key and then keytocard. And it'll ask you, are you really sure you want that to be a signature key?
Then the admin PIN is, starts out as one, two, three, oh, sorry, one, two, three, four, five, six, seven, eight. And then save. So then if you go back to gpg --card-status, that will show that your key is on the card. And you can, you can put the same key in multiple slots. Like if you have your main key or a subkey that's set for signature, encryption and authentication, you can put the same key in all three slots. GPG will not allow you to do that as simply as I would like. I guess it wants you to use a different key. But what you can do, once you go keytocard and put it on the card, instead of typing save, if you type quit, then it'll say something about, do you want to, are you sure you don't want to save your changes? Hit yes. And it will leave the key on the card, and it will leave the key in your GPG keyring. So then you can go back to edit key and then put it in encryption, then quit, then edit key and put it in authentication. And you can put the key in all three slots, which, what I've done is, my main key is set with all three capabilities, so I have it on one of these in all three slots. And then I have a subkey, a separate subkey for each one, on another one of these. Yes, you can. Also, I can show you that; it should be generate. Sorry, I don't usually do this. If you do yes here, it does not actually generate it on the card. If you hit yes, it's basically the same as generating the key, exporting the private key and then moving it to the card. If you hit no, it will generate it on the card. Yes, I want to replace everything on there. And these will support up to 4096. And of course, you can change the PIN to be whatever you want. I've just left it as the default on here since it's not actually being used for anything. And there are two different types of these, of the Gemalto tokens. This is, I believe, called the IDBridge K50. It's the newer one. They're tamper resistant.
So the older ones, which are the, which are the ones that the place that you get the smart cards from sells, are called USB Shell Token version two. And also the new name is IDBridge K30, I believe. And they have just a little door that you can just unhook to get the card out, so you could switch what card is in there. These, once you put them together, there's a couple little tabs that go down in there so you can't get it apart without actually breaking it. Does anyone else have any questions or anything so far? Yeah. Why, sorry. I think it mainly goes down to preferences. And also it depends on what you set as the capabilities when you generated your key. GPG's default, just for RSA keys, is signature and authentication set to enabled. But you can also set encryption also, or any combination of that, if you do --gen-key --expert. It will let you choose whatever options you want. I've heard different people have different opinions about if you need to use different subkeys for everything or not, or if it really matters. When I generated my keys, I made them set to be enabled for everything. I generally don't use my main key. I use the subkeys, because GPG will let you use subkeys for everything except signing other keys. So that's all I use. Like whenever I use SSH to connect to anywhere, I just have to have this and have to know my PIN number, or, well, actually it's not just numbers. GPG will let you use letters, numbers and special characters even as the PIN on here. They just call it PIN even though it's not just numbers. And as you can see, generating the keys on here does not appear to be as quick as on the computer. Well, yeah, sure. I should have just done something smaller since I'm not actually using them. A little about the YubiKeys. The newer YubiKeys, I don't believe all Neos have it, but has anyone used the U2F stuff that Google is supporting now? You pretty much have to use Chrome.
But I've got that enabled on my Google Apps account and my Gmail account. And at least the newer, I'm not sure exactly. I don't think the older YubiKeys supported it. So the newer ones, the ones which are made this year, and I think some of them are the newer ones now, they support that. And so this really, I use it for three different things pretty much: regular YubiKey for Fedora and YubiKey for other sites, because they have two regular YubiKey slots. So I have one set for Fedora and one set for the YubiKey validation server. So most other sites that use YubiKey use the Yubico server, not their own. Like Fedora, we have our own YubiKey validation server that we run ourselves. That's why you have to use fedora-burn-yubikey whenever you want to set up one for Fedora. And then the U2F system and the PGP. They also have, the blue one, just does the U2F features, which is the new Google-backed service, which it's supposed to be compatible with other sites, but have you found anywhere else really? I haven't. I haven't found anywhere else yet that supports it, but it's supposed to be, hopefully, becoming a standard. Of course they have the regular YubiKeys, which I'm sure most of you have probably used. And they have one that is compatible with, is their name Symantec still? It used to be VeriSign's two-factor system. Now I think it's called Symantec. They have one that's compatible with that that you can use at a lot of, at several bigger sites like eBay and PayPal and things like that. Okay, so now it's done and I have three keys, one subkey for each feature, and all of the keys expire tomorrow. So that way, I suppose that is the most secure way of doing it, because there has never been a copy of those keys on any computer, because they are generated directly on the card. Some people I know, was it Pecker that I talked to last year, was saying they think that's the only way to go is to generate the keys on the card.
Personally, I think that would be okay for subkeys, but I wouldn't want to have the only copy of my main key on one of those, because if it stopped working or something, then basically you would lose your key and have to get all of your signatures and everything over again, because you wouldn't be able to put it on another one, because you cannot get the key off of there once it's on there. That's why you would make it, if you wanted a copy, you would need to export the private key before you put it on the card. And they also have a, which these are the exact same things that are in those readers, they also make full-size smart card versions. And then I got this little smart card reader that folds up to be like the size of a flash drive. I believe I got this on eBay, and you just unfold it and it makes a little slot for the card to go in, and then you can plug it in your USB slot and it works the exact same way. I found a couple readers that are not quite supported well with Fedora, which at some time, whenever I get around to doing so, I'm intending to try to start, through Fedora Docs, a two-factor authentication guide, because I think it would be nice to have some of this documented more, because the only documentation, or at least the best documentation, I could find whenever I first started doing this was on Herlo's GitHub. He's made a nice tutorial and also has the configuration files you need on GitHub. And but I'm going to try to be making a two-factor authentication guide and documenting what hardware I've found works. They also make some USB keyboards that have smart card slots in them. I haven't tried them in a while, but I know the one by, I think it's called Cherry, does not work, at least with Fedora or with GPG. But I think the other one was made by Dell and it worked okay. And I like this. The only times I've ever used the full-size smart cards, I prefer this little card reader, which is made by SCM Microsystems.
It seems to work just fine and you can just throw it in your pocket or whatever. Does anyone else have any questions or anything to say or anything? Okay. Why are you doing this in practice, maybe? Okay, well, yeah, I didn't really, I kind of forgot about that. Okay, so SSH, you really don't have to do anything. Well, okay, on your computer, are you talking about the server or the client? I mean, like what you have to do on your computer, or are you talking about, is there anything special you have to do, like, to connect with SSH? No, really, okay. So, ssh-add -L, all you have to do once you set up on your computer, which if you go to Herlo's GitHub repo it pretty much will walk you through exactly what to do to set up your computer, which, I apologize, I was going to show that; apparently the internet is strange. So you're walking your local keychain on the client side? So all ssh-add -L does, that tells you all you need to do on the server side: copy that into your authorized keys. To basically, your server doesn't care that you're using that. Your computer handles using your SSH with your GPG token. So your computer does the second factor itself, because once you try to SSH to a server it will pop up a box. I mean, you have to have this plugged in, of course. You type in your SSH command, it will pop up and tell you to enter your PIN. And if it's valid, then the token validates your PIN and will sign the request that SSH wants it to sign to connect to the server. So you're not securing your remote? Yes. Yeah, it's a second factor for your private key on your laptop, because your key, all that's stored in your GPG keyring once you put the key on the card is basically a stub that just says this key isn't here, it's on a card.
And it will actually, if I had this key inserted and tried to SSH to a different server, I mean to a server that uses my SSH key, my computer, if I have used that key before, it will tell me insert card number such and such, which there's not really any way to tell from looking at it what the card serial number is, because the case is too dark. But the serial number is on the actual smart card itself. It's just not readable once it's in there, because it's on the same side that the contact is on. So, and then as for GPG, GPG itself, it will detect that your card is in there. Every once in a while, I've had issues where it will act strange, and my usual solution is kill gpg-agent and restart it. But it works well on Fedora. Whenever I'm booted into OS X, which is rarely, but sometimes it will, it doesn't work as well as Fedora using the GPG token. It works, but you bother. Fedora works pretty good usually. Yes, the instructions on GitHub will tell you how to set up SSH to use gpg-agent. There's a script that you put in your home directory, and then you set up, if I remember right, you set up your bash profile to run this script that sets up gpg-agent. And so then it'll do that every time you log in. And it seems to work well. I went to, I think, what was it, FUDCon Lawrence, maybe? I think it was, Herlo did a talk about it. And that's when I kind of got into using it. I think it would be a good thing to get, even to get infrastructure to start supporting, or start recommending. I don't know how easy it would be to require it, because then everybody that has an account on anything on Fedora infrastructure would need to get one of these somehow, or a YubiKey or one of the similar things. The server doesn't know, you know, I can't wait. Honor system, probably. All right. I don't really know of a way, I mean, you could write a script that looks through authorized keys for something that says cardno whatever, but that's just the comment.
You can edit the comment in your SSH key to be whatever you want. So if someone was determined enough that they weren't run to do it, they could just make their comment look like a card number. But that's just what gpg-agent uses by default, is cardno, colon, whatever the serial number of the smart card is, which depends on the manufacturer. Like all of these start with a five, which is supposed to be the manufacturer's ID number or something. And the YubiKey ones start with a six. And as you can tell, that's shorter, because that's a 2048-bit key, because apparently what Yubico said was it's a limitation in Java Card that they can't make it handle 4096-bit keys. Even if they change the applet that they use to support it, something in Java Card, there's not enough room or something for it to handle that. Yeah. I mean, it's actually in the hardware market. There aren't any cards publicly available that's far from saying, far from that. Yeah, I'm not sure about the implement, about the YubiKey's, what actual card they use, other than it's something in Java Card, but I know these will support a 4096, the GPG smart card ones. That's what I use on there. Anything else? If I already have it, can I go and die in the world? Definitely. That's what I personally would recommend. That way you can still have a backup of your key in case your token would malfunction; you still have your key. If you generate the key on here and something happens to it, well, too bad. Your key's gone. You can't use your key if you don't have a backup. That's what I was showing at the beginning, when you go into your key, type in, I mean, go to edit key, then type in toggle and then keytocard; that will move your key to the smart card. I would of course recommend doing export private key first, and put your private key in a file and encrypt it and put it somewhere secure. That way you have a backup of it. But yes, you can definitely use an existing key.
My first key I used to use just on my computer. I have two keys currently, one I've had for a while, one I generated before Flock last year, maybe, or no, no, it was since then. Because a lot of keys use SHA-1 for self-sigs and things like that, and you kind of, you can't, I've read some articles about how that's not good, because SHA-1 is not that secure anymore. So what I did was added the options to my GPG config to make it use SHA-512 and generated a new key. But I still have both of them for now, because my new key has not been signed by very many people yet, because I haven't been to any conferences other than SELF this year since I made the new key. Yeah. You can change the signature on existing keys if you just, I would like to talk about that. Yeah, you can change those, but you can't change the signatures on your subkeys, and I don't know, okay, I will try that. There was some reason that somewhere recommended just making a new key; I'd have to look it up. Yeah, I'm not sure, I haven't looked at that lately, but yeah, I'll check into that again, because my old key has been signed by a bunch of people, so I'd kind of rather not start over. Anything else? Yeah, it looks like on a Friday at 5 p.m. Is that when we're having the key signing? Okay. Well, Till is doing a GPG best practices, and then we're having the key signing and having CAcert assurances available. Yes, the same two-hour workshop slot, yeah. And so we can see how much interest in best practices, that everybody knows everything. We're going? I'm not sure if I'm going to say, well, yeah. We're going to kind of gear the best practices towards how much people know, how much they wanna know, and then have the key signing. That way, hopefully people can get there before we start the key signing. And I have the lists printed out from everybody that signed up on the Google Forms for it. If you did not sign up for the key signing and you're interested, you can still come.
Preferably bring your key's fingerprint and your name, printed a bunch of times, or what we've done in the past is just write it up on the whiteboard, which it looks like we might not have whiteboards here. And then people can just write a name. So anybody is still welcome even if you did not sign up. We just try to get people to sign up ahead of time so we can print out a list of everybody's name and fingerprint. Then, depending on how people wanna do it, I have done it before where everybody just says their fingerprint looks right on the paper, and I've done it before where everybody reads their fingerprint to make sure that everybody has the same copy and I didn't, like, put papers with different fingerprints to different people. Yeah. Yeah. I have about 30 or 40 copies of the key list printed out in my bag. So anything else, anybody? What drivers do you use? The drivers are in Fedora. There's a few packages to install. I believe the drivers are in, there's a pcsc-lite, I think is the name or something like that, of the package. But on the GitHub repo, it tells you exactly what to install, what configuration files you need to edit to get the gpg-agent stuff set up, and all of that. Anything else? They said we were about out of time a couple of minutes ago. Oh well, we still have a couple of minutes. If no one else says anything, thank you all for coming. This is my group. I really don't use it in practice much. I just kind of wanted to get examples of different hardware to document what worked and what doesn't work. Well, the smart card that goes in these is exactly the same as this, except you can order them with a, and it's actually a SIM card size cutout where you just punch it out of there. Oh, okay. Oh, what's the... Or this is the OpenPGP card that's... That's the Gemalto card that is the most popular, because that's the same one that the place that sells the smart card sells. I ordered these from a place in Texas, I think.
And these are like, because you don't have to worry about, I always kind of thought, well, what if that cover falls off? Have you ever had? Okay. It seems like it's pretty secure, I'm pretty sure. I've been carrying it around for two years now, I'm not, no problem. Oh, okay. It seems like it's pretty secure, but this, you're not gonna get this off without breaking the reader. I don't think it would hurt the card itself if you broke it open, but you would have to replace the reader if you did that. Yeah. And how do you make it work on what's doing? Oh, Google. Well, I mean, I really don't remember, I found somewhere that documented how to do that and it worked decently. Usually every time I started a new terminal, I would have to kill all gpg-agents and then start gpg-agent, which can happen, something like a fix, but sometimes I would, we'd rather just take the low-tech workaround. You could take two of those, easy enough. killall gpg-agent, gpg-agent, dash, dash, dash, all of them, and then it works. Then start a new terminal, can't all gpg-agents pick it up. So I don't know what actually is causing it to... Oh, was I supposed to stop this? I guess I was.
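The authorized_keys check the speaker mentions (scanning for the `cardno:` comment that gpg-agent puts on card-resident keys in `ssh-add -L` output) and the 2048- versus 4096-bit difference between the two token types, written out as an added example that is not from the talk or from Herlo's repo. The key blobs and serial numbers are constructed for the demo, and the script only records what each line claims, since, as the speaker says, the comment is free text the key owner can set to anything.

```python
import base64
import re
import struct

# gpg-agent labels a card-resident key in "ssh-add -L" output with the comment
# "cardno:<serial>"; people paste that line into authorized_keys unchanged.
CARDNO_RE = re.compile(r"^cardno:(\S+)$")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

def _ssh_string(data):
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 keeps it positive)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(blob, offset):
    """Decode one SSH wire-format string at offset; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def make_rsa_blob(bits):
    """Build a CONSTRUCTED base64 ssh-rsa blob with a `bits`-bit modulus (not a real key)."""
    n = (1 << (bits - 1)) | 1          # only the size matters for the demo
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return base64.b64encode(blob).decode()

def rsa_bits(b64_blob):
    """Return the modulus size of a base64 ssh-rsa blob, or None for other key types."""
    blob = base64.b64decode(b64_blob)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)   # public exponent, not needed here
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def parse_authorized_keys(text):
    """One record per key line: type, RSA size, comment and the cardno it claims.

    The cardno comes from the free-text comment the key owner wrote, so it is a
    claim made on the client side, not something the server has verified.
    """
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so scan for it.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        keytype, b64 = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        m = CARDNO_RE.match(comment)
        records.append({"type": keytype, "comment": comment,
                        "bits": rsa_bits(b64) if keytype == "ssh-rsa" else None,
                        "cardno": m.group(1) if m else None})
    return records

# Constructed sample file: the serial numbers and keys are made up for the demo.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    "ssh-rsa " + make_rsa_blob(4096) + " cardno:000500000001",
    "ssh-rsa " + make_rsa_blob(2048) + " cardno:000600000002",
    'from="10.0.0.0/8" ssh-rsa ' + make_rsa_blob(2048) + " laptop only key",
])
```

Running `parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)` gives an inventory an admin can review by hand; to actually enforce a card-backed key, the server would need something it can verify, which a comment is not.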