Yubikey support? #46
Apparently Yubikeys can be programmed with a static key that can be used in a challenge-response mode (which uses HMAC-SHA1). This might be a better option for Yubikey support as it doesn't require the user to enter their gpg card pin. My POC looks something like
`ykchalresp` is a binary distributed with the yubikey-personalization library. `jose pbkdf2` is from a patch I wrote for jose to do PBKDF2 on arbitrary input.
Having a pin that works with
I am also interested in seeing a yubikey pin in clevis. Challenge-response mode support would be a great first step. Yubikeys support SHA1 challenge-response that provides 160 bits of output. @mtottenh in your example you use But if we want to move to ciphers with bigger keys (e.g. If we do not want to use KDF then another alternative is to use a PRF. I locally implemented Yubikey+
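
The derivation discussed in the comments above, as an added example that is not code from this thread, clevis or jose: a 160-bit HMAC-SHA1 challenge response stretched with PBKDF2 into a 256-bit key, with the challenge and salt kept as metadata for the decrypt side. The token is simulated in software with a constructed secret; the function names, the metadata layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed 20-byte slot secret. On real hardware it never leaves the token.
SLOT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def token_response(challenge: bytes, secret: bytes = SLOT_SECRET) -> bytes:
    """Software stand-in for the token: HMAC-SHA1 over the challenge (20 bytes)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_key(response: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch the 160-bit response to `length` bytes with PBKDF2-HMAC-SHA256.

    The output is longer than the response but carries at most 160 bits of
    entropy, because the response is its only secret input.
    """
    return hashlib.pbkdf2_hmac("sha256", response, salt, iterations, dklen=length)


def provision(iterations: int = 1000, secret: bytes = SLOT_SECRET):
    """Encrypt side: fresh challenge and salt, returned as non-secret metadata."""
    meta = {
        "challenge": os.urandom(32).hex(),
        "salt": os.urandom(16).hex(),
        "iter": iterations,
    }
    return meta, unlock(meta, secret)


def unlock(meta: dict, secret: bytes = SLOT_SECRET) -> bytes:
    """Decrypt side: replay the stored challenge and re-derive the same key."""
    response = token_response(bytes.fromhex(meta["challenge"]), secret)
    return derive_key(response, bytes.fromhex(meta["salt"]), meta["iter"])


if __name__ == "__main__":
    meta, key = provision()
    assert unlock(meta) == key                 # same token secret, same key
    assert unlock(meta, b"\x01" * 20) != key   # a different token cannot unlock
    print(meta, len(key) * 8, "bit key")
```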
I have a POC clevis encrypt/decrypt stub that uses gpg to interact with a stored OpenPGP key on a yubikey, it's something that I've been toying around but it might make sense to include upstream. I'm more than happy to open a PR if there is any interest.