Korbs revised this gist 6 days ago. Go to revision
1 file changed, 6 insertions
README.md
| @@ -29,10 +29,16 @@ tkey-verification verify | |||
| 29 | 29 | ||
| 30 | 30 | The message "**`TKey is genuine!`**" should appear if your TKey is legit. The light should be purple as well. Please unplug TKey and plug it back in moving forward, take it out of verification mode. | |
| 31 | 31 | ||
| 32 | + | ||
| 32 | 33 | ___ | |
| 33 | 34 | ||
| 34 | 35 | ## SSH | |
| 35 | 36 | ||
| 37 | + | Start SSH agent: | |
| 38 | + | ```bash | |
| 39 | + | systemctl --user start tkey-ssh-agent.service | |
| 40 | + | ``` | |
| 41 | + | ||
| 36 | 42 | You can login to your Linux servers remotely using the TKey, by adding your SSH key on your server. | |
| 37 | 43 | ||
| 38 | 44 | Plug in your TKey into your system, then run the following: | |
Korbs revised this gist 3 weeks ago. Go to revision
No changes
Korbs revised this gist 3 weeks ago. Go to revision
1 file changed, 123 insertions, 2 deletions
README.md
| @@ -1,14 +1,101 @@ | |||
| 1 | + | # TKey Setup | |
| 2 | + | ||
| 3 | + | > This Gist shows how SudoVanilla utilizes it's own TKey for signing and ssh.\ | |
| 4 | + | > ***SudoVanilla is not responible for any damages to your Tillitis TKey, Tillitis Tkey Unlocked, and systems.([&1](#risks))***\ | |
| 5 | + | > If this Gist needs correction, feel free to [contact me](https://sudovanilla.org/) as soon as possible. | |
| 6 | + | ||
| 7 | + | ## What is a TKey? | |
| 8 | + | ||
| 9 | + | "[TKey is a compact USB-C device](https://www.tillitis.se/) designed to provide a secure and isolated environment for specialized applications. [Applications](https://www.tillitis.se/download/) are loaded onto TKey and run one at a time in complete isolation, preventing access to the secrets of other applications. This design ensures digital protection for critical tasks such as Authentication, Digital Signing, Secure Random Number Generation, and Encryption." | |
| 10 | + | ||
| 11 | + | ### Purchase | |
| 12 | + | ||
| 13 | + | You can purchase a TKey directly from the [Tillitis shop](https://shop.tillitis.se/products/tkey), where it currently retails for $82 USD as of writing. | |
| 14 | + | ||
| 15 | + | ### After purchase, verify your TKey is genuine | |
| 16 | + | ||
| 17 | + | (Fedora) | |
| 18 | + | ```bash | |
| 19 | + | wget https://github.com/tillitis/tkey-verification/releases/download/v1.0.0/tkey-verification_1.0.0_linux_amd64.rpm | |
| 20 | + | sudo dnf install ./tkey-verification_1.0.0_linux_amd64.rpm | |
| 21 | + | ``` | |
| 22 | + | ||
| 23 | + | Plug in your TKey into your system and run the following: | |
| 24 | + | ```bash | |
| 25 | + | tkey-verification verify | |
| 26 | + | ``` | |
| 27 | + | ||
| 28 | + | > If you're already running an application or the light is blue instead of white, please unplug the TKey and plug it back in again to put it in firmware mode. | |
| 29 | + | ||
| 30 | + | The message "**`TKey is genuine!`**" should appear if your TKey is legit. The light should be purple as well. Please unplug TKey and plug it back in moving forward, take it out of verification mode. | |
| 31 | + | ||
| 32 | + | ___ | |
| 33 | + | ||
| 34 | + | ## SSH | |
| 35 | + | ||
| 36 | + | You can login to your Linux servers remotely using the TKey, by adding your SSH key on your server. | |
| 37 | + | ||
| 38 | + | Plug in your TKey into your system, then run the following: | |
| 39 | + | ```bash | |
| 40 | + | ssh-add -L | |
| 41 | + | ``` | |
| 42 | + | ||
| 43 | + | This should trigger a dialog on your desktop to type in a password, set a strong password you'll use to login to servers via SSH. | |
| 44 | + | ||
| 45 | + | Copy the generated SSH key from your terminal, on your server add it to the `.ssh/authorized_keys` file. Next time you login you can use the Tkey,it should flash green, and simply tap the sensor. | |
| 46 | + | ||
| 47 | + | If it starts denying access, you may of typed in the password wrong for your TKey. Unplug your TKey, plug it back in, and try again. The SSH key used by the TKey can change if you use a different password, be sure you're typing in your password correctly([USS](#uss)). | |
| 48 | + | ___ | |
| 49 | + | ||
| 50 | + | ## Signing Commits | |
| 51 | + | ||
| 52 | + | Download the [signature tool](https://www.tillitis.se/applications/tkey-signature-tool/) and [SSH agent](https://www.tillitis.se/applications/tkey-ssh-agent/), they're required to use your Tkey for signing. | |
| 53 | + | ||
| 54 | + | Change your SSH auth sock to use the SSH agent: | |
| 1 | 55 | ```bash | |
| 2 | 56 | export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/tkey-ssh-agent/sock" # See config.fish for those using Fish | |
| 57 | + | ``` | |
| 58 | + | ||
| 59 | + | Plug in your TKey into your system, then run the following: | |
| 60 | + | ```bash | |
| 3 | 61 | ssh-add -L | |
| 62 | + | ``` | |
| 63 | + | ||
| 64 | + | This should trigger a dialog on your desktop to type in a password, set a strong password you'll use to sign commits. ***Please advise that using a different password will change the SSH key generated by the TKey, make sure you're typing in the correct password when signing commits in production ([USS](#uss)).*** | |
| 65 | + | ||
| 66 | + | Once you've settled on a password to use, your SSH key will appear, it'll look somewhat like this: | |
| 67 | + | ```bash | |
| 68 | + | ssh-ed25519 AAAAAAAAAAAAAAAAAA00000000000 TKey | |
| 69 | + | ``` | |
| 70 | + | ||
| 71 | + | > Your SSH key generated by your TKey should always end with `TKey` at the end. | |
| 72 | + | ||
| 73 | + | Now, setup your git CLI to use that signing key with SSH format and to always sign by setting `gpg` to true. | |
| 74 | + | ||
| 75 | + | Setup your `.gitconfig` like this: | |
| 76 | + | ``` | |
| 77 | + | [user] | |
| 78 | + | email = john.smith@example.org | |
| 79 | + | name = JohnyS | |
| 80 | + | signingkey = ssh-ed25519 AAAAAAAAAAAAAAAAAA00000000000 TKey | |
| 81 | + | [commit] | |
| 82 | + | gpgsign = true | |
| 83 | + | [gpg] | |
| 84 | + | format = ssh | |
| 85 | + | ``` | |
| 86 | + | ||
| 87 | + | Make changes to a repository, then make a commit and push: | |
| 88 | + | ```bash | |
| 4 | 89 | git commit -m "test" | |
| 5 | 90 | git push | |
| 6 | 91 | ``` | |
| 7 | 92 | ||
| 8 | - | > Your SSH key will change if you type in a different password for the TKey, make sure you use the same password. | |
| 93 | + | > Tillitis has tools available such as [GitHub SSH](https://tillitis.se/applications/github-ssh/) and [GitLab SSH](https://tillitis.se/applications/gitlab-ssh/), but are not mentioned here as SudoVanilla primarly uses [Forgejo servers](https://forgejo.org/) including it's own [SudoVanilla Ark](https://ark.sudovanilla.org). | |
| 9 | 94 | ||
| 10 | 95 | ___ | |
| 11 | 96 | ||
| 97 | + | ## Troubleshooting | |
| 98 | + | ||
| 12 | 99 | If you get the error "`Could now show USS prompt: Pinentry: unexpected response: "S ERROR surses.isatty 83918950"`, after a reboot, then do the following: | |
| 13 | 100 | ```bash | |
| 14 | 101 | sudo dnf install pinentry-gnome3 | |
| @@ -24,4 +111,38 @@ Then run: | |||
| 24 | 111 | ```bash | |
| 25 | 112 | gpgconf --kill gpg-agent | |
| 26 | 113 | gpgconf --launch gpg-agent | |
| 27 | - | ``` | |
| 114 | + | ``` | |
| 115 | + | ||
| 116 | + | ___ | |
| 117 | + | ||
| 118 | + | ## Footnotes | |
| 119 | + | ||
| 120 | + | #### Risks | |
| 121 | + | ||
| 122 | + | To maintain availablity to your infrastructure, do not enforce TKey exclusive authentication for SSH unless a verified recovery workflow is in place. Enforcing such requirements without a secondary access method poses a significant risk of permanent lockout, particularly for servers lacking physical access. | |
| 123 | + | ||
| 124 | + | However, if you're going to accept this risk, expect to take full responibility in the case of a server lockout. | |
| 125 | + | ||
| 126 | + | Links to consider reading: | |
| 127 | + | - [SSH Security Best Practices: Protect Your Remote Access Infrastructure](https://tailscale.com/learn/ssh-security-best-practices-protecting-your-remote-access-infrastructure) | |
| 128 | + | - [Eight ways to protect SSH access on your system](https://www.redhat.com/en/blog/eight-ways-secure-ssh) | |
| 129 | + | ||
| 130 | + | #### USS | |
| 131 | + | ||
| 132 | + | When prompted to type in a password for your Tillitis TKey. Unlike traditional security keys where a password only encrypts an existing "static" key, your TKey uses a USS(User Supplied Secret) as the input for key derivation. | |
| 133 | + | ||
| 134 | + | SSH keys are generated with the following: | |
| 135 | + | ||
| 136 | + | - The unique hardware secret inside your device. | |
| 137 | + | - Exact version (hash) of the TKey device application you're running. | |
| 138 | + | - USS, the password your typed in. | |
| 139 | + | ||
| 140 | + | You can view [this article on TKey Key Genration](https://www.tillitis.se/blog/2023/03/31/on-tkey-key-generation/). | |
| 141 | + | ||
| 142 | + | #### Misc | |
| 143 | + | ||
| 144 | + | SudoVanilla has integrated the Tillitis TKey to enhance it's own security by using a hardware-based root of trust. This means taht critical operations are protected by this phyical device, preventing sensitive information from being easily stolen and compromised. This approach in using the Tillitis Tkey helps ensure the integrity of source code signatures and infrastructure. | |
| 145 | + | ||
| 146 | + | Beyond this, a Yubico Yubikey is deployed across server environments and user accounts wherever possible to provide a rebust multi-factor authentication. For other security actions, there are use cases where a single key may be used multi-times in one go to simply run a single task, or both keys are required for the task(s). | |
| 147 | + | ||
| 148 | + | SudoVanilla takes it's security as seriously as it can to ensure protection over server data and it's contents. | |
Korbs revised this gist 3 weeks ago. Go to revision
1 file changed, 3 insertions, 1 deletion
README.md
| @@ -7,7 +7,9 @@ git push | |||
| 7 | 7 | ||
| 8 | 8 | > Your SSH key will change if you type in a different password for the TKey, make sure you use the same password. | |
| 9 | 9 | ||
| 10 | - | If issue arises after reboot: (Fedora / GNOME) | |
| 10 | + | ___ | |
| 11 | + | ||
| 12 | + | If you get the error "`Could now show USS prompt: Pinentry: unexpected response: "S ERROR surses.isatty 83918950"`, after a reboot, then do the following: | |
| 11 | 13 | ```bash | |
| 12 | 14 | sudo dnf install pinentry-gnome3 | |
| 13 | 15 | nano ~/.gnupg/gpg-agent.conf | |
Korbs revised this gist 3 weeks ago. Go to revision
1 file changed, 19 insertions, 2 deletions
README.md
| @@ -1,8 +1,25 @@ | |||
| 1 | - | ``` | |
| 1 | + | ```bash | |
| 2 | 2 | export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/tkey-ssh-agent/sock" # See config.fish for those using Fish | |
| 3 | 3 | ssh-add -L | |
| 4 | 4 | git commit -m "test" | |
| 5 | 5 | git push | |
| 6 | 6 | ``` | |
| 7 | 7 | ||
| 8 | - | > Your SSH key will change if you type in a different password for the TKey, make sure you use the same password. | |
| 8 | + | > Your SSH key will change if you type in a different password for the TKey, make sure you use the same password. | |
| 9 | + | ||
| 10 | + | If issue arises after reboot: (Fedora / GNOME) | |
| 11 | + | ```bash | |
| 12 | + | sudo dnf install pinentry-gnome3 | |
| 13 | + | nano ~/.gnupg/gpg-agent.conf | |
| 14 | + | ``` | |
| 15 | + | ||
| 16 | + | Add add the line: | |
| 17 | + | ``` | |
| 18 | + | pinentry-program /usr/bin/pinentry-gnome3 | |
| 19 | + | ``` | |
| 20 | + | ||
| 21 | + | Then run: | |
| 22 | + | ```bash | |
| 23 | + | gpgconf --kill gpg-agent | |
| 24 | + | gpgconf --launch gpg-agent | |
| 25 | + | ``` | |
Korbs revised this gist 1 month ago. Go to revision
2 files changed, 4 insertions, 1 deletion
README.md
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ``` | |
| 2 | - | export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/tkey-ssh-agent/sock" | |
| 2 | + | export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/tkey-ssh-agent/sock" # See config.fish for those using Fish | |
| 3 | 3 | ssh-add -L | |
| 4 | 4 | git commit -m "test" | |
| 5 | 5 | git push | |
config.fish(file created)
| @@ -0,0 +1,3 @@ | |||
| 1 | + | # tkey | |
| 2 | + | set --export SSH_AUTH_SOCK "$XDG_RUNTIME_DIR/tkey-ssh-agent/sock" | |
| 3 | + | # tkey end | |
Korbs revised this gist 1 month ago. Go to revision
1 file changed, 5 insertions, 1 deletion
README.md
| @@ -1,4 +1,8 @@ | |||
| 1 | 1 | ``` | |
| 2 | 2 | export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/tkey-ssh-agent/sock" | |
| 3 | + | ssh-add -L | |
| 4 | + | git commit -m "test" | |
| 5 | + | git push | |
| 6 | + | ``` | |
| 3 | 7 | ||
| 4 | - | ssh-add -L | |
| 8 | + | > Your SSH key will change if you type in a different password for the TKey, make sure you use the same password. | |
Korbs revised this gist 1 month ago. Go to revision
1 file changed, 4 insertions, 1 deletion
README.md
| @@ -1 +1,4 @@ | |||
| 1 | - | _ | |
| 1 | + | ``` | |
| 2 | + | export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/tkey-ssh-agent/sock" | |
| 3 | + | ||
| 4 | + | ssh-add -L | |
Korbs revised this gist 1 month ago. Go to revision
1 file changed, 1 insertion
README.md(file created)
| @@ -0,0 +1 @@ | |||
| 1 | + | _ | |