> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.

PIV enabled ones have pins if you are using that functionality.

On Mon, Mar 23, 2020 at 8:51 PM William Herrin <bill@herrin.us> wrote:
On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <warren@kumari.net> wrote:
> Well, yes and no. With a Yubikey the attacker has to be local to
> physically touch the button[0] - with just an SSH key, anyone who gets
> access to the machine can take my key and use it. This puts it in the
> "something you have" (not something you are) camp.

Hi Warren,

They're both "something you have" factors. The yubikey proves
possession better than the ssh key just like a long password proves
what-you-know better than a 4-digit PIN. But the ssh key and the
yubikey are still part of the same authentication factor.


> Not really -- if an attacker steals my laptop, they don't have the
> yubikey (unless I store it in the USB port).

You make a habit of removing your yubi key from the laptop when nature
calls? No you don't.


> If they *do* steal both,
> they can bruteforce the SSH passphrase, but after 5 tries of guessing
> the Yubikey PIN it self-destructs.

What yubikey are you talking about? I have a password protecting my
ssh key but the yubikeys I've used (including the FIPS version) spit
out a string of characters when you touch them. No pin.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
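The thread turns on one difference between the two "something you have" items: a passphrase-protected SSH key can be guessed offline without limit, while a PIV-enabled token enforces a PIN retry counter on the device. The following is an added illustration, not code from anyone in the thread or from Yubico: it models the PIV VERIFY exchange (INS 0x20, P2 0x80 for the application PIN, as specified in NIST SP 800-73-4 and ISO 7816-4) against a constructed in-memory card so the status words and the counter behaviour can be seen end to end. The card class, the retry limit of 3, and the sample PIN are assumptions for the demonstration; real tokens ship with their own defaults.

```python
"""PIV PIN verification with a device-enforced retry counter.

Added example, not code from the mailing-list thread or from Yubico.
PivCardModel is a constructed stand-in for a PIV applet. Status words
follow ISO 7816-4 / NIST SP 800-73-4:
  90 00   PIN accepted
  63 Cx   PIN rejected, x attempts remain (63 C0 = just became blocked)
  69 83   PIN blocked: retry counter exhausted
"""
import hmac

PIN_LEN = 8   # PIV PINs are 6-8 ASCII digits, padded to 8 bytes with 0xFF
PAD = 0xFF


def encode_pin(pin: str) -> bytes:
    """Pad an ASCII PIN to the 8-byte PIV data field."""
    raw = pin.encode("ascii")
    if not 6 <= len(raw) <= PIN_LEN:
        raise ValueError("PIV PIN must be 6-8 characters")
    return raw + bytes([PAD]) * (PIN_LEN - len(raw))


class PivCardModel:
    """Constructed model of a PIV applet's VERIFY handling (assumption)."""

    def __init__(self, pin: str, max_retries: int = 3):
        self._pin = encode_pin(pin)
        self.max_retries = max_retries
        self.retries_left = max_retries
        self.verified = False

    def verify_apdu(self, data: bytes = b"") -> tuple:
        """Handle VERIFY (CLA 00 INS 20 P1 00 P2 80); return (sw1, sw2).

        An empty data field only reports the counter and never consumes
        an attempt. A wrong PIN decrements the counter; once it hits zero
        every further VERIFY is refused with 69 83, even with the right PIN.
        """
        if self.retries_left == 0:
            return (0x69, 0x83)
        if not data:
            return (0x63, 0xC0 | self.retries_left)
        if hmac.compare_digest(data, self._pin):   # constant-time compare
            self.retries_left = self.max_retries   # success resets counter
            self.verified = True
            return (0x90, 0x00)
        self.retries_left -= 1
        self.verified = False
        return (0x63, 0xC0 | self.retries_left)


def decode_verify_sw(sw1: int, sw2: int) -> dict:
    """Translate a VERIFY status word into the host's view of the PIN state."""
    if (sw1, sw2) == (0x90, 0x00):
        return {"ok": True, "blocked": False, "retries": None}
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        n = sw2 & 0x0F
        return {"ok": False, "blocked": n == 0, "retries": n}
    if (sw1, sw2) == (0x69, 0x83):
        return {"ok": False, "blocked": True, "retries": 0}
    raise ValueError(f"unexpected status word {sw1:02X} {sw2:02X}")


def remaining_retries(card: PivCardModel) -> int:
    """Non-consuming query: VERIFY with an empty data field."""
    return decode_verify_sw(*card.verify_apdu())["retries"]


def lockout_after(card: PivCardModel, candidates) -> dict:
    """Submit candidate PINs until the card accepts one or locks.

    Shows why holding the token is not enough: the retry counter, not the
    size of the PIN space, bounds the number of attempts. An offline
    passphrase on an SSH key has no such counter.
    """
    attempts = 0
    for guess in candidates:
        view = decode_verify_sw(*card.verify_apdu(encode_pin(guess)))
        attempts += 1
        if view["ok"] or view["blocked"]:
            break
    return {"attempts": attempts, "found": card.verified,
            "blocked": card.retries_left == 0}


if __name__ == "__main__":
    card = PivCardModel("123456", max_retries=3)        # constructed PIN
    print("retries before use:", remaining_retries(card))
    print("wrong PIN ->", card.verify_apdu(encode_pin("000000")))
    print("right PIN ->", card.verify_apdu(encode_pin("123456")))
    fresh = PivCardModel("123456", max_retries=3)
    print("all 6-digit PINs:", lockout_after(fresh, ("%06d" % i for i in range(10 ** 6))))
    print("right PIN after lockout ->", fresh.verify_apdu(encode_pin("123456")))
```

Two points from the model carry over to real PIV tokens: querying the counter with an empty VERIFY is how management tools report "retries remaining" without spending one, and once the counter reaches zero the correct PIN no longer helps; recovery goes through the PUK or a reset, which is the "self-destruct" behaviour the thread refers to.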