On Mar 23, 2020, at 8:48 PM, William Herrin <bill@herrin.us> wrote:
If they *do* steal both, they can bruteforce the SSH passphrase, but after 5 tries of guessing the Yubikey PIN it self-destructs.
What yubikey are you talking about? I have a password protecting my ssh key but the yubikeys I've used (including the FIPS version) spit out a string of characters when you touch them. No pin.
https://www.yubico.com/products/identifying-your-yubikey/ <https://www.yubico.com/products/identifying-your-yubikey/> The (presumably) Yubico OTP/OATH/HOTP string from a Yubikey that you may have picked up six years ago on a lark doesn’t even begin to scratch the surface. The integration with FIDO2 in the low-end models in OpenSSH 8.2 in particular is very spiffy (and not to be confused with PIV or OpenPGP mode. -r