• RustyNova@lemmy.world · 3 points · 12 days ago

    I kinda hate the push towards passkeys. If you have two-factor auth, going to passkeys makes you go back to one factor, aka less secure.

    There are also more and more 2FA fatigue attacks going on, and they can affect passkeys too, and if you don’t have a 2FA that involves the user writing a code on the 2FA device, passkeys could quite possibly be worse than passwords.

      • jonjuan@programming.dev · 2 points · 12 days ago

        Encrypt them with a password if you wish.

        SSH keys without passphrases are just fancy credential files sitting in your .ssh/ directory, basically like writing your passwords on paper and leaving it in your desk drawer.

        • rumba@lemmy.zip · 3 points · 11 days ago

          But they require chmod 400 and they’re ideally on an encrypted disk.

          So the desk drawer is locked and the codes are LUKS encrypted.

          And for critical stuff, you should also have a password on the key.

          If your ssh keys are like passwords on paper in a drawer, you’re doing it wrong.
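          The two rules in the post above (owner-only permissions, a passphrase on anything that matters) are easy to audit. The script below is an added example, not code from the thread or from OpenSSH: it walks a directory, flags private keys that are group- or world-readable, and, where OpenSSH's ssh-keygen is available, flags keys that load with an empty passphrase. The helper names and the PRIVATE KEY header heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit ~/.ssh for the two rules above.
# Assumes a POSIX sh with find(1), plus OpenSSH's ssh-keygen for the
# passphrase check (skipped if it is not installed).

# Return 0 if $1 is readable or writable by group or others (too loose for a
# private key), 1 if only the owner can touch it. find(1)'s symbolic -perm
# tests are used because stat(1) flags differ between GNU and BSD.
perms_too_open() {
    [ -n "$(find "$1" -prune \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print 2>/dev/null)" ]
}

# Return 0 if the private key $1 loads with an empty passphrase, i.e. it is
# stored unencrypted; 1 if a passphrase is needed (or $1 is not a valid key).
key_unencrypted() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Walk a directory (default ~/.ssh) and report every private key that breaks
# either rule. Prints "FILE: problem" lines; returns 1 if anything was found.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub|*/config|*/known_hosts*|*/authorized_keys) continue ;; esac
        # Heuristic (assumption): PEM and OpenSSH private keys announce themselves
        # on their first line; anything else in the directory is skipped.
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY' || continue
        if perms_too_open "$f"; then
            echo "$f: mode is not owner-only (fix: chmod 400 \"$f\")"; rc=1
        fi
        if command -v ssh-keygen >/dev/null 2>&1 && key_unencrypted "$f"; then
            echo "$f: no passphrase (fix: ssh-keygen -p -f \"$f\")"; rc=1
        fi
    done
    return $rc
}

# Usage: audit_ssh_dir            # your own ~/.ssh
#        audit_ssh_dir /srv/deploy/.ssh
```

          Note that the permission check only tells you about the file's mode bits; whether the disk underneath is LUKS-encrypted is a property of the volume, not the file, and `lsblk -o NAME,TYPE,MOUNTPOINT` (look for a `crypt` entry above your home filesystem) is the quick way to confirm that part.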

          • LedgeDrop@lemmy.zip · 3 points · 12 days ago

            Take a look at ssh-agent. It’s bundled with ssh-client and designed to solve this problem.

            The quick usage is, create a terminal and run:

            eval `ssh-agent`                     # start an agent and export SSH_AUTH_SOCK/SSH_AGENT_PID into this shell
            ssh-add /path/to/your/encrypted/key1
            # type in password
            ssh-add /path/to/your/encrypted/key2
            ...

            # all commands in this terminal will use the keys above w/o asking you for a password
            git clone git@github.com...
            git push...
            etc

            So, basically you type your credentials once during the life cycle of your terminal.

            If you really want to go full power-user, simply run ssh-agent (without the eval) and you’ll see it just sets some env-vars, which can be imported into any terminal/shell you have open.

            So, if you put some logic in your shell's rc file, you can effectively share a single ssh-agent between all your shells, meaning you just need to type your password for your keys once when you log into your system… and you're now passwordless for any future terminals you create (this is my setup).

            Also, if you’re interested take a peek at the man pages for ssh-agent. It has a few interesting features (e.g. adding a password lock for your agent, removing keys from the agent, etc).

            • bandwidthcrisis@lemmy.world · 1 point · 11 days ago

              I have

              if [ -z "$SSH_AUTH_SOCK" ] ; then   # no agent reachable yet
                  eval "$(ssh-agent -s)"          # start one and export its socket/pid into this shell
              fi

              At the end of .bashrc and

              AddKeysToAgent yes
              

              In .ssh/config so that it auto-adds keys I unlock.
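              The two posts above describe the same setup from two angles: ssh-agent only prints environment variables, so one agent can be shared by every shell if its variables are cached somewhere and re-sourced from the rc file. The script below is an added example, not code from either poster or from OpenSSH, that does exactly that. It assumes a POSIX sh, OpenSSH's ssh-agent and ssh-add, and a cache file of your choosing in SSH_AGENT_ENV (this example's own name, defaulting to ~/.ssh/agent.env); it also covers the case bandwidthcrisis's `-z "$SSH_AUTH_SOCK"` check handles, an agent that was forwarded into the session and must not be clobbered.

```shell
#!/bin/sh
# Added example (not from the thread): one ssh-agent shared by every shell
# you open, started once per login. Assumes a POSIX sh, OpenSSH's ssh-agent
# and ssh-add, and a cache file in $SSH_AGENT_ENV (an assumption of this
# example; default ~/.ssh/agent.env).

SSH_AGENT_ENV="${SSH_AGENT_ENV:-$HOME/.ssh/agent.env}"

# Classify the agent behind $SSH_AUTH_SOCK using the exit status of ssh-add -l:
# 0 = reachable and holding keys, 1 = reachable but empty, anything else
# (2 = cannot connect, 127 = ssh-add missing) = no usable agent.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo dead ;;
    esac
}

# Reduce the "VAR=value; export VAR;" lines printed by `ssh-agent -s` to plain
# "VAR=value" assignments that can be both sourced and stored in the cache file.
agent_env_from_output() {
    sed -n -e 's/^SSH_AUTH_SOCK=\([^;]*\);.*/SSH_AUTH_SOCK=\1/p' \
           -e 's/^SSH_AGENT_PID=\([^;]*\);.*/SSH_AGENT_PID=\1/p'
}

# Attach this shell to a live agent if there is one, otherwise start one.
ensure_agent() {
    # An agent already reachable here (e.g. forwarded in with ssh -A) wins;
    # sourcing the cache would silently replace it with the local one.
    [ "$(agent_state)" = dead ] || return 0
    if [ -r "$SSH_AGENT_ENV" ]; then
        . "$SSH_AGENT_ENV"
        export SSH_AUTH_SOCK SSH_AGENT_PID
        [ "$(agent_state)" = dead ] || return 0      # cached agent still alive
    fi
    # No live agent anywhere: start one and cache its environment, owner-only.
    mkdir -p "$(dirname "$SSH_AGENT_ENV")"
    ( umask 077; ssh-agent -s | agent_env_from_output > "$SSH_AGENT_ENV" )
    . "$SSH_AGENT_ENV"
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# In ~/.bashrc or ~/.zshrc:   . ~/.ssh/agent.sh && ensure_agent
# Then add keys with a lifetime, so a forgotten login cannot use them forever:
#   ssh-add -t 8h ~/.ssh/id_ed25519
# With "AddKeysToAgent yes" in ~/.ssh/config the first ssh that unlocks a key
# adds it to this shared agent as well.
```

              The caveat a practitioner should keep in mind: anything running as your user while the agent holds keys can sign with them, so the agent turns "type the passphrase every time" into "trust everything in this login session until the keys expire or you run `ssh-add -D`". A lifetime (`-t`) and `ssh-add -c` (confirm each use, where a pinentry-style prompt is available) are the knobs that keep that window small.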

              • ulterno@programming.dev · 0 points · 9 days ago

                Well, the main reason I do it every time is because I’m just too lazy to set up pinentry.
                But yeah, for the Bluetooth keyboard, I realise I better get off it.

      • Evotech@lemmy.world · 0 points · 11 days ago

        It’s not about encryption/security; it’s about creating something that can’t be phished.

        We know that 2FA is secure. But if an attacker can trick you into giving them the code, or typing it into a fake box, then they own you.

        Passkeys are made so that there’s nothing to give, nothing to type. You must control the device.

      • twice_hatch@midwest.social · 2 points · 10 days ago

        You are supposed to have two redundant ones, hooked up to every service. One leaves the house with you, the other stays in a safe, and you rotate them periodically.

        and nobody is gonna fucking do that lol

        Mine are USB-A and USB-C so no two computers can use both. One of them randomly quit working (something in the OS dropped support for it maybe?) but then I think started working again?

        At an old job I had a lot of control over my own infra and I used my HSM to log in to my forge. I haven’t used it daily in years now.

  • BootLoop@sh.itjust.works · 2 points · 12 days ago

    If this isn’t referring to the Git CLI that prompts the user for username and password for a GitHub remote repository and GitHub rejecting password auth, then disregard this rant.

    Git and GitHub are two separate pieces of software. Git is the local client that does all the work and can optionally sync with a remote repository that can be stored in GitHub or GitLab or any other compatible remote. When Git asks for a password to authenticate, it has nothing to do with GitHub. GitHub then rejects that authentication method that Git provided because it believes that the method is insecure.
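    The practical consequence of the split described above is that the fix lives on the git side: the prompt only appears because the remote is an HTTPS URL with no credential helper, so git falls back to asking for a password that GitHub will then refuse. The script below is an added example, not code from the post or from git or GitHub, that moves a clone (or all clones) to SSH so git never asks. It assumes a POSIX sh and git; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): stop git from prompting for a GitHub
# password that GitHub rejects, by pointing the remote at SSH instead.
# Assumes a POSIX sh and git; the function names are this example's own.

# Map an HTTPS GitHub URL to the equivalent SSH URL. Any other URL (already
# SSH, or another host) is echoed unchanged so callers can compare old/new.
https_to_ssh_url() {
    url=$1
    case $url in
        https://github.com/*)
            path=${url#https://github.com/}
            path=${path%/}                 # tolerate a trailing slash
            echo "git@github.com:$path" ;;
        *)
            echo "$url" ;;
    esac
}

# Rewrite "origin" of the repository in the current directory.
# Returns 1 and changes nothing if origin is not a GitHub HTTPS URL.
switch_origin_to_ssh() {
    old=$(git remote get-url origin) || return 1
    new=$(https_to_ssh_url "$old")
    if [ "$new" = "$old" ]; then
        echo "origin is not a GitHub HTTPS URL: $old" >&2
        return 1
    fi
    git remote set-url origin "$new" && echo "origin: $old -> $new"
}

# Same effect for every clone at once, without editing each one: git
# substitutes the SSH prefix whenever it sees the HTTPS one.
enable_global_ssh_rewrite() {
    git config --global url."git@github.com:".insteadOf "https://github.com/"
}

# Confirm GitHub accepts the key your agent offers. GitHub greets you and then
# closes the connection (no shell), so ssh itself exits non-zero; the greeting
# text is the signal.
check_github_ssh() {
    ssh -T git@github.com 2>&1 | grep -q "successfully authenticated"
}

# Usage, inside a clone:   switch_origin_to_ssh && check_github_ssh
```

    The global `insteadOf` rewrite is convenient but worth knowing about when debugging: `git remote -v` will still show the HTTPS URL while git actually talks SSH, so check `git config --global --get-regexp 'url\..*\.insteadof'` before concluding that a remote is misconfigured.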

    • fuzzzerd@programming.dev · 1 point · 12 days ago

      Wait until we tell them that Java and JavaScript are also different languages that are completely different things.

  • philosloppy@lemmy.world · 2 points · 10 days ago

    I don’t know anything about passkeys, but if Microsoft is pushing for them I am immediately suspicious. I am admittedly paranoid, but if you have been an adult using a computer over the past ~15 years and aren’t paranoid, you haven’t been paying enough attention.

    • twice_hatch@midwest.social · 1 point · 10 days ago

      If by “passkey” they mean an HSM, I’m okay with it.

      I’d still rather have TOTP as my 2nd factor so I don’t have to plug shit in.

      • JackbyDev@programming.dev · 1 point · 10 days ago

        I’ve plugged my phone in so many times and it doesn’t detect shit. I’d rather stick with TOTP/email.

      • philosloppy@lemmy.world · 1 point · 10 days ago

        TOTP is the superior option, IMO, but I’m no expert on security, so maybe they’re insecure? It sure seems like some folks would rather do anything but time-based one-time codes.

        Hardware keys are a pain in the neck, just one more thing to be lost.

    • rumba@lemmy.zip · 0 points · 11 days ago

      You can have more than one passkey.

      You can still use password + 2FA.

      You can use Google OAuth.

      You can use a YubiKey.

      You should probably have a primary and secondary auth for every site.

      • dai@lemmy.world · 0 points · 10 days ago

        I didn’t know about the ability to use more than one passkey per platform. Something I’ll have to investigate further.

        • rumba@lemmy.zip · 0 points · 10 days ago

          Everybody does it differently. GitHub in particular allows multiple.

          If you are doing development or admin work, I would greatly advise you to pick up a YubiKey.

          My basic setup for any app/site that will allow it is two YubiKeys and one passkey.

          One YubiKey in the safe with next-of-kin instructions, one on my key ring.

          Then any site that supports passkeys, I’ll also have one of those there too.

          • dai@lemmy.world · 2 points · 9 days ago

            Yeah, have been meaning to pick a few up but it’s not been a top priority. Not really a developer, more just a user that dabbles too much with a homelab while trying to be privacy & security conscious.

            The cost alone is a bit of a hurdle with money going to life / house currently, and another purchase of some silly computer thing will trigger her.