hektor/nix
1
0
Fork 0
Code Pull Requests Activity

fix(ssh): document hardware-backed SSH keys and set up backup key

Browse Source
This commit is contained in:
Hektor Misplon
2026-05-16 12:42:06 +02:00
parent 90528bd243
commit 124d326c0e
4 changed files with 74 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
home/modules/ssh/README.md Normal file
View File

@@ -0,0 +1,61 @@
# SSH keys
* primary keys (host-specific, non-resident)
* backup key (shared, resident)
## generate keys
### YubiKey 01 - `host_01`
```sh
ssh-keygen -t ed25519-sk \
-O verify-required \
-f ~/.ssh/id_ed25519_sk \
-C "h@host_01"
```
### YubiKey 01 — `host_02`
```sh
ssh-keygen -t ed25519-sk \
-O verify-required \
-f ~/.ssh/id_ed25519_sk \
-C "h@host_02"
```
### YubiKey 02 - `host_*`
```sh
ssh-keygen -t ed25519-sk \
-O resident \
-O verify-required \
-f ~/.ssh/id_ed25519_sk_bak \
-C "backup"
```
## register keys
when you the primary key (`id_ed25519_sk.pub`), make sure to also register the
backup key (`id_ed25519_sk_bak.pub`) if needed.
## recovery scenarios
| scenario | recovery |
|---|---|
| primary key file lost | generate new primary key on that device, re-register (use backup key) |
| primary YubiKey lost | generate new primary keys on all devices using new YubiKey (use backup key) |
| backup key file lost | regenerate from backup YubiKey resident key (use `ssh-keygen -K`) |
| backup YubiKey lost | generate resident backup key, distribute across hosts, re-register (use primary key) |
## notes / to do
TODO: automate distributing `id_ed25519_sk_bak`, `id_ed25519_sk_bak.pub` to all devices
TODO: declare setup scripts (use e.g. `$HOSTNAME`)
TODO: register backup key with hosts (add to authorized hosts for each host)
TODO: register backup key with services (e.g. Gitea)
TODO: make sure to fall back to backup key when host-specific primary key is not present
TODO: see if / how `-O application=ssh:<name>` could be used
## references
* <https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html>

2
hosts/andromache/ssh_user.pub
View File

@@ -1 +1 @@
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILoWbtyewa2LUWpWCYK46OCWs+2E+BeIsk+0We20qsf9AAAABHNzaDo= h@andromache sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIj+isTFg+W3v68HL28a9p9nX7ldAxu+ht9uUfKLvqcwAAAABHNzaDo= h@andromache

20
modules/ssh/authorized-keys.nix
View File

@@ -17,13 +17,15 @@ in
}; };
# auto generate authorized_keys from `authorizedHosts` # auto generate authorized_keys from `authorizedHosts`
config.users.users.${username}.openssh.authorizedKeys.keys = lib.flatten ( config.users.users.${username}.openssh.authorizedKeys.keys =
map ( lib.flatten (
hostname: map (
let hostname:
keyFile = ../../hosts/${hostname}/ssh_user.pub; let
in keyFile = ../../hosts/${hostname}/ssh_user.pub;
lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile)) in
) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts) lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
); ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
)
++ lib.splitString "\n" (builtins.readFile ./ssh_bak.pub);
} }

1
modules/ssh/ssh_bak.pub Normal file
View File

@@ -0,0 +1 @@
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINg9dwrE10NQ7WMhL/hFJHRNFlDedvloCm9E4XEfnpStAAAABHNzaDo= backup