I had already been a happy Yubikey user for a while, mostly using it to carry around my GPG key, which my password manager uses. My company decided to enforce Yubikey usage for SSH as part of its PCI compliance efforts, so I found a new Yubikey 5 NFC in my mailbox.
They allow personal use of work-related hardware, but not the reverse. As a personal doctrine, I don’t like this approach and try to keep those two worlds separate. For this reason I wanted to set the new key up for SSH authentication only, because I still want to be able to use my own.
You can find guides on configuring your Yubikey for PIV usage on the internet, so I won’t tell you how to generate your keys and load them onto the Yubikey; that’s the easy part. This post aims to help you with the NixOS side of the job.
You need to be aware of a few things:
- For SSH authentication, I use the PKCS#11 shared library method.
- Since I’ll be using the auth Yubikey only for PIV, I’ve disabled the OPGP/OTP/U2F/OATH/FIDO2 features.
- We need to edit the SSH configurations:
  - The global one, to whitelist the PKCS#11 library’s location under the nix store.
  - The local one, to refer to that library as the provider.
- Add an ignore rule to the pcsclite daemon, so it won’t care about our non-auth Yubikey.
- Have a shell helper to make key-adding as seamless as possible.
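A shell helper of the kind the last bullet describes, added here as an example (it is not the post’s own script): it asks the running ssh-agent whether the Yubikey’s PKCS#11 keys are already present and only then calls `ssh-add -s`, so running it on every new shell is harmless. The default library path, the `PKCS11_LIB` and `SSH_ADD_CMD` variables and the function names are my assumptions; point `PKCS11_LIB` at the nix store path (or a symlink to it) that your global ssh config whitelists.

```shell
#!/bin/sh
# Added example, not the post's own helper. Source this file from your shell
# rc and call `yk_add` once per session: it registers the Yubikey's PIV keys
# with the running ssh-agent through the PKCS#11 provider and is a no-op when
# they are already loaded.
#
# Assumptions (override via the environment):
#   PKCS11_LIB   path of the OpenSC PKCS#11 library; the default below is a
#                placeholder, use the path your whitelist allows.
#   SSH_ADD_CMD  the ssh-add command, overridable so the helper can be
#                exercised without a live agent.
PKCS11_LIB="${PKCS11_LIB:-/run/current-system/sw/lib/opensc-pkcs11.so}"
SSH_ADD_CMD="${SSH_ADD_CMD:-ssh-add}"

# Succeeds when the agent already lists a key from our provider. ssh-agent
# stores the canonical provider path as the comment of each PKCS#11 key, so
# matching on the library's basename works whether or not PKCS11_LIB is a
# symlink into the nix store.
yk_loaded() {
    "$SSH_ADD_CMD" -L 2>/dev/null | grep -Fq -- "$(basename "$PKCS11_LIB")"
}

# Registers the provider with the agent (ssh-add prompts for the PIV PIN).
# Any stale registration of the same provider is dropped first, so a
# re-plugged key does not leave a dead entry behind.
yk_add() {
    if [ ! -r "$PKCS11_LIB" ]; then
        echo "yk_add: PKCS#11 library not found: $PKCS11_LIB" >&2
        return 1
    fi
    if yk_loaded; then
        echo "yk_add: Yubikey keys already loaded in ssh-agent"
        return 0
    fi
    "$SSH_ADD_CMD" -e "$PKCS11_LIB" >/dev/null 2>&1 || true
    "$SSH_ADD_CMD" -s "$PKCS11_LIB"
}

# Drops the provider's keys from the agent, e.g. before unplugging the key.
yk_remove() {
    "$SSH_ADD_CMD" -e "$PKCS11_LIB"
}
```

Source the file from your shell rc and run `yk_add` after plugging the key in. ssh-agent resolves the provider path with realpath before checking it against its allowed-provider pattern list (the `-P` option at agent start), so a symlink such as one under `/run/current-system` still satisfies a `/nix/store/*` pattern.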