One SSH Key to rule them all

I have searched high and low for a better way to use SSH key based authentication than what you learn in the default Linux tutorials. Those tutorials would have you generate one key per-machine/account and then on every box you SSH into add that to the authorized_keys file.

What I want is a single key (that’s easy to rotate) that I can use on any machine quickly and easily to get up and running. This is because I reformat my computers a couple times a year and set them up fresh, and because I use all 3 major platforms for coding.

When you search for single key ssh authentication, the most common set of results tells you to use a Yubikey. So I finally gave in, bought a couple Yubikeys to see what all the fuss was about in the DevOps community. I did manage to work through all the tutorials about how to use a YubiKey as a kind of secure single sign on where the YubiKey is your one true universal key for SSH login. After hours and hours of setting up special daemons for forwarding SSH authentication to PGP, I’ve come to the following conclusion: YubiKeys suck.

They suffer from the same problems that all PGP and SSL encryption suffers from. Archaic tools with WAY too many options, no explanation for what any of the options do, and absolutely NO guidance around if flipping a particular set of switches makes you more or less secure.

There is a better way and I’m here to tell you about it today. The answer my friends, is Krypton.

Krypton is a phone app for iOS and Android that implements the U2F protocol and in general is a more sane approach to using a physical second factor (your phone) across all of the platforms I use: Mac, Linux and Windows1.

There are two modes:

  1. General Web 2FA using U2F
  2. Developer Mode which allows you to use Krypton for your SSH authentication and as a bonus it handles automatic signing of Git commits if you want it to

For the first mode, you just add the Krypton plugin to your browser of choice and then Pair your phone to that specific browser using a QR code similar to how WhatsApp desktop works. After that you can use Krypton anywhere U2F is supported2

For Developer Mode: Install the kr daemon/tool and the rest is easy peasy. You type kr pair into a Terminal and a QR code appears in the console. Scan this with the Krypton app on your phone and you’re all set. The kr tool takes care of setting up the SSH daemon as well as the github signing if you’d like. You still need to add an entry into authorized_keys on every computer you’re going to be using for SSH authentication, but this time… magically… it’s the SAME key on every computer you pair Krypton with without having to manually move things around, figure out where to securely store the key (it’s in secure storage on your phone).

To get your SSH public key just type kr me and voila!

Krypton is focused on security and as such the default settings ask you to confirm your login every time on your phone. I found that a little annoying especially when running Terraform jobs (more on this later) but luckily they allow you to customize your paranoia level per-host right from the app. I do still have it ask me every 3 hours or so to confirm, but after that it doesn’t bother me with additional prompts.

This is the first post in a series of posts about my home lab where I develop/prototype my applications. The next installment of this series is going to be how to use Terraform at home with your own setup that’s not a cloud provider.

Footnotes

  1. Because of the SSL library Krypton uses it doesn’t place nicely with Windows out of the box. It works perfectly though with the Windows Subsystem for Linux (WSL) and so I use WSL for doing all my git and ssh work on Windows and have had zero problems.
  2. Not all platforms that support U2F seem to work. I use Firefox because I care about speed and privacy and while generally Krypton works just fine with sites like Gandi – I have had trouble getting it to be recognized by Google and I have no idea why. Yubikeys work fine on Google *shrug*