Had to do this for some advanced networking with KVM, and couldn't figure out how to do it using the Nework Manager gui. Did find an article later that showed how to do it with nmtui, but it's so much easier to record what you did when using the cli.
In the examples below "eth0" is the name of my physical interface. By default on Ubuntu and most distributions that will almost certainly be different, for example: "eno1", "ens1", or "enp2s0".
To see what everything looks like before starting:
Answer is simple – Security! Alternatives include storing private keys directly on a workstation – which makes them poorly protected in multitude of attacks. A better option is to use encrypted usb key but leaving inserted and unsealed usb key for a long time is insecure, while inserting it and removing it back and forth all the time is tedious.
YubiKey suits much better for this purpose by making your SSH keys much more secure while maintaining a great user experience.
YubiKey is a hardware security key which provides Universal 2nd Factor (U2F) cryptographic tokens through a USB and/or NFC interface. This means you have to explicitly authorize a new SSH session by tapping the YubiKey. The private SSH key should be useless to a malicious user who does not have access to the physical YubiKey on which the second private key is stored.
| sudo apt-get update | |
| sudo apt-get install -y python3 python3-dev python3-pip gcc | |
| sudo apt-get install -y python3-opencv | |
| sudo apt-get install -y python3-numpy | |
| sudo apt-get install git | |
| sudo apt-get install wget | |
| sudo apt-get install python3-setuptools | |
| wget https://github.com/rockchip-linux/rknpu2/raw/master/runtime/RK356X/Linux/librknn_api/aarch64/librknnrt.so | |
| sudo mv librknnrt.so /usr/lib/librknnrt.so | |
| git clone https://github.com/rockchip-linux/rknn-toolkit2.git |
This guide covers using both PIV smartcard and FIDO2 features of your Yubikey, SoloKey(v2), and Windows Hello for SSH authentication in a secure and portable manner. FIDO2 support works with YubiKey, SoloKey(v2), and Windows Hello(biometric:face, biometric:fingerprint, secure-element/pin) with OpenSSH as a relatively new feature which requires updated client and server versions. PIV support has been around with PKCS#11 for many years in the OpenSSH codebase, and is considered a more stable and ubiquitous solution when an applicable PKCS#11 library is available for your platform.
Example below assumes that you have a piv key already generated in a yubikey slot the way you want. If you need to generate a new one, read the excellent documentation here: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client
