Posts

Showing posts from July, 2011

Yubico is awesome

Yubico and their products are awesome. That pretty much sums up this blog post, but I'm going to go on anyway. If you're thinking of introducing two-factor authentication to your company, or you're using something that's fundamentally broken (like RSA SecurID), you simply must at least take Yubikeys into consideration. When I say that SecurID (and others) are fundamentally broken, what I mean is that when (not if, as recent history has shown) RSA (the company) is broken into, YOUR security is now compromised. When I first used SecurID and found out that you as a customer aren't in control of your own keys, my first thought was "well, that's just stupid". Why are you giving the keys to the kingdom to someone else? Enter Yubikeys. They just beat SecurID in every way (almost).

Benefits: Open specification. You can set your own keys (secrets) and don't have to show them to a third party who...

OpenSSH certificates

The documentation for OpenSSH certificates (introduced in OpenSSH 5.4) is, shall we say, a bit lacking. So I'm writing down the essentials of what they are and how to use them.

What they are NOT

They're not SSH PubkeyAuthentication. In other words, if your .pub file doesn't end in -cert.pub and you haven't used ssh-keygen -s, then you aren't using certificates.

They're not SSL. Still the same SSH protocol.

They're not PEM, X.509, ASN.1 or any other insane format. This means you cannot get your keys signed by Verisign or any other root CA. And you cannot use multiple levels of CA.

They're not easy to google for. Most hits will be about normal pubkey authentication. Some will be about older patches to one SSH implementation or another that added some form of PKI, even X.509 support. You'll probably have the most luck googling for "ssh-keygen -s" (with quotes).

What they do

Sign host keys ...