Yubikey support through USB-C
On the new iPad Pro, there is a USB-C port. If it exposes HID, it might be possible to support Yubikeys and other similar devices (like smartcards).
On a Mac or Linux, I use the GPG keys stored on a Yubikey for SSH authentication. This is very secure and works well. I would love to use the same setup on an iPad.
Specifically, I'd like to have Blink with a built-in gpg-agent which supports smartcards and yubikeys, to get a setup like this: https://github.com/drduh/YubiKey-Guide
Did research on the iOS API and couldn't find anything that gives access to USB flash drives. Maybe Apple can give access to certified partners (works with iPhone).
If you find any app in the App Store that can read a flash drive, please let me know.
Hmm, but why would you need usb flash drive (storage) access? From what I understand, the YubiKey is a HID device, and since third-party USB keyboards work great, perhaps it could be made to work as well.
Hi @jwr,
Yep, totally didn't understand how it works from the start. Sorry.
But they don't ship to Russia :(
Hmm, their website says they have a distributor in Russia: https://www.yubico.com/store/resellers/
Just some ancillary info that may be helpful here:
For discussion of the general issue of what the USB-C port makes possible, see this post on the Yubikey subreddit.
Apparently for OTP, it can work without specific support because it implements the keyboard HID. This should already work for Blink, but is not the kind of usage discussed in the GPG/SSH doc linked in the OP. That usage requires FIDO bidirectional communication.
For its Titan Key supporting U2F, Google makes an iOS app called Smart Lock. The existence of this app suggests that Apple-blessed apps can access the necessary external resources.
The Yubikey demo site will let you test OTP, FIDO and other protocols on various devices. A link that's been hidden a bit points to their page for testing U2F.
Hope some of this background helps.
Status update:
I got keys (thanks @carloscabanero). We need a special SDK from Yubikey to be able to do something with them. We sent a request, but no response yet.
@yury I don't think you need a special SDK in order to use the OpenPGP card. Plain GnuPG (1 or 2, with 2 preferred) should be able to talk to it. The U2F, OTP, etc. parts are not interesting for SSH key support. Use ykpersonalize on a computer to set it to the correct USB mode, use gnupg to create or load a key. Note that you either have to place the PUBLIC key at some internet-reachable URL and edit the key (gpg --card-edit) to stick that URL on the yubikey itself, OR have a facility to load that public key on the iDevice. The public key DOES NOT automatically follow the YK, only the private key is stored there.
I could contribute a little money each month to the development of YubiKey+OpenPGP support for Blink. Is there a way to do this?
https://www.yubico.com/product/yubikey-5ci
Last week Yubico launched the 5Ci with Lightning and USB-C support.
I have submitted the application for the SDK once more.
Current status

So, what next? Did you try to appeal? Should we all start writing annoyed E-mails to YubiKey?
Yubico's iOS SDK is available at https://github.com/Yubico/yubikit-ios You just need to contact them to have Apple whitelist the app. However, it does mention in the FAQ that "The USB-C type iOS devices, such as the iPad Pro 3rd generation, have limited support when using the YubiKey 5Ci or another type of YubiKey with USB-C connector. The OS is not officially supporting external accessories on these devices."
Which YubiKey is used is not important. Any of them with OpenPGP support will work the same way; the only difference is that you'll need the Lightning-to-USB or C-to-A dongle. So please don't get hung up on the YubiKey model, and the SDK is probably not required either. GnuPG with libusb and its plain CCID support has all you need. The SDK is probably only needed if libusb isn't permitted, and even then I'm not sure it's useful.
Is this still being looked into?
https://www.yubico.com/product/yubikey-5ci .... please please please.
Thank you. ;-)
The specs state " Smart Card capabilities" which I guess means pkcs11 which therefore means SSH support should be perfectly feasible.
This is an important feature for me.
@yury does access to the YubiKey partner portal provide any value, or is it necessary? We surely can try to bother them to be heard if the lack of access is the dealbreaker.
Again, thank you for such an amazing product.
I would also like to see this, or just gpg key support in general, as this is what I primarily use for SSH
The upcoming YubiKey 5C NFC makes this even more interesting. Things should start moving faster now that Apple started supporting WebAuthn in iOS 13, and hardware devices like the YubiKey should start becoming more popular.
So, is anybody actually working on anything related to Blink with a built-in gpg-agent which supports smartcards and yubikeys?
But iPads don’t have NFC at all, do they?
No, they don't. But they do have a USB-C port, so a YubiKey 5C NFC will work with both an iPad (through USB-C), hopefully for Blink using gpg-agent (and WebAuthn elsewhere), and with an iPhone via NFC for WebAuthn. This is a very compelling 2FA solution.
USB-C iPads probably don't fully support the Yubikey 5Ci, have a look at the FAQs here: https://github.com/Yubico/yubikit-ios
Full functionality only via Lightning and NFC.
> But iPads don’t have NFC at all, do they?
I suppose the idea is that you're not exactly going to be tapping your iPad against a card reader in Starbucks to buy your coffee. ;)
@neffs, I don't know how I missed it.
I need to make some experiments. But with yubikit-ios RAW commands and ObjectivePGP we can add PGP support to our ssh-agent.
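The raw-command route mentioned above, as an added example that is not yubikit-ios or Blink code: the three OpenPGP card APDUs an SSH-authentication flow needs (SELECT the applet, VERIFY PW1 in authentication mode, INTERNAL AUTHENTICATE with the Authentication key slot) encoded by hand, plus the status-word decoding that tells you about PIN retries. Command bytes and status words follow the OpenPGP card specification; the `FakeOpenPgpCard` responder, the PIN `123456` and the SHA-256 "signature" it returns are constructed so the script runs offline and are not what a real card does.

```python
"""OpenPGP card APDUs for SSH authentication, built by hand (added example)."""
import hashlib

OPENPGP_AID = bytes.fromhex("D27600012401")   # OpenPGP applet AID

SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982     # PIN not verified for this command
SW_AUTH_METHOD_BLOCKED = 0x6983               # PIN retry counter exhausted


def apdu(cla, ins, p1, p2, data=b"", le=None):
    """Short-length ISO 7816-4 APDU: header, optional Lc+data, optional Le."""
    if len(data) > 255:
        raise ValueError("short APDU limit exceeded; needs chaining or extended length")
    out = bytes([cla, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le & 0xFF])             # Le 0x00 = up to 256 response bytes
    return out


def select_openpgp():
    return apdu(0x00, 0xA4, 0x04, 0x00, OPENPGP_AID)      # SELECT by DF name


def verify_pw1_for_auth(pin: bytes):
    # VERIFY with P2=0x82 unlocks PW1 for PSO:DECIPHER and INTERNAL AUTHENTICATE.
    # P2=0x81 would unlock it for PSO:COMPUTE DIGITAL SIGNATURE, 0x83 is PW3 (admin).
    return apdu(0x00, 0x20, 0x00, 0x82, pin)


def internal_authenticate(challenge: bytes):
    # INTERNAL AUTHENTICATE uses the Authentication key slot, the one gpg-agent
    # exposes over SSH; the signing slot is not touched.
    return apdu(0x00, 0x88, 0x00, 0x00, challenge, le=0x00)


def decode_status(resp: bytes):
    """Split a response into (data, sw, explanation)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    data, sw = resp[:-2], int.from_bytes(resp[-2:], "big")
    if sw == SW_OK:
        return data, sw, "ok"
    if (sw & 0xFFF0) == 0x63C0:               # 63 CX: X tries left
        return data, sw, f"wrong PIN, {sw & 0x0F} tries left"
    if sw == SW_SECURITY_STATUS_NOT_SATISFIED:
        return data, sw, "PIN not verified for this command"
    if sw == SW_AUTH_METHOD_BLOCKED:
        return data, sw, "PIN blocked"
    return data, sw, f"unexpected status {sw:04X}"


class FakeOpenPgpCard:
    """Constructed in-memory responder so the flow runs offline. Not a real applet."""

    def __init__(self, pin=b"123456", retries=3):
        self.pin, self.retries = pin, retries
        self.selected = self.pw1_auth = False

    def transmit(self, cmd: bytes) -> bytes:
        _cla, ins, _p1, p2 = cmd[:4]
        body = cmd[5:5 + cmd[4]] if len(cmd) > 4 else b""
        if ins == 0xA4:
            self.selected = body == OPENPGP_AID
            return SW_OK.to_bytes(2, "big") if self.selected else bytes.fromhex("6A82")
        if not self.selected:
            return bytes.fromhex("6D00")      # INS not supported outside the applet
        if ins == 0x20 and p2 == 0x82:
            if self.retries == 0:
                return SW_AUTH_METHOD_BLOCKED.to_bytes(2, "big")
            if body == self.pin:
                self.pw1_auth = True
                return SW_OK.to_bytes(2, "big")
            self.retries -= 1
            return (0x63C0 | self.retries).to_bytes(2, "big")
        if ins == 0x88:
            if not self.pw1_auth:
                return SW_SECURITY_STATUS_NOT_SATISFIED.to_bytes(2, "big")
            # stand-in for the RSA/ECDSA signature a real card returns
            return hashlib.sha256(body).digest() + SW_OK.to_bytes(2, "big")
        return bytes.fromhex("6D00")


def ssh_auth_flow(card, pin: bytes, challenge: bytes):
    """SELECT, unlock PW1 for authentication, sign the challenge. Returns (sig, trace)."""
    trace, data = [], b""
    for name, cmd in (("select", select_openpgp()),
                      ("verify", verify_pw1_for_auth(pin)),
                      ("auth", internal_authenticate(challenge))):
        data, sw, why = decode_status(card.transmit(cmd))
        trace.append((name, sw, why))
        if sw != SW_OK:
            return None, trace                # stop at the first failure (e.g. wrong PIN)
    return data, trace


if __name__ == "__main__":
    card = FakeOpenPgpCard()
    print(ssh_auth_flow(card, b"000000", b"challenge")[1])   # wrong PIN, 2 tries left
    print(ssh_auth_flow(card, b"123456", b"challenge")[1])   # all ok
```

Two things worth noticing when wiring this into an agent: the PIN mode matters (P2=0x82, not 0x81, or INTERNAL AUTHENTICATE fails with 6982 even though the PIN was "verified"), and a 63 CX status should be surfaced to the user with the remaining count rather than retried silently, since three wrong attempts block PW1.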
Playing with demo app.
- on iPhone 11 - ok
- on iPad PRO 11"

Probably easier to just use Yubikit raw directly from libssh2 / ssh-agent. We only need the authentication key. ObjectivePGP doesn't support smartcards yet.
@neffs, as far as I understand, I need to convert the PGP key to an SSH key. Still researching... If you have any good links, please share.
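The conversion asked about above, and the point made earlier in the thread that only the private half lives on the card while the public key has to be fetched (from the URL set with gpg --card-edit) or loaded onto the device: as an added example that is not GnuPG's or Blink's code, this takes the RSA public key out of an OpenPGP public-key packet and emits the `ssh-rsa` line that a host's authorized_keys needs (what `gpg --export-ssh-key` does for you on a desktop). The modulus `SAMPLE_N` is constructed, not a real RSA key, and the comment string is an arbitrary placeholder. The one real subtlety is in `_ssh_mpint`: OpenPGP MPIs are unsigned, SSH mpints are two's complement, so a modulus with its top bit set needs a leading zero byte or the host will reject the key.

```python
"""OpenPGP RSA public-key packet -> OpenSSH public key line (added example)."""
import base64
import struct


def _mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit length, then the unsigned big-endian magnitude."""
    mag = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + mag


def _read_mpi(buf: bytes, pos: int):
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def build_openpgp_rsa_pubkey_packet(n: int, e: int, created: int = 0) -> bytes:
    """Old-format packet: tag 6 (Public-Key), version 4, algorithm 1 (RSA)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a 2-byte length header")
    # header 1 0 tttt ll : tag 6, length-type 1 (2-byte length) -> 0x99
    return bytes([0x80 | (6 << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def parse_openpgp_rsa_pubkey_packet(pkt: bytes):
    """Return (n, e) from an old-format v4 RSA public-key or public-subkey packet."""
    first = pkt[0]
    if not (first & 0x80) or first & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, lentype = (first >> 2) & 0x0F, first & 0x03
    if tag not in (6, 14):                      # 6 = primary key, 14 = subkey
        raise ValueError(f"not a public-key packet (tag {tag})")
    if lentype == 3:
        raise ValueError("indeterminate packet length not supported")
    hdr = {0: 1, 1: 2, 2: 4}[lentype]
    blen = int.from_bytes(pkt[1:1 + hdr], "big")
    body = pkt[1 + hdr:1 + hdr + blen]
    if body[0] != 4 or body[5] not in (1, 2, 3):  # v4; RSA (1), RSA-E (2), RSA-S (3)
        raise ValueError("not a v4 RSA key")
    n, pos = _read_mpi(body, 6)
    e, _ = _read_mpi(body, pos)
    return n, e


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint is two's complement: prepend 0x00 when the top bit is set."""
    mag = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if mag and mag[0] & 0x80:
        mag = b"\x00" + mag
    return _ssh_string(mag)


def openssh_rsa_blob(pkt: bytes) -> bytes:
    """Wire-format blob: string "ssh-rsa", mpint e, mpint n."""
    n, e = parse_openpgp_rsa_pubkey_packet(pkt)
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def openpgp_rsa_to_openssh(pkt: bytes, comment: str = "openpgp-card-auth-key") -> str:
    """One authorized_keys line; the comment is an arbitrary placeholder here."""
    return f"ssh-rsa {base64.b64encode(openssh_rsa_blob(pkt)).decode()} {comment}"


# Constructed 2048-bit value with the top bit set; NOT a real RSA modulus.
SAMPLE_N = (1 << 2047) + 12345
SAMPLE_E = 65537

if __name__ == "__main__":
    pkt = build_openpgp_rsa_pubkey_packet(SAMPLE_N, SAMPLE_E)
    print(openpgp_rsa_to_openssh(pkt))
```

Only RSA is handled; an ECDSA or Ed25519 authentication subkey on the card uses a different OpenPGP algorithm ID and a different SSH key type, so it needs its own encoding. Every `ssh-rsa` key with e=65537 starts with the same 24 base64 characters (`AAAAB3NzaC1yc2EAAAADAQAB`), which is a quick sanity check on the output.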
I’m taking over this. I’ve been working with WebAuthn a lot for the last months and I feel like I can make it.
My goal is to make it work with the standard new Safari implementation, as that would ensure we don’t depend on other frameworks and we actually may support other keys. Only issue is that a message like this (“Blink Shell wants to use “localhost” to sign in”) would appear when you create the key and every time you login with that key. Do you think this may become annoying? I think it should be fine and it helps to get ready for the key and all that.

Well, it would be annoying, but it's definitely better than nothing :-)
In general, anybody who cares about security will have their YubiKey in touch-to-confirm mode, so there is always one interaction when logging in. Additionally, one usually unlocks the key once after inserting it.
The above seems like an additional step, but it's much better than not having anything.
I'm not sure what you mean by "when you create the key" — I am hoping this approach will still let me use the YubiKey in my Mac as well.
Very good last point, something to discuss too. So there are two ways to implement SSH keys support, already brought up here, one through PKCS#11 (the interface with smart cards) and the other through the new WebAuthn protocol.
-
PKCS#11 would have to be done through OpenPGP agent or similar. This is no small undertaking and even just the instructions to make it work under any distro are convoluted. Libssh may have implemented something but I'm not sure. Additionally, under the covers iOS will limit what solutions we can have, as just "interfacing through USB" won't work. It is a drivers problem, everything that talks through Lightning requires special approval, and through USBC it isn’t even sure it will work as a smart card. It seems like a lot of work for very little and very niche, only Yubikey supports PKCS#11. The only advantage is that you can, effectively, use the same key if you have all the OpenPGP incantations, in all of your machines.
-
WebAuthn is my favorite option. The protocol is a lot easier, and there is already a library to make it work with OpenSSH (libfido2). On iOS we can make it work with both Safari in a more generic way, with interfaces over NFC, Lightning, USBC and potentially Bluetooth in the future (we could even support other keys and not just Yubikeys). The problem is that as I understand, using the same key on multiple machines depends on having the public information synchronized between those machines. This is unsolved, but easy to do. We could even help at some point to synchronize hosts and public keys in all your devices, including computers.
So that’s the state of things. Feedback is really welcome as I’m deep on this right now.