| author | Franck Cuny <franck@fcuny.net> | 2026-01-05 09:02:01 -0800 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2026-01-05 09:02:01 -0800 |
| commit | 30ef3074bac2c3279f0bcaede36c39d1edfa375e (patch) | |
| tree | a91bee61a8660c833cc2825e5fe90a87895a276e | |
| parent | flake.lock: Update (diff) | |
| download | infra-30ef3074bac2c3279f0bcaede36c39d1edfa375e.tar.gz | |
add ssh keys from the yubikeys
| -rw-r--r-- | home/profiles/darwin.nix | 1 | ||||
| -rw-r--r-- | home/programs/ssh.nix | 25 | ||||
| -rw-r--r-- | profiles/defaults.nix | 11 | ||||
| -rw-r--r-- | profiles/remote-unlock.nix | 12 | ||||
| -rw-r--r-- | profiles/users/admin-user.nix | 11 | ||||
| -rw-r--r-- | profiles/users/builder.nix | 12 |
6 files changed, 71 insertions, 1 deletions
diff --git a/home/profiles/darwin.nix b/home/profiles/darwin.nix
index 53c6ff8..b7d7ae6 100644
--- a/home/profiles/darwin.nix
+++ b/home/profiles/darwin.nix
@@ -37,6 +37,7 @@
 tree
 wget
 wireshark
+ openssh # the version of ssh shipped on MacOS does not support yubikey
 yubikey-manager
 ];
diff --git a/home/programs/ssh.nix b/home/programs/ssh.nix
index 004b082..77c4897 100644
--- a/home/programs/ssh.nix
+++ b/home/programs/ssh.nix
@@ -13,25 +13,50 @@
 };
 "rivendell" = {
 hostname = "192.168.1.114";
+ identityAgent = "none";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/id_ed25519_sk_rk";
 };
 "riv-unlock" = {
 hostname = "192.168.1.114";
 user = "root";
 port = 911;
+ identityAgent = "none";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/id_ed25519_sk_rk";
 };
 "nas" = {
 hostname = "192.168.1.68";
+ identityAgent = "none";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/id_ed25519_sk_rk";
+ };
+ "nnas" = {
+ hostname = "192.168.1.68";
+ user = "nas";
+ identityAgent = "none";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/id_ed25519_sk_rk";
 };
 "bree" = {
 hostname = "192.168.1.50";
+ identityAgent = "none";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/id_ed25519_sk_rk";
 };
 "argonath" = {
 hostname = "fcuny.net";
+ identityAgent = "none";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/id_ed25519_sk_rk";
 };
 "github.com" = {
 hostname = "github.com";
 user = "git";
 forwardAgent = false;
+ identityAgent = "none";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/id_ed25519_sk_rk";
 extraOptions = {
 preferredAuthentications = "publickey";
 controlMaster = "no";
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 01b6bcf..96b1461 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
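Review bot: The same three lines `identityAgent = "none"; identitiesOnly = true; identityFile = "~/.ssh/id_ed25519_sk_rk";` are pasted into seven host blocks of home/programs/ssh.nix, so the next change to the resident-key path or agent policy has to be made seven times and one block will be missed. Hoist the trio into a `let` binding and merge it into each block with `//`, or set it once on a `"*"` match block and keep per-host overrides only where they differ; the enclosing match-block set starts before this hunk, so the binding would go above it. With `identityAgent = "none"` the agent is bypassed and each host now depends on that handle file existing on every client, which fails closed when it is missing but deserves a comment next to the binding.
```nix
let
  # resident FIDO key on the YubiKey; agent bypassed so only this key is offered
  yubikeyIdentity = {
    identityAgent = "none";
    identitiesOnly = true;
    identityFile = "~/.ssh/id_ed25519_sk_rk";
  };
in
# … unchanged: options preceding the match blocks …
"rivendell" = {
  hostname = "192.168.1.114";
} // yubikeyIdentity;
# … unchanged: remaining host blocks, same pattern …
```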
@@ -113,7 +113,18 @@
 users = {
 mutableUsers = false;
 users.root.openssh.authorizedKeys.keys = [
+ # 1password
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # YubiKey 5C Nano (personal)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
+ # Yubikey 5C (keychain)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
+ # Yubikey 5C NFC (backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
+ # Yubikey 5C Nano (work)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
+ # Yubikey Security Key C NFC (work, backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
 ];
 };
diff --git a/profiles/remote-unlock.nix b/profiles/remote-unlock.nix
index ea211ad..310d52b 100644
--- a/profiles/remote-unlock.nix
+++ b/profiles/remote-unlock.nix
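Review bot: The five `sk-ssh-ed25519@openssh.com` entries added to `users.root.openssh.authorizedKeys.keys` here are repeated byte-for-byte in profiles/remote-unlock.nix, profiles/users/admin-user.nix and profiles/users/builder.nix, so revoking or replacing one YubiKey means four edits and a missed one leaves a stale key with root access. Define the list once (e.g. a `yubikeyKeys` attribute in a shared module) and splice it in with `++` in all four places; the `users` attribute set opened before this hunk. For the root account in particular it is worth asking whether the two work-labelled keys belong in this list at all, and whether the entries should carry the `verify-required` authorized_keys option so that a touch alone, without the PIN, cannot open a root session — that only works if the keys were generated with `-O verify-required`, which I cannot tell from the hunk.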
@@ -19,6 +19,18 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
 # key used to automatically unlock
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPr9Dv2MjZoRltmxi21PoS/42KnOhYxuq9r6ER62vjAx"
+ # YubiKey 5C Nano (personal)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
+ # Yubikey 5C (keychain)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
+ # Yubikey 5C (keychain)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
+ # Yubikey 5C NFC (backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
+ # Yubikey 5C Nano (work)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
+ # Yubikey Security Key C NFC (work, backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
 ];
 };
 };
diff --git a/profiles/users/admin-user.nix b/profiles/users/admin-user.nix
index 1471ef7..ff389cb 100644
--- a/profiles/users/admin-user.nix
+++ b/profiles/users/admin-user.nix
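Review bot: The `# Yubikey 5C (keychain)` comment and its `sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8…` key are added twice in this hunk (12 insertions here against 10 in the other three files), so one of the two pairs should be dropped. The duplicate is harmless to sshd, which stops at the first matching entry, but it misstates how many distinct keys are authorised in a list that, going by the file name and the "automatically unlock" comment above it, presumably unlocks the disk from the initrd before the main system is up. A one-line comment such as `# resident FIDO keys; the initrd sshd must accept sk-* key types` would record the assumption this list now makes about the early-boot OpenSSH build, which I cannot confirm from the hunk. The enclosing attribute set starts before this hunk.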
@@ -12,7 +12,18 @@
 isNormalUser = true;
 hashedPassword = "$y$j9T$U3mXpCzXC1VUp8wV5snJz/$32vTk0KwVXvP/jLO13nMlGPHy0nCe4ZtebdvqU4hwmD";
 openssh.authorizedKeys.keys = [
+ # 1password
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # YubiKey 5C Nano (personal)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
+ # Yubikey 5C (keychain)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
+ # Yubikey 5C NFC (backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
+ # Yubikey 5C Nano (work)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
+ # Yubikey Security Key C NFC (work, backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
 ];
 extraGroups = [
 "wheel"
diff --git a/profiles/users/builder.nix b/profiles/users/builder.nix
index 32f318f..2998c19 100644
--- a/profiles/users/builder.nix
+++ b/profiles/users/builder.nix
@@ -4,10 +4,20 @@
 users.users.builder = {
 openssh.authorizedKeys.keys = [
- # my personal key
+ # 1password
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
 # remote builder ssh key
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ # YubiKey 5C Nano (personal)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
+ # Yubikey 5C (keychain)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
+ # Yubikey 5C NFC (backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
+ # Yubikey 5C Nano (work)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
+ # Yubikey Security Key C NFC (work, backup)
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
 ];
 isNormalUser = true;
 group = "nogroup";
