#yubikey


I'm betting the answer here is "this isn't possible" but if anyone knows how to tell OpenSSH that when it's enumerating pubkeys it should check which of the two known authentication dongles is actually plugged into the computer, and only prompt me to unlock the SK key that belongs to that dongle, not both of them, please tell me how.

Does anyone have experience with either #Yubikey, #Nitrokey or any other hardware security token for both #MFA/#2FA as well as #encryption via #PGP/#GPG or #SMIME?

In particular, I am looking at the Nitrokey 3A NFC. As far as I can tell, Yubico only sells #MFA tokens(?), unless the YubiKey 5 FIPS Series can hold encryption keys as well?

Both price and open hardware aspect definitely speak for Nitrokey, but I do not know anyone who owns such a token... Anyone who I can talk to?

shop.nitrokey.com · Nitrokey 3A NFC

TIL that Pure Storage issues YubiKeys branded with their logo!

(eBay, not my listing:)

ebay.com/itm/135898756327

Interesting: Just over the side of the logo, the phrase "NO NFC" is seen (not sure if an add-on label, or part of the logo). NFC-enabled keys ship with NFC disabled by default until first power-up (and can be re-disabled in ykman -R / --restrict option):

yubico.com/getting-started/

... so I'm not sure if this means NFC is permanently disabled, but it seems likely. Will update when I get one.

So, #passkey question:

Is it possible that a web site that has been supporting YubiKeys for a while would automatically support Safari’s and 1Password’s passkeys, by means of it being WebAuthn in both cases, or at least appear to support them, even if it fails later?

That would explain some of the ignorance of customer service agents when you point out how their passkey implementation is broken.


@Linux there are 3 big options you forgot that I know of which too ain't under #Cloudact aka. have no subsidiary/office/parent company in the #USA:

And for #PasswordManagers, there's also #Enpass for those that don't like #KeePassXC / #KeePassDX / #KeePass and for organizations there's even #Passbolt as a centrally manageable solution. All of these allow #SelfCustody & #SelfHosting on-premise.

If you are looking for a good password manager you can use from anywhere, there are plenty of excellent options to choose from. However, if you prefer to only store your passwords locally, KeePassXC is what you need. In our latest tutorial, we'll walk through setting up KeePassXC to work with your YubiKey as an additional factor to secure your local-only password database.

privacyguides.org/articles/202

www.privacyguides.org · KeePassXC + YubiKey: How to set up a local-only password manager

New Privacy Guides article 🔑✨ by me:

If you are using a YubiKey, you might get into some situations where you need to reset your key to factory default, and/or set up a backup of it on a spare key.

This tutorial will guide you through each step to reset and back up your YubiKey successfully, with clear instructions and plenty of visual support.

I hope you find it helpful!

privacyguides.org/articles/202

Always remember, when it comes to hardware security keys: Two is one, one is none.

Our latest article covers the setup process for two YubiKeys (from Yubico's YubiKey 4 or 5 series) to keep your online accounts safe and secure 🔒 + it goes through resetting your existing keys to a blank slate, and the reasons you might want to do so!

privacyguides.org/articles/202

www.privacyguides.org · How to Reset Your YubiKey and Create a Backup

People who use hardware security keys: Storing them in geographically diverse locations is a wise move but makes it impossible to quickly onboard. How do you keep track of where you’ve registered each key? A checklist in a spreadsheet is obvious but cumbersome. Is there a better way? (Yes I use passkeys extensively but for certain services like email, iCloud, and my password manager, a hardware option is desirable if not mandatory.) #YubiKey #YubiKeys #FIDO #FIDO2 #FIDOKey #FIDOKeys #Security