Christopher Hylarides

DevOps Engineer, urbanist, and traveller.

MacOS Yubikey ssh-agent Setup

Recently, I decided to give FIDO2-backed SSH keys a go for work and personal use. The theoretical benefits of keeping your private keys secure and irretrievable are pretty compelling in certain use cases.

Background on the Issues with Yubikeys and SSH on MacOS

With modern versions of OpenSSH (8.3+), you can use SSH keys stored in a modern Yubikey that supports FIDO2 (specifically FIDO 2.1 for credProtect, which early versions of the Yubikey 5 did not support). This allows you to use the key in an attached Yubikey to authenticate to remote SSH servers, including Linux hosts, GitHub and anything else that supports the ed25519-sk and ecdsa-sk key types (essentially ed25519 and ecdsa keys held in a Yubikey or other hardware device). For their own reasons, Apple ships the MacOS bundled versions of OpenSSH (including ssh-keygen and ssh-agent) built with support for this disabled (still the case as of November 2024 with MacOS Sequoia 15.1.1). We can get around this by installing the clients via Homebrew.

Digital Ocean FreeBSD status

I’ve set up this website on a FreeBSD droplet on Digital Ocean. I want to start off by saying that DO is a wicked cool service that is both relatively cheap, quick, and slick.

However, there’s currently a problem with their FreeBSD droplets. I’m getting some bad packet loss which is killing the performance of the service, which is why the website is taking so long to load. It’s a known issue that they’re working on but they can’t/won’t give me a timeframe. They’ve given me a free 3 month credit, so I’m going to wait it out for another month or so before switching to an Ubuntu image.

Blogging again!

Well it’s been years, but I’ve finally gotten around to blogging again. I’ve decided on Hugo as my blogging platform and I’m hosting it on a Digital Ocean FreeBSD droplet.

I’ve also backported a couple of posts from previous blogs that I’ve run. Let’s see how this goes.

OpenBSD sudo

    $ sudo -s
    Password:
    Your mind just hasn't been the same since the electro-shock, has it?
    Password:
    stty: unknown mode: doofus
    Password:
:-D

Korean Differences

A list of differences I noticed between Korea and Canada that I noted while there on business.

Visiting the Korean Demilitarized Zone

On Sunday, Andrie and I took a trip out to the DMZ with North Korea. Unfortunately the JSA was closed that day, so we didn’t get to see any North Korean soldiers up close.

It’s still a very weird place. Driving up to it, the Imjin river straddles the highway. Since it flows from North Korea, they’ve fenced it off halfway to Seoul and there are armed guard towers every few hundred metres. Once you get to the outskirts of the DMZ you have to switch to a special tour bus. Photography going forward is extremely limited. I was only allowed to take pictures from specific approved areas. Driving to our first stop, you have to go through a checkpoint where South Korean soldiers come on and check all the passports of the tourists. After this the bus goes onto a bridge and zig-zags around barriers.

Seoul

Well I’m currently blogging from South Korea!

Seoul is a pretty intense place, and we’ve only explored it in tiny amounts so far. After a brutal 18 hours in airports and planes we arrived in the early evening. I was surprised that my CDMA BlackBerry roams here (no data though), so I didn’t need to rent a handset. The airport was overall very efficient and we were out within 30 minutes after landing, which was a nice reminder of how horrible and inefficient most Canadian airports are (as well as Canadian Border Control). A quick bus ride to our hotel and we ventured out to the small roads behind our hotel, where we found a local Korean grill house. For those who don’t know, many Korean restaurants actually bring the raw meats to you and they are cooked in front of you on a gas grill. The meats are marinated and absolutely delicious.

Via Rail Internet

I’m currently on a VIA train heading home. Since Angelo bought the wifi service for the day and then just went to sleep, he let me use it. It’s almost usable (AJAX tends to barf on it). Its uplink is via satellite.

     hylarides:~ hylaride$ ping www.google.ca
     PING www.l.google.com (64.233.161.104): 56 data bytes
     64 bytes from 64.233.161.104: icmp_seq=0 ttl=240 time=1031.102 ms
     64 bytes from 64.233.161.104: icmp_seq=1 ttl=240 time=1131.279 ms
     64 bytes from 64.233.161.104: icmp_seq=2 ttl=240 time=4449.298 ms
     64 bytes from 64.233.161.104: icmp_seq=6 ttl=240 time=1692.930 ms
     64 bytes from 64.233.161.104: icmp_seq=3 ttl=240 time=4730.675 ms
     64 bytes from 64.233.161.104: icmp_seq=4 ttl=240 time=4203.077 ms
     64 bytes from 64.233.161.104: icmp_seq=5 ttl=240 time=4004.036 ms
     64 bytes from 64.233.161.104: icmp_seq=8 ttl=240 time=1236.735 ms
     64 bytes from 64.233.161.104: icmp_seq=10 ttl=240 time=1667.189 ms
     ^C
     --- www.l.google.com ping statistics ---
     15 packets transmitted, 9 packets received, 40% packet loss
     round-trip min/avg/max/stddev = 1031.102/2682.925/4730.675/1513.236 ms