{"id":13513018,"url":"https://github.com/DataDog/yubikey","last_synced_at":"2025-03-31T00:30:45.900Z","repository":{"id":37979412,"uuid":"119881265","full_name":"DataDog/yubikey","owner":"DataDog","description":"## Auto-archived due to inactivity. ## YubiKey at Datadog","archived":true,"fork":false,"pushed_at":"2024-02-01T09:20:31.000Z","size":288,"stargazers_count":495,"open_issues_count":10,"forks_count":36,"subscribers_count":536,"default_branch":"master","last_synced_at":"2025-03-02T18:53:42.651Z","etag":null,"topics":["datadog","docker","git","gpg","ssh","vmware-fusion","yubikey"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DataDog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2018-02-01T19:14:27.000Z","updated_at":"2025-02-17T12:01:14.000Z","dependencies_parsed_at":"2024-01-03T02:42:52.732Z","dependency_job_id":"de8c379c-8d61-4189-bcc1-372064c67989","html_url":"https://github.com/DataDog/yubikey","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fyubikey","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fyubikey/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fyubikey/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fyubikey/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DataDog","download_url"
:"https://codeload.github.com/DataDog/yubikey/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246399816,"owners_count":20770907,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["datadog","docker","git","gpg","ssh","vmware-fusion","yubikey"],"created_at":"2024-08-01T04:00:36.353Z","updated_at":"2025-03-31T00:30:45.450Z","avatar_url":"https://github.com/DataDog.png","language":"Shell","readme":"# ⚠️ Repository Deprecated ⚠️\nNotice: This code repository is no longer maintained or updated. The content and code are provided as-is, and may no longer be relevant or functional.\n\nFor Datadog employees, see the \"commit signing setup guide\" in Confluence instead.\n\n# YubiKey at Datadog\n\n- [Summary](#summary)\n- [Estimated burden and prerequisites](#estimated-burden-and-prerequisites)\n- [U2F](#u2f)\n- [GPG](#gpg)\n- [git](#git)\n- [SSH](#ssh)\n- [Reset](#reset)\n- [Troubleshooting](#troubleshooting)\n- [Optional](#optional)\n- [References](#references)\n\n## Summary\n\nGPG is useful for authenticating yourself over SSH and / or GPG-signing your\ngit commits / tags. However, without hardware like the\n[YubiKey](https://www.yubico.com/products/yubikey-hardware/), you would\ntypically keep your GPG private subkeys in \"plain view\" on your machine, even\nif encrypted. 
That is, attackers who personally target\n[[1](https://www.kennethreitz.org/essays/on-cybersecurity-and-being-targeted),\n[2](https://bitcoingold.org/critical-warning-nov-26/),\n[3](https://panic.com/blog/stolen-source-code/),\n[4](https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/)] you\nand compromise your machine can exfiltrate your (encrypted) private key, and\nyour passphrase, in order to pretend to be you.\n\nInstead, this setup lets you store your private subkeys on your YubiKey.\nActually, it gives you much stronger guarantees: you *cannot* authenticate over\nSSH and / or sign GPG commits / tags *without*: (1) your YubiKey plugged in and\noperational, (2) your YubiKey PIN, and (3) touching your YubiKey. So, even if\nthere is malware trying to get you to sign, encrypt, or authenticate something,\nyou would almost certainly notice, because your YubiKey will flash, asking for\nyour attention. (There is the \"[time of check to time of\nuse](https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use)\" issue,\nbut that is out of our scope.)\n\n## Estimated burden and prerequisites\n\n\u003cs\u003eAbout 2-3 hours.\u003c/s\u003e 15 minutes could save you 15% or more on cybersecurity\ninsurance.\n\nYou will need macOS with [Homebrew](https://brew.sh/) / Ubuntu / Arch Linux, a password manager, and a\n[YubiKey 5](https://www.yubico.com/products/yubikey-hardware/).\n\n## U2F\n\n**STRONGLY recommended:** configure U2F for\n[GitHub](https://help.github.com/articles/configuring-two-factor-authentication/#configuring-two-factor-authentication-using-fido-u2f)\nand\n[Google](https://support.yubico.com/hc/en-us/articles/360013717460-Using-Your-YubiKey-with-Google).\n\n## GPG\n\n**Please read and follow all of the instructions carefully.**\n\n```bash\n$ ./gpg.sh\n```\n\n(Protip: set `TEMPDIR=1` when preparing YubiKey for someone else to avoid\npolluting your default GPG homedir.)\n\n## git\n\n**STRONGLY RECOMMENDED:** signing your git commits and tags.\n\nYou 
**must** first set up [GPG](#gpg).\n\nThen, to sign git commits and tags for a _particular_ repository:\n\n```bash\n$ ./git.sh /path/to/git/repository\n```\n\nOr, to sign git commits and tags for _all_ repositories:\n\n```bash\n$ ./git.sh\n```\n\n## SSH\n\n**NOT recommended** for most users. This script sets up your YubiKey as the holder of your SSH key,\nhelping to prevent it from being leaked or stolen. The script will take control of `ssh-agent`, so\nit's not particularly compatible with other SSH keys - you should only run this if you intend to use\nthis as your only SSH key on the machine you're using.\n\nWith this setup, you'll need to enter a PIN to unlock the key every 24 hours and then physically touch the\nkey when it blinks (i.e. every time you SSH or push/pull Git). If you don't touch the key, the request will\ntime out and you'll get an unhelpful message.\n\nThis is compatible with usage on remote machines over SSH\n(it will set up agent forwarding to use the key remotely; touch is required on each action).\n\nYou **must** have first set up [GPG](#gpg). Then:\n\n```bash\n$ ./ssh.sh\n```\n\n## Reset\n\nIf you need to reset YubiKeys, you may use the following script. The script looks for every plugged-in YubiKey,\nand shows a menu to reset one specific key, or all of them.\n**Please read and follow all of the instructions carefully. YOU WILL NOT BE ABLE TO RETRIEVE KEYS/DATA FROM THE YUBIKEY AFTER COMPLETION.**\n\n```bash\n$ ./reset.sh\n```\n\n## Troubleshooting\n\nGo [here](docs/troubleshooting.md) for troubleshooting common issues such as unblocking a blocked card, errors when pulling or pushing with git over SSH, and rebasing with git.\n\n## Optional\n\nGo [here](docs/optional.md) for support on optional bits such as configuring a computer to use an already configured YubiKey, signing for different git repositories with different keys, Keybase, VMware Fusion, and Docker Content Trust.\n\n## References\n\n1. 
[YubiKey Handbook](https://ruimarinho.gitbooks.io/yubikey-handbook/content/openpgp/)\n\n2. [A Git Horror Story: Repository Integrity With Signed Commits](https://mikegerwitz.com/papers/git-horror-story)\n\n3. [Welp, there go my Git signatures](http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/)\n\n4. [[Bitcoin-development] PSA: Please sign your git commits](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2014-May/005877.html)\n","funding_links":[],"categories":["Configuration Guides","Shell","Security","Password-less auth","Credentials"],"sub_categories":["Proxy","Security key","Tokens"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDataDog%2Fyubikey","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDataDog%2Fyubikey","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDataDog%2Fyubikey/lists"}