-
-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support multiple Yubikeys and load all slots #27
Conversation
Fixes TODO.
Based on comment in main ticket I suspect my PR doesn’t handle if key can’t be read. Weird because I only have two certificates and it works for me. Will need to look at this if I can find a problem. Perhaps it’s ok if slot 9a has a valid certificate and others get ignored. EDIT: no, I can't find a problem. |
I noticed that I had forgotten to commit the private key part of my change for supporting alternate key slots. With the older version the code failed to sign as it tried to use the first slot private key with the public key of the other slots. |
EDIT: I need to get some sleep, looks like. Earlier timings were wrong because the faster sign-in failed. D'oh. Before caching signers (retrieving all 4 certificates):
After caching signers, showing significant speedup:
|
Just to update this PR status. I'm hoping to get feedback whether it's welcome to support multiple slots per key. This PR supports both multiple slots and multiple keys - which arguably could be split to separate PRs. Personally I only care about the multiple slots - I'm happy to rebase and improve based on review comments. I won't rebase only for the multiple Yubikeys. I can rebase the multiple slots after receiving some feedback what are the conditions to get that merged, and if possible, I'd welcome some help getting consistent benchmarks so we know if adding multiple slot support degrades performance for most users or not. I don't mind at all if someone picks the multiple yubikeys part of this PR and makes a cleaned up and new PR on it. I will not. |
My 2c: multiple slots has the most straightforward use-case (as per #22), and I don't understand the use-case for multiple keys. |
Let me rebase and start again, including only "load all slots". |
@joneskoo @smlx For what it is worth, I actually think support for multiple YubiKeys would be stellar. One use case: I keep a YubiKey 5c nano in my macbook as long as I'm at home or in the office; it is convenient and easy. But, I maintain slightly higher security by keeping a separate YubiKey 5c NFC for more sensitive credentials / services / systems. You could also easily picture not wanting to intermingle identities / credentials related to personal projects and work projects, but occasionally wanting to log in to a personal system from work. |
Fixes #22