Gingivitis has been eroding the gum line of this great nation long enough and must be stopped. For too long this country has been suffering a great moral and oral decay, in spirit and incisors. A country's future depends on its ability to bite back. We can no longer be a nation indentured. Our very salivation is at stake.
SM boards with dedi and shared phy for ipmi are usually defaulted to auto mode. I think first interface it can arp for the gateway on wins (or maybe dedi then shared).
I've had good experiences with Yubikeys thus far. I still have two of the Symantec VIP tokens from years ago that I've never had issues with. I recently bought a Neo to test out NFC (NFC support on the HTC 10 seems deplorable for smart card reading btw). I also purchased a few 4c tokens and so far they've worked great although I haven't been using them for very long.
The gotchas I've encountered while using them on OSX:
- The pins for PIV and OpenPGP are separate as these are separate modules on the card.
- You can't use the PIV or NEO GUI managers and gpg at the same time. You might have to unplug and plug the token back in when switching back and forth between GUI/cmdline Yubico tools and gpg.
- Forgetting to change my environment to use gpg-agent instead of ssh-agent.
- Typing in my local password instead of the PIV pin when logging into OSX while I have a token with PIV enabled plugged in.
For people asking about backing up material on OpenPGP modules: these are write only. Generate your material locally with gpg instead of generating it on the smart card itself and use the keytocard command to copy the keys to the card. You can back up your keyring prior to moving keys and restore it before copying keys to each card, or Ctrl-C out of gpg without saving the keyring references for the material that was moved to the smart card.
I used bits and pieces from a few guides to get the setup I wanted as this was my first experience with smart cards and advanced use of pgp:
Overview of my process (on an air gapped machine):
- Configure gpg.conf.
- Generate master, subkey, and revocation material on an encrypted USB drive for offline backup of material along with revocation certificates.
- Back up original .gnupg directory to another folder on the encrypted USB drive.
- Copy .gnupg directory to second encrypted USB drive for offsite backup.
- For each smart card I wanted the same material on:
-- Change default user and admin pins.
-- keytocard subkeys for (S)ign, (E)ncrypt, (A)uthenticate (without saving keyring).
-- Require local touch for all material ( Yubico specific: https://developers.yubico.com/PGP/Card_edit.html ).
-- move on to next card.
-- save keyring after running keytocard on the last card so the subkey material no longer exists in the local keyring, only references to it (this might not be necessary, I need to test).
- Generate a copy of the keyring without master key to use on daily machine(s). Might also only need to have the master material minus the key in the keyring as noted above. I haven't tested how
- Copy new keyring to another USB drive for transferring to daily machine(s).
- Configure gpg-agent.conf and gpg.conf on daily machine.
Resetting the applet if you messed up or want to start fresh:
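Relating to the process overview above (not the reset step), an added example that is not part of the original comment: a check of `gpg --list-secret-keys --with-colons` output on a daily machine, confirming that the master secret key is absent and every subkey is a reference to a card. The key IDs, card serial and sample listings are constructed; the policy (master absent, all subkeys on card) is an assumption drawn from the overview.

```python
# Added example. Field positions follow GnuPG's colon format (doc/DETAILS):
# field 5 = key ID, field 12 = capabilities, field 15 = token serial number,
# "#" (secret part absent) or "+" (secret part stored in the local keyring).
CARD = "D2760001240100000000000000000000"  # constructed serial, not a real card

# Constructed listings: GOOD is the intended daily-machine state, BAD still
# holds the master key and the encryption subkey on disk.
GOOD = f"""\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::cSEA:::#:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s:::{CARD}:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e:::{CARD}:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1500000000::::::a:::{CARD}:
"""
BAD = GOOD.replace("cSEA:::#:", "cSEA:::+:").replace(f":e:::{CARD}:", ":e:::+:")


def parse_secret_keys(listing):
    """Return one dict per sec/ssb record with where its secret part lives."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        marker = f[14]
        if marker == "#":
            where = "absent"
        elif marker == "+":
            where = "local"
        else:
            where = "card" if marker else "unknown"
        keys.append({"type": f[0], "keyid": f[4], "caps": f[11], "where": where})
    return keys


def audit_daily_keyring(listing):
    """List deviations from: master secret absent, every subkey on a card."""
    problems = []
    for k in parse_secret_keys(listing):
        expected = "absent" if k["type"] == "sec" else "card"
        if k["where"] != expected:
            problems.append(f"{k['type']} {k['keyid']} [{k['caps']}]: "
                            f"secret key is {k['where']}, expected {expected}")
    return problems


if __name__ == "__main__":
    for name, listing in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_daily_keyring(listing) or "ok")
```
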