Roadmap
Client
- Self update
  - Check for new version
  - Download and install new version
  - Periodic check for new version and notify user
- Config file
  - Using PIN policy
    - Ask user for PIN
    - Store PIN in OS keyring
  - Using touch policy
  - Using setup profile from server
- Initial setup
  - Full reset and setup
  - Partial setup (only secure keys)
Agent
- SSH Agent
  - Check for correct source requester to unix socket (deny access from another user)
  - External ssh-keys (add via `ssh-add`)
- RPC Server for concurrent access to Yubikey
- Write audit log
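One way to implement the socket-owner check listed under SSH Agent above, as an added example that is not part of this project's code: the agent reads the connecting process's UID from the kernel with SO_PEERCRED (Linux only; macOS would use LOCAL_PEERCRED instead) and refuses any connection not opened by the user running the agent. The function names and the `syscall.Conn` argument are assumptions made for this example.

```go
package main

import (
	"fmt"
	"syscall"
)

// peerUID returns the UID of the process at the other end of a Unix-domain
// stream socket, read via SO_PEERCRED (Linux only). The kernel fills in the
// credentials, so a client cannot forge them.
func peerUID(conn syscall.Conn) (uint32, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	var credErr error
	if err := raw.Control(func(fd uintptr) {
		cred, credErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return 0, err
	}
	if credErr != nil {
		return 0, credErr
	}
	return cred.Uid, nil
}

// authorizePeer accepts a connection only when it was opened by allowedUID
// (the user running the agent). Any other user is refused, so the agent
// serves exactly one user's Yubikey even if the socket path is guessable.
func authorizePeer(conn syscall.Conn, allowedUID uint32) error {
	uid, err := peerUID(conn)
	if err != nil {
		return fmt.Errorf("cannot read peer credentials: %w", err)
	}
	if uid != allowedUID {
		return fmt.Errorf("peer uid %d is not the agent owner uid %d", uid, allowedUID)
	}
	return nil
}
```

Call `authorizePeer` on each accepted `*net.UnixConn` before speaking the agent protocol, and still create the socket inside a directory with mode 0700 so the credential check is a second layer rather than the only one.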
OS Support
- MacOS
  - Arch: amd64
  - Arch: arm64
  - Using `launchd` for agent
  - Using keychain for storing PIN and PUK
- Linux
  - Arch: amd64
  - Arch: arm64
  - Using `systemd` for agent
  - Debian based distributions
- Windows (not sure if this support is needed at all... I don't have a place to test it)
Yubikey
- Reset Yubikey to factory defaults
  - Reset PIV applet
  - Reset OTP applet
  - Reset FIDO2 applet
- Change PIN
- Change PUK
- Unlock PIN using PUK
- Rotate insecure keys
- Rotate secure keys
- Enable/disable interfaces for USB/NFC (OTP, PIV, FIDO2, FIDO U2F, OATH, OpenPGP, ...)
Keys (PIV applet)
- Insecure RSA 2048 (static key)
- Insecure ECC P-256/P-384 (static key)
- Secure RSA 2048 (certificate based key with CA)
- Secure ECC P-256/P-384 (certificate based key with CA)
- PIV Certificates
  - Authentication
  - Digital Signature
  - Key Management
  - Card Authentication
RoboClient
SSH Agent without a Yubikey, based on short-lived certificates (for example: 1 day).
Usage: grant robots (CI/CD, backup, automation, ...) access to servers
- Config file
- SSH Agent
Server
- CA Server (PKI)
  - Serve setup profiles for clients
- OTP Validation Server
  - Validate user key ownership
  - Validate OTP
  - Validate OTP with YubiCloud
- Audit log
- User directory
  - User management
  - Sync from external directory (LDAP, Active Directory, scripts, ...)
- Support YubiHSM 2 (please, donate one or two to me)
Test SSH Server
Usage: test SSH Agent and Yubikey
Radius Server
Usage: grant users access to the network