DEVSEC – protecting cicd with yubikey protected ssh keys

About three months ago, I was studying Yubikey for the use of signed git commits and signed merges. During this, I ended up doing a small PoC on loading my Git repo’s SSH key into a secure hard-token instead of leaving it on my local desktop for malware to compromise.

So I took some step-by-step notes in a git README and forgot about it. Months later, I accidentally overwrote my previous SSH key slot with a new key and need to go through this procedure again…

Lucky for me and you…. I took notes to help those who want to do the right thing but just need a little bit of help to make it easy…

And remember to “TOUCH” the Yubikey when executing the selfsign-certificate command.. you’ll lose so many hours enabling verbose logs and tracing back the error to find out your forgot to touch your the Yubikey !!!

I’ve used this illustration before. Essentially, if an attacker or malware gets your git API key or SSH key then they can bypass any SSO + MFA on the web interface. Depending on the permissions tied to those credentials, the attacker may be able to either

  • Poison your source control system or
  • Remotely command and control your build environments.

That could be catastrophic for your development processes and production environments.

If only someone would have made it super easy for you to protect your CICD SSH keys….


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s