[03:48:07] <apergos>	 just a fyi about perforce and puppet   https://fosstodon.org/@genebean/113664863697232378
[14:04:33] <andrewbogott>	 Is anyone using either fuse.js or minisearch? I want to stick a search engine on a static site, seeking opinions and/or deployment methods.
[15:14:08] <Lucas_WMDE>	 I’m looking into setting up my new yubikey (having lost the old one, see I78c24de34f) and am wondering which SSH option to go for
[15:14:19] <Lucas_WMDE>	 (I hope it’s okay to ask about that here if there isn’t an emergency at the moment)
[15:14:19] <cdanis>	 what OS?
[15:14:22] <Lucas_WMDE>	 arch linux
[15:14:32] <Lucas_WMDE>	 IIUC, there are up to three options – GPG, FIDO, PIV
[15:14:50] <cdanis>	 tbh I would probably still do the GPG option, it's the most configurable, does support ed25519 nowadays
[15:14:55] <Lucas_WMDE>	 oh, it does?
[15:15:01] <Lucas_WMDE>	 I thought I needed FIDO (or PIV) for that
[15:15:15] <cdanis>	 if it's a yubikey shipped within the past 2+ years it works on GPG
[15:15:28] <cdanis>	 just a few more setup steps
[15:15:36] <cdanis>	 with FIDO you'll need to touch every time
[15:15:48] <cdanis>	 (and with GPG you can toggle that off and on)
[15:15:59] <Lucas_WMDE>	 touch every time is what I want, I think ^^
[15:16:04] <Lucas_WMDE>	 (as long as it caches it for 15 seconds)
[15:16:07] <cdanis>	 it doesn't :)
[15:16:17] <Lucas_WMDE>	 so, two touches for every login? bastion + host?
[15:16:29] <cdanis>	 yeah
[15:16:37] <Lucas_WMDE>	 hm, that does sound annoying
[15:17:06] <cdanis>	 `ControlMaster auto` and friends can help with that, but ofc that also changes the security profile
[15:17:35] <cdanis>	 anyway with FIDO by default sshds (not just your client) will always require a touched token 
[15:17:49] <cdanis>	 with GPG you can reconfigure the key to require touch or to not
[15:18:01] <Lucas_WMDE>	 yeah I set ControlPath none for prod stuff
[15:18:10] <Lucas_WMDE>	 ok…
[15:18:20] <taavi>	 i'm running FIDO and can confirm the double tap is rather annoying
[15:18:25] <Lucas_WMDE>	 and the way to do it is still to generate the key on the computer and then move it to the yubikey?
[15:18:43] <taavi>	 plus fido requires bullseye or newer so you need to still have a "traditional" key for the few buster hosts we have
[15:19:18] <Lucas_WMDE>	 I feel like that’s probably not relevant for me?
[15:19:23] <Lucas_WMDE>	 but I can’t currently ssh to deploy1003 et al. to check :D
[15:20:00] <cdanis>	 I don't have a strong feeling about where you generate the key
[15:22:25] <taavi>	 deploy boxes seem to be bullseye
[15:32:33] <Lucas_WMDE>	 is there a guide for the ed25519 GPG option somewhere?
[15:32:50] <Lucas_WMDE>	 I found https://musigma.blog/2021/05/09/gpg-ssh-ed25519.html so far but it’s not clear to me if I’m supposed to use this with my existing RSA GPG key or totally separate
[15:33:01] <Lucas_WMDE>	 (since https://wikitech.wikimedia.org/wiki/Yubikey-SSH step 7 starts with --edit-key for an existing key)
[15:34:06] <cdanis>	 my take is that OpenGPG keys as they were originally intended are not relevant in 2024 😇 but that's probably not the answer you're looking for
[15:34:14] <Lucas_WMDE>	 ah, addkey + 11 (ECC own caps) seems to let me select Curve 25519 which I assume is ed25519
[15:34:39] <cdanis>	 correct, and you want authentication subtype
[15:35:48] <Lucas_WMDE>	 mhm
[15:39:24] <Lucas_WMDE>	 anyone wanna review https://gerrit.wikimedia.org/r/c/operations/puppet/+/1105021 ? ^^
[15:39:30] <Lucas_WMDE>	 (I already set the touch policy to AUT CACHED)
[15:39:42] <Lucas_WMDE>	 I don’t know if there’s anything else I can test without the key being configured in puppet
[15:40:06] <Lucas_WMDE>	 (the ssh-add -L command only lists the key when the yubikey is plugged in, so I think I correctly moved it out of gpg)
[15:48:13] <Lucas_WMDE>	 added it to the puppet request window now, hopefully I’ll be able to join in time