From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: smajor@gmail.com
Received: from krantz.zx2c4.com (localhost [127.0.0.1])
 by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 5e1024c1
 for <wireguard@lists.zx2c4.com>;
 Sun, 12 Nov 2017 23:14:36 +0000 (UTC)
Received: from mail-wm0-f49.google.com (mail-wm0-f49.google.com [74.125.82.49])
 by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id b602e896
 for <wireguard@lists.zx2c4.com>;
 Sun, 12 Nov 2017 23:14:36 +0000 (UTC)
Received: by mail-wm0-f49.google.com with SMTP id 9so6322290wme.4
 for <wireguard@lists.zx2c4.com>; Sun, 12 Nov 2017 15:18:30 -0800 (PST)
MIME-Version: 1.0
From: Stephen Major <smajor@gmail.com>
Date: Sun, 12 Nov 2017 15:18:28 -0800
Message-ID: <CALzTOmLS-RYnns4xPpDSA6zaDBFhXqgL02n7PjzZjZMM4y0pPg@mail.gmail.com>
Subject: Hardware based two factor authentication
To: wireguard@lists.zx2c4.com
Content-Type: multipart/alternative; boundary="f403045c297e1b406e055dd15f47"
List-Id: Development discussion of WireGuard <wireguard.lists.zx2c4.com>
List-Unsubscribe: <https://lists.zx2c4.com/mailman/options/wireguard>,
 <mailto:wireguard-request@lists.zx2c4.com?subject=unsubscribe>
List-Archive: <http://lists.zx2c4.com/pipermail/wireguard/>
List-Post: <mailto:wireguard@lists.zx2c4.com>
List-Help: <mailto:wireguard-request@lists.zx2c4.com?subject=help>
List-Subscribe: <https://lists.zx2c4.com/mailman/listinfo/wireguard>,
 <mailto:wireguard-request@lists.zx2c4.com?subject=subscribe>

--f403045c297e1b406e055dd15f47
Content-Type: text/plain; charset="UTF-8"

This is a two-fold question:


1) Can Wireguard be used directly with Yubikeys: https://www.yubico.com

2) Can Wireguard be used with a radius server like GreenRADIUS:
http://www.greenrocketsecurity.com/greenradius/

--f403045c297e1b406e055dd15f47
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">This is a two-fold=C2=A0question:<div><br></div><div><br><=
/div><div>1) Can Wireguard=C2=A0be used directly with=C2=A0Yubikeys:=C2=A0<=
a href=3D"https://www.yubico.com">https://www.yubico.com</a></div><div><br>=
</div><div>2) Can Wireguard=C2=A0be used with a radius server like GreenRAD=
IUS:<a href=3D"http://www.greenrocketsecurity.com/greenradius/">http://www.=
greenrocketsecurity.com/greenradius/</a></div><div>=C2=A0</div></div>

--f403045c297e1b406e055dd15f47--

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: geokozey@mailfence.com
Received: from krantz.zx2c4.com (localhost [127.0.0.1])
 by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 1043f6f4
 for <wireguard@lists.zx2c4.com>;
 Mon, 13 Nov 2017 12:13:55 +0000 (UTC)
Received: from wilbur.contactoffice.com (cinderella.contactoffice.com
 [212.3.242.69])
 by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id ff9b7e95
 for <wireguard@lists.zx2c4.com>;
 Mon, 13 Nov 2017 12:13:54 +0000 (UTC)
Date: Mon, 13 Nov 2017 13:17:50 +0100 (CET)
From: Geo Kozey <geokozey@mailfence.com>
To: Stephen Major <smajor@gmail.com>, wireguard@lists.zx2c4.com
Message-ID: <332327830.119976.1510575470630@ichabod.co-bxl>
In-Reply-To: <CALzTOmLS-RYnns4xPpDSA6zaDBFhXqgL02n7PjzZjZMM4y0pPg@mail.gmail.com>
References: <CALzTOmLS-RYnns4xPpDSA6zaDBFhXqgL02n7PjzZjZMM4y0pPg@mail.gmail.com>
Subject: Re: Hardware based two factor authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Reply-To: Geo Kozey <geokozey@mailfence.com>
List-Id: Development discussion of WireGuard <wireguard.lists.zx2c4.com>
List-Unsubscribe: <https://lists.zx2c4.com/mailman/options/wireguard>,
 <mailto:wireguard-request@lists.zx2c4.com?subject=unsubscribe>
List-Archive: <http://lists.zx2c4.com/pipermail/wireguard/>
List-Post: <mailto:wireguard@lists.zx2c4.com>
List-Help: <mailto:wireguard-request@lists.zx2c4.com?subject=help>
List-Subscribe: <https://lists.zx2c4.com/mailman/listinfo/wireguard>,
 <mailto:wireguard-request@lists.zx2c4.com?subject=subscribe>

November 13, 2017 12:18:28 AM CET Stephen Major <smajor@gmail.com> wrote:
>This is a two-fold=C2=A0question:
>
>1) Can Wireguard=C2=A0be used directly with=C2=A0Yubikeys:=C2=A0https://ww=
w.yubico.com
>
>2) Can Wireguard=C2=A0be used with a radius server like GreenRADIUS:http:/=
/www.greenrocketsecurity.com/greenradius/
=C2=A0
In case of [1] you can store wireguard keys in pass (https://www.passwordst=
ore.org) database which is encrypted using yubikey smartcard  mode. See exa=
mple setup https://www.palkeo.com/sys/perfect-password-manager.html

Then you can add below command to your wg config, see https://git.zx2c4.com=
/WireGuard/about/src/tools/wg-quick.8:

PostUp =3D wg set %i private-key <(pass WireGuard/private-keys/%i)


Yours sincerely

G. K.