Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
apt-get install autoconf automake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man

# if not already installed
apt-get install git build-essential


Install the tool:

Code Block
git clone https://github.com/Yubico/yubico-piv-tool.git

cd yubico-piv-tool

autoreconf --install
./configure  --disable-dependency-tracking
make
make install

...

Code Block
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

mkdir -p $PATH_TO_CERTIFICATE
ssh-keygen -D $PATH_TO_YKCS11 -e > $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub



Sign server's RSA key

Code Block
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I server_name \
            -h \
            -n server.netdef.org \
            -V +52w \
            /etc/ssh-ca/ssh_host_rsa_key.pub

...

  • -D
    • is used to access the yubikey
  • -s
    • provides the public certificate to access the yubikey
  • -I server_name
    • The key identifier to include in the certificate.
  • -h
    • Generate a host certificate (instead of a user certificate)
  • -n server.netdef.org
    • The principal names to include in the certificate.
    • For host certificates this is a list of all names that the system is known by.
    • Note: Use the unqualified names carefully here in organizations where hostnames are not unique (ca.netdef.org vs. ca.dev.netdef.org)
  • -V +52w
    • The validity period.
    • For host certificates, you’ll probably want them pretty long lived.
    • This setting sets the validity period from now until 52 weeks hence.
  • /etc/ssh-ca/ssh_host_rsa_key.pub
    • The path to the host RSA public key to sign.
    • Our signed host key certificate will be /etc/ssh-ca/ssh_host_rsa_key-cert.pub.

Sign client's RSA key

Code Block
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I client_name \
            -n root \
            -V +24h \
            /etc/ssh_ca/id_rsa.pub

...