...
To set up the YubiKey, the yubico-piv-tool is used. It must be installed from source to work correctly. The following packages are needed for the installation:
```bash
apt-get install autoconf automake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man
# if not already installed
apt-get install git build-essential
```
Install the tool:
```bash
git clone https://github.com/Yubico/yubico-piv-tool.git
cd yubico-piv-tool
autoreconf --install
./configure --disable-dependency-tracking
make
make install
```
...
Then prepare the PIV applet in the YubiKey NEO.
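```bash
YUBIKEYNUM=0
# The .key, .pin and .puk files written below hold secrets;
# keep them readable only by the operator.
# New management key: 24 random bytes as hex
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo "$key" > yubikey$YUBIKEYNUM.key
# New PIN: 6 digits
pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
echo "$pin" > yubikey$YUBIKEYNUM.pin
# New PUK: up to 8 digits
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
echo "$puk" > yubikey$YUBIKEYNUM.puk
# Replace the default management key, PIN (123456) and PUK (12345678)
yubico-piv-tool -a set-mgm-key -n "$key"
yubico-piv-tool -k "$key" -a change-pin -P 123456 -N "$pin"
yubico-piv-tool -k "$key" -a change-puk -P 12345678 -N "$puk"
```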
...
Then generate an RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy: they need to be able to extract the public key from the smartcard, and they do that through the X.509 certificate.
```bash
openssl genrsa -out yubikey$YUBIKEYNUM-key.pem 2048
openssl req -new -x509 -batch -key yubikey$YUBIKEYNUM-key.pem -out yubikey$YUBIKEYNUM-cert.pem
```
...
You import the key and certificate to the PIV applet as follows:
```bash
yubico-piv-tool -k $key -a import-key -s 9c < yubikey$YUBIKEYNUM-key.pem
yubico-piv-tool -k $key -a import-certificate -s 9c < yubikey$YUBIKEYNUM-cert.pem
```
...
Extract the public key for the CA:
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
mkdir -p $PATH_TO_CERTIFICATE
ssh-keygen -D $PATH_TO_YKCS11 -e > $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
```
Sign the server's RSA key:
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
# -h issues a host certificate; -n sets the principal (host name); -V sets the validity period
ssh-keygen -D $PATH_TO_YKCS11 \
  -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub \
  -I server_name \
  -h \
  -n server.netdef.org \
  -V +52w \
  /etc/ssh-ca/ssh_host_rsa_key.pub
```
...
Sign the client's RSA key:
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
# Without -h a user certificate is issued; -n sets the principal (login name); -V sets the validity period
ssh-keygen -D $PATH_TO_YKCS11 \
  -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub \
  -I client_name \
  -n root \
  -V +24h \
  /etc/ssh_ca/id_rsa.pub
```
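After signing, the resulting certificates can be inspected with `ssh-keygen -L` to confirm the type, signing CA and principals before they are deployed. The script below is an added example, not part of the original page: a throwaway software CA in a temporary directory stands in for the YubiKey, and the function names `check_cert` and `make_sample_certs` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. A throwaway software CA in a temp
# directory stands in for the YubiKey; all keys and names here are constructed.

# check_cert CERT CA_PUB TYPE PRINCIPAL
# Succeeds only if CERT declares TYPE ("host" or "user"), names CA_PUB as its
# signing CA, and lists PRINCIPAL.
check_cert() {
    cert=$1 ca_pub=$2 type=$3 principal=$4
    info=$(ssh-keygen -L -f "$cert") || return 1
    ca_fp=$(ssh-keygen -l -f "$ca_pub" | awk '{print $2}')
    printf '%s\n' "$info" | grep -q "Type: .* $type certificate" || return 1
    printf '%s\n' "$info" | grep 'Signing CA:' | grep -qF "$ca_fp" || return 1
    printf '%s\n' "$info" | awk -v p="$principal" '
        /Principals:/       { in_list = 1; next }
        /Critical Options:/ { in_list = 0 }
        in_list && $1 == p  { found = 1 }
        END                 { exit !found }'
}

# make_sample_certs DIR: sign one host key and one user key with the same
# -I/-h/-n/-V options the page uses, but with the CA private key on disk.
make_sample_certs() {
    d=$1
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$d/ca"
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$d/ssh_host_rsa_key"
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$d/id_rsa"
    ssh-keygen -q -s "$d/ca" -I server_name -h -n server.netdef.org \
        -V +52w "$d/ssh_host_rsa_key.pub"
    ssh-keygen -q -s "$d/ca" -I client_name -n root -V +24h "$d/id_rsa.pub"
}

tmp=$(mktemp -d)
make_sample_certs "$tmp"
check_cert "$tmp/ssh_host_rsa_key-cert.pub" "$tmp/ca.pub" host server.netdef.org \
    && echo "host certificate OK"
check_cert "$tmp/id_rsa-cert.pub" "$tmp/ca.pub" user root \
    && echo "user certificate OK"
# A host certificate must not pass as a user certificate.
check_cert "$tmp/ssh_host_rsa_key-cert.pub" "$tmp/ca.pub" user root \
    || echo "host certificate rejected as user certificate"
```

With the YubiKey-backed CA, pass the extracted `yubikey$YUBIKEYNUM.pub` as the `CA_PUB` argument.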
...
Reset the PIV applet on the YubiKey:
```bash
# Block the PIN with repeated failed verifications
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
# Block the PUK with repeated failed change-puk attempts
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
# The reset only works once both PIN and PUK are blocked
yubico-piv-tool -areset
# Write new CHUID and CCC objects
yubico-piv-tool -aset-chuid
yubico-piv-tool -aset-ccc
```
...