...
The output of 'generate_host_certificate.sh' is the certificate 'HOST_ID-cert.pub' that needs to be copied to the host. It is stored in the home directory '$HOME/signed_keys'.
...
7 - Troubleshooting
Export public key
# list the public keys held on the YubiKey through the PKCS#11 provider
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D $PATH_TO_YKCS11 -e
Reset PIV on Yubikey
# 'reset' is only permitted once both the PIN and the PUK are blocked, so the
# retry counters are exhausted on purpose with a wrong PIN and a wrong PUK.
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
# wipe the PIV applet: keys and certificates are deleted, PIN/PUK return to defaults
yubico-piv-tool -areset
# write a fresh CHUID and CCC so the applet is usable again
yubico-piv-tool -aset-chuid
yubico-piv-tool -aset-ccc
Viewing an SSH certificate
ssh-keygen -L -f hello_world-cert.pub
hello_world-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com host certificate
Public key: RSA-CERT SHA256:diEzE7FgTzHHu87G3ssTLkJcGIikFWe832M3q7OMpS/0
Signing CA: RSA SHA256:dGhZ6Zs5q9+6Ze3dt4zfbcmz+soOudwe56TfGvY+U
Key ID: "hello_world"
Serial: 0
Valid: from 2020-05-29T06:09:00 to 2021-05-28T06:10:37
Principals:
hello_world.netdef.org
Critical Options: (none)
Extensions: (none)
Sign server's RSA key manually
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
# sign the host key with the CA key held on the YubiKey; the private key never leaves the token
ssh-keygen -D $PATH_TO_YKCS11 \
  -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub \
  -I server_name \
  -h \
  -n server.netdef.org \
  -V +52w \
  /etc/ssh-ca/ssh_host_rsa_key.pub
...
- -D: the PKCS#11 provider library (libykcs11.so) through which ssh-keygen reaches the CA key on the YubiKey.
- -s: the CA public key file. With -D the private half stays on the YubiKey, so the public key is all ssh-keygen needs to select the signing key.
- -I server_name: the key identifier to include in the certificate.
- -h: generate a host certificate (instead of a user certificate).
- -n server.netdef.org: the principal names to include in the certificate.
  - For host certificates this is a list of all names that the system is known by.
  - Note: use unqualified names carefully in organizations where hostnames are not unique (ca.netdef.org vs. ca.dev.netdef.org).
- -V +52w: the validity period.
  - For host certificates, you'll probably want them pretty long lived.
  - This setting sets the validity period from now until 52 weeks hence.
- /etc/ssh-ca/ssh_host_rsa_key.pub: the path to the host RSA public key to sign.
  - Our signed host key certificate will be /etc/ssh-ca/ssh_host_rsa_key-cert.pub.
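The -h, -n and -V flags above end up as the "type", "principals" and "valid" fields shown by ssh-keygen -L in the "Viewing an SSH certificate" section. The following Python is an added example, not part of this page or of the generate_host_certificate.sh script: it decodes an ssh-rsa-cert-v01 blob field by field (the layout from OpenSSH's PROTOCOL.certkeys) and reports why a client would refuse it as a host certificate, so a freshly signed certificate can be sanity-checked before it is copied to the host. build_cert_line only produces a constructed sample with dummy key material and no real signature; signature validity is not checked.

```python
import base64
import struct
USER_CERT, HOST_CERT = 1, 2                   # "type" values from OpenSSH PROTOCOL.certkeys
CERT_NAME = b"ssh-rsa-cert-v01@openssh.com"

def _s(b): return struct.pack(">I", len(b)) + b   # SSH "string": uint32 length + bytes

def _read_s(buf, off):
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert_line(key_id, principals, cert_type, valid_after, valid_before):
    """Constructed sample in the field order sshd parses; key and signature are dummies."""
    body = (_s(CERT_NAME) + _s(b"\x00" * 32)                          # name, nonce
            + _s(b"\x01\x00\x01") + _s(b"\x00\xc3" + b"\x11" * 255)   # mpint e, mpint n
            + struct.pack(">QI", 0, cert_type)                         # serial, type
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")               # critical options, extensions, reserved
            + _s(b"ca-key-placeholder") + _s(b"signature-placeholder"))
    return "%s %s %s" % (CERT_NAME.decode(), base64.b64encode(body).decode(), key_id)

def parse_cert_line(line):
    """Decode the fields that ssh-keygen -L prints (the signature is NOT verified here)."""
    buf = base64.b64decode(line.split()[1])
    name, off = _read_s(buf, 0)
    _, off = _read_s(buf, off)                                         # nonce
    for _ in range(2 if name.startswith(b"ssh-rsa-") else 1):          # rsa: e, n; ed25519: pk
        _, off = _read_s(buf, off)
    serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _read_s(buf, off + 12)
    plist, off = _read_s(buf, off)
    principals, p = [], 0
    while p < len(plist):                                              # packed list of strings
        princ, p = _read_s(plist, p)
        principals.append(princ.decode())
    after, before = struct.unpack_from(">QQ", buf, off)
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def check_host_cert(line, hostname, now):
    """Reasons a client would reject this as hostname's host cert at epoch time `now`."""
    c = parse_cert_line(line)
    checks = [(c["type"] != HOST_CERT, "not a host certificate (was -h given to ssh-keygen?)"),
              (hostname not in c["principals"], "%s not in principals %s (-n)" % (hostname, c["principals"])),
              (not c["valid_after"] <= now < c["valid_before"], "outside validity window (-V)")]
    return [msg for bad, msg in checks if bad]
```

To check a real certificate, pass the single line of HOST_ID-cert.pub to check_host_cert with the host's FQDN and int(time.time()); an empty list means type, principal and validity all match.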
...
Sign client's RSA key manually
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
# sign the client key with the CA key held on the YubiKey (no -h, so a user certificate is produced)
ssh-keygen -D $PATH_TO_YKCS11 \
  -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub \
  -I client_name \
  -n root \
  -V +24h \
  /etc/ssh_ca/id_rsa.pub
...
- -D: the PKCS#11 provider library (libykcs11.so) through which ssh-keygen reaches the CA key on the YubiKey.
- -s: the CA public key file. With -D the private half stays on the YubiKey, so the public key is all ssh-keygen needs to select the signing key.
- -I client_name: the key identifier to include in the certificate.
- -n root: the principal names to include in the certificate.
  - For client certificates this is the list of all user names the certificate holder is allowed to log in as.
- -V +24h: the validity period.
  - For client certificates, you'll probably want them short lived.
  - This setting sets the validity period from now until 24 hours hence.
  - Once an SSH session is authenticated the certificate can safely expire without impacting the established session.
- /etc/ssh_ca/id_rsa.pub: the path to the client RSA public key to sign.
  - Our signed client key certificate will be /etc/ssh_ca/id_rsa-cert.pub.
...