To set up the YubiKey, the yubico-piv-tool is used. It must be installed from source to work correctly. For the installation the following packages are needed:
apt-get install git cmake build-essential libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man

git clone https://github.com/Yubico/yubico-piv-tool.git
cd yubico-piv-tool
mkdir build; cd build
cmake ..
make
sudo make install
To install the YubiKey Manager check https://developers.yubico.com/yubikey-manager/.
This needs to be done on an offline machine!
Activate the USB interface CCID on the YubiKey. Activate the mode using:
ykman mode CCID
To prepare the PIV applet in the YubiKey, the management key, the PIN and the PUK need to be set.
yubico-piv-tool -a set-mgm-key -n 010203040506070801020304050607080102030405060708
# the management key just set; the following commands pass it with -k
key=010203040506070801020304050607080102030405060708
yubico-piv-tool -k $key -a change-pin -P 123456 -N 123456
yubico-piv-tool -k $key -a change-puk -P 12345678 -N 12345678
Then generate an RSA private key for the SSH host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy: they want to be able to extract the public key from the smart card, and do that through the X.509 certificate.
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
mkdir -p $PATH_TO_CERTIFICATE
# generate the key directly on the yubikey (slot 9c) and self-sign the certificate
# $key is the management key set during the PIV preparation (-k); the PIN is passed with -P
yubico-piv-tool -k $key -s 9c -a generate -o yubikey$YUBIKEYNUM.pem
yubico-piv-tool -P 123456 -a verify-pin -a selfsign-certificate --valid-days 10000 -s 9c -S "/CN=yubikey$YUBIKEYNUM/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem
# import self-signed certificate
yubico-piv-tool -k $key -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem
# convert the PEM public key to OpenSSH format
ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub
# move public key to correct place and remove leftovers
mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE
rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem
To sign clients' public keys there is the script 'generate_client_certificate.sh' to simplify the procedure.
The script has the following options:
'-g' is needed as the certificate holder's name.
The output of 'generate_client_certificate.sh' is a .tar archive that contains the certificate, the public key that is used to authenticate servers, as well as instructions to install the certificate on the client's machine. It is stored in the home directory '$HOME/signed_keys'.
# list the public keys reachable through the PKCS#11 module (the CA key on the YubiKey)
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D $PATH_TO_YKCS11 -e

# block the PIN by entering a wrong PIN until the retry counter is exhausted
yubico-piv-tool -a verify-pin -P 471112
yubico-piv-tool -a verify-pin -P 471112
yubico-piv-tool -a verify-pin -P 471112
yubico-piv-tool -a verify-pin -P 471112
# block the PUK the same way
yubico-piv-tool -a change-puk -P 471112 -N 6756789
yubico-piv-tool -a change-puk -P 471112 -N 6756789
yubico-piv-tool -a change-puk -P 471112 -N 6756789
yubico-piv-tool -a change-puk -P 471112 -N 6756789
# reset the PIV applet (possible once PIN and PUK are blocked) and re-create CHUID and CCC
yubico-piv-tool -a reset
yubico-piv-tool -a set-chuid
yubico-piv-tool -a set-ccc
ssh-keygen -L -f hello_world-cert.pub
hello_world-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT SHA256:diEzE7FgTzHHu87G3ssTLkJcGIikFWe832M3q7OMpS/0
        Signing CA: RSA SHA256:dGhZ6Zs5q9+6Ze3dt4zfbcmz+soOudwe56TfGvY+U
        Key ID: "hello_world"
        Serial: 0
        Valid: from 2020-05-29T06:09:00 to 2021-05-28T06:10:37
        Principals:
                hello_world.netdef.org
        Critical Options: (none)
        Extensions: (none)
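To check a listing like the one above mechanically before a certificate is deployed, here is an added example in Python (not part of the original page): it parses `ssh-keygen -L` output and verifies the signing CA fingerprint, the expected principal and the validity window. The expected CA fingerprint and the check time are assumed inputs; the sample listing is constructed from the output shown above.

```python
import re
from datetime import datetime
TIME_FMT = "%Y-%m-%dT%H:%M:%S"
# Constructed sample: the `ssh-keygen -L` listing of the host certificate shown above.
SAMPLE_LISTING = """hello_world-cert.pub:
    Type: ssh-rsa-cert-v01@openssh.com host certificate
    Public key: RSA-CERT SHA256:diEzE7FgTzHHu87G3ssTLkJcGIikFWe832M3q7OMpS/0
    Signing CA: RSA SHA256:dGhZ6Zs5q9+6Ze3dt4zfbcmz+soOudwe56TfGvY+U
    Key ID: "hello_world"
    Valid: from 2020-05-29T06:09:00 to 2021-05-28T06:10:37
    Principals:
        hello_world.netdef.org
    Critical Options: (none)
    Extensions: (none)
"""
def parse_cert_listing(text):
    # Turn an `ssh-keygen -L` listing into a dict; principals become a list.
    cert = {"principals": [], "valid_from": None, "valid_to": None}
    in_principals = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_principals and line and ":" not in line:  # indented principal entries
            cert["principals"].append(line)
            continue
        in_principals = False
        key, sep, value = (s.strip() for s in line.partition(":"))
        if key == "Principals":
            in_principals = True
        elif key == "Valid":  # "from <start> to <end>", or "forever" when unbounded
            m = re.match(r"from (\S+) to (\S+)", value)
            if m:
                cert["valid_from"], cert["valid_to"] = [datetime.strptime(s, TIME_FMT) for s in m.groups()]
        elif sep:
            cert[key] = value.strip('"')
    return cert
def check_host_cert(cert, expected_ca_fp, expected_principal, now_iso):
    # Return a list of problems; an empty list means the certificate is acceptable.
    now = datetime.strptime(now_iso, TIME_FMT)
    problems = []
    if "host certificate" not in cert.get("Type", ""):
        problems.append("not a host certificate")
    ca = re.search(r"SHA256:\S+", cert.get("Signing CA", ""))  # tolerate trailing "(using ...)"
    if not ca or ca.group(0) != expected_ca_fp:
        problems.append("signed by unexpected CA")
    if expected_principal not in cert["principals"]:
        problems.append("principal %s not listed" % expected_principal)
    if cert["valid_from"] and not cert["valid_from"] <= now <= cert["valid_to"]:
        problems.append("outside validity window")
    return problems
```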
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub -I server_name \
    -h \
    -n server.netdef.org \
    -V +52w \
    /etc/ssh-ca/ssh_host_rsa_key.pub
Options explanation:
-D: the PKCS#11 module through which the CA private key on the YubiKey is reached
-s: the CA public key; with -D it identifies which key in the module signs
-I: the key identity written into the certificate (shown as "Key ID" by ssh-keygen -L)
-h: create a host certificate instead of a user certificate
-n: the principals (host names) the certificate is valid for
-V: the validity interval, here from now for 52 weeks
The last argument is the host public key to be signed.
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub -I client_name \
    -n root \
    -V +24h \
    /etc/ssh_ca/id_rsa.pub
Options explanation:
-D and -s: as for the host certificate, the PKCS#11 module and the CA public key
-I: the key identity written into the certificate
-n: the principals (user names) the certificate may log in as, here root
-V: the validity interval, here 24 hours from now
Without -h a user certificate is created; the last argument is the client's public key to be signed.