Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To setup the yubikey the yubico-piv-tool is used. It must be installed from source to work correctly. For the installation the following packages are needed:

Code Block
languagebash
# apt-get install autoconf automake build-essential libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man

Install the tool

Code Block
languagebash
# git clone https://github.com/Yubico/yubico-piv-tool.git

# cd yubico-piv-tool

# autoreconf --install
# ./configure  --disable-dependency-tracking
# make
# make install

Change default pins and management key of yubikey

To prepare the PIV applet in the YubiKey the management key, the pin and the punk needs to be set.

Code Block
languagebash
# YUBIKEYNUM=0
# key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
# echo $key > yubikey$YUBIKEYNUM.key
# pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
# echo $pin > yubikey$YUBIKEYNUM.pin
# puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
# echo $puk > yubikey$YUBIKEYNUM.puk

# yubico-piv-tool -a set-mgm-key -n $key
# yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
# yubico-piv-tool -k $key -a change-puk -P 12345678 -N $puk

...

Then generate a RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy. They want to be able to extract the public-key from the smart-card, and do that through the X.509 certificate.

Code Block
languagebash
# openssl genrsa -out yubikey$YUBIKEYNUM-key.pem 2048
# openssl req -new -x509 -batch -key yubikey$YUBIKEYNUM-key.pem -out yubikey$YUBIKEYNUM-cert.pem

...

You import the key and certificate to the PIV applet as follows:

Code Block
languagebash
# yubico-piv-tool -k $key -a import-key -s 9c < yubikey$YUBIKEYNUM-key.pem
# yubico-piv-tool -k $key -a import-certificate -s 9c < yubikey$YUBIKEYNUM-cert.pem

...

Extract the public key for the CA:

Code Block
languagebash
# PATH_TO_CERTIFICATE="/etc/ssh-ca"
# PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

# mkdir -p $PATH_TO_CERTIFICATE
# ssh-keygen -D $PATH_TO_YKCS11 -e > $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub

Sign server's RSA key

Code Block
languagebash
# PATH_TO_CERTIFICATE="/etc/ssh-ca"
# PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

# ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I server_name \
            -h \
            -n server.netdef.org \
            -V +52w \
            /etc/ssh-ca/ssh_host_rsa_key.pub

...

Sign client's RSA key

Code Block
languagebash
# PATH_TO_CERTIFICATE="/etc/ssh-ca"
# PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

# ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I client_name \
            -n root \
            -V +24h \
            /etc/ssh_ca/id_rsa.pub

...

Viewing an SSH certificate

Code Block
root@ca1:~/signed_keys## ssh-keygen -L -f hello_world-cert.pub
jovin-debianhello_world-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT SHA256:Ciqze7DghNb2VtOoxeslkJXGIikFWY8BQM3E7KMQS/0
        Signing CA: RSA SHA256:l/ccLllvZ9FD+Isv8tLx+2H5Hk6ctzlyoDTTfaY6M+U
        Key ID: "hello_world"
        Serial: 0
        Valid: from 2020-05-29T06:09:00 to 2021-05-28T06:10:37
        Principals:
                hello_world.netdef.org
        Critical Options: (none)
        Extensions: (none)

...