...
- -D
- The path to the PKCS#11 shared library (libykcs11 for a YubiKey) through which ssh-keygen reaches the CA private key on the token. Combined with -s it tells ssh-keygen that the CA key lives in a PKCS#11 token rather than in a file.
- -s
- The public half of the CA key, as a plain .pub file. ssh-keygen uses it to select the matching private key on the token; the private key itself never leaves the YubiKey.
- -I client_name
- The key identifier to include in the certificate. sshd logs it whenever the certificate is used, so choose a value that identifies the key or its owner.
- -n root
- The principal names to include in the certificate, as a comma-separated list.
- For client (user) certificates this is the list of usernames the certificate holder is allowed to log in as; sshd rejects the certificate if the requested username is not in the list.
- -V +24h
- The validity period.
- For client certificates, you’ll probably want them short lived.
- +24h makes the certificate valid from now until 24 hours from now (ssh-keygen backdates the start by about a minute to tolerate clock skew between hosts).
- Once an SSH session is authenticated the certificate can safely expire without impacting the established session; validity is only checked when the certificate is presented.
- /etc/ssh_ca/id_rsa.pub
- The public key to sign.
- ssh-keygen writes the certificate next to the key with a -cert.pub suffix, so signing /etc/ssh_ca/id_rsa.pub produces /etc/ssh_ca/id_rsa-cert.pub (a host key such as ssh_host_rsa_key.pub would produce ssh_host_rsa_key-cert.pub).
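What the -I, -n and -V options actually write into the certificate, and how sshd checks those fields at login, as an added Python example that is not from the page or from OpenSSH: it serializes and decodes the ed25519 user certificate layout from OpenSSH's PROTOCOL.certkeys. The key bytes, CA key bytes and signature are constructed placeholders (a real certificate carries the signature made by the CA key on the YubiKey), and signature verification is deliberately left out, so it is a debugging aid for reading certificates, not a validator.

```python
# Added example (not from the page): what ssh-keygen's -I, -n and -V options
# encode in a certificate and how sshd checks those fields. Key and signature
# bytes are constructed placeholders; a real cert is signed by the CA key.
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1

def _string(b):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def build_user_cert(pubkey, key_id, principals, now, lifetime_secs,
                    ca_pubkey, signature, serial=0):
    """Lay out a user certificate as 'ssh-keygen -s CA -I key_id -n principals
    -V +<lifetime> key.pub' does; the window start is backdated to the previous
    minute boundary (clock skew tolerance), the end is lifetime_secs after now."""
    valid_after = ((now - 59) // 60) * 60
    valid_before = now + lifetime_secs
    body = b"".join([
        _string(CERT_TYPE),
        _string(b"\x00" * 32),            # nonce (constructed; ssh-keygen uses random bytes)
        _string(pubkey),                  # the key being certified (contents of key.pub)
        struct.pack(">Q", serial),
        struct.pack(">I", USER_CERT),
        _string(key_id.encode()),         # -I
        _string(b"".join(_string(p.encode()) for p in principals)),  # -n
        struct.pack(">Q", valid_after),   # -V start
        struct.pack(">Q", valid_before),  # -V end
        _string(b""),                     # critical options (none)
        _string(b""),                     # extensions (none; ssh-keygen adds permit-* by default)
        _string(b""),                     # reserved
        _string(_string(b"ssh-ed25519") + _string(ca_pubkey)),  # the CA public key
    ])
    # The CA signs 'body'; this placeholder signature would be rejected by sshd.
    return body + _string(_string(b"ssh-ed25519") + _string(signature))

class _Reader:
    def __init__(self, data):
        self.data, self.off = data, 0

    def num(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return v

    def string(self):
        n = self.num(">I")
        s = self.data[self.off:self.off + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return s

def parse_cert(blob):
    """Decode the fields 'ssh-keygen -L' prints; does not verify the signature."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()                                # nonce
    pubkey, serial, cert_type = r.string(), r.num(">Q"), r.num(">I")
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.off < len(pr.data):              # principals are nested strings
        principals.append(pr.string().decode())
    valid_after, valid_before = r.num(">Q"), r.num(">Q")
    r.string(), r.string(), r.string()        # critical options, extensions, reserved
    sig_key = _Reader(r.string())
    sig_key.string()                          # CA key type
    ca_pubkey = sig_key.string()
    r.string()                                # signature blob
    if r.off != len(blob):
        raise ValueError("trailing data after certificate")
    return {"pubkey": pubkey, "serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_pubkey": ca_pubkey}

def check_cert(cert, login_user, now):
    """The principal and validity checks sshd applies when a certificate is
    presented (signature and TrustedUserCAKeys checks are omitted here)."""
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    if login_user not in cert["principals"]:
        return False, f"{login_user!r} is not a listed principal"
    if now < cert["valid_after"]:
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    return True, "ok"

if __name__ == "__main__":
    import time
    now = int(time.time())
    blob = build_user_cert(b"\x11" * 32, "client_name", ["root"], now, 24 * 3600, b"\x22" * 32, b"\x33" * 64)
    cert = parse_cert(blob)
    print(cert["key_id"], cert["principals"], check_cert(cert, "root", now))
    print(check_cert(cert, "admin", now), check_cert(cert, "root", now + 25 * 3600))
```

The same fields appear in the output of ssh-keygen -L -f <certificate file>, which is the first thing to look at when a server rejects a certificate: the principal list must contain the login name exactly, and the validity window is compared against the server's clock, not the client's.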
Troubleshooting
Export public key

Lists the public keys held on the token through the PKCS#11 library; the CA key in that output is what you save to the file passed to -s. The variable needs a $ when it is expanded:

```shell
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D "$PATH_TO_YKCS11" -e
```
Reset PIV on Yubikey

A reset wipes every key and certificate in the PIV application (the CA key included) and restores the default PIN (123456), PUK (12345678) and management key. yubico-piv-tool only allows a reset once both the PIN and the PUK are blocked, which is why the sequence deliberately verifies with a wrong PIN and changes the PUK with a wrong PUK until the retry counters are exhausted; the repeated commands are intentional, and extra attempts after the block are harmless:

```shell
# Block the PIN by verifying with a wrong one until the retries run out
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
yubico-piv-tool -averify-pin -P471112
# Block the PUK the same way
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
yubico-piv-tool -achange-puk -P471112 -N6756789
# Reset the PIV application, then write a fresh CHUID and CCC
yubico-piv-tool -areset
yubico-piv-tool -aset-chuid
yubico-piv-tool -aset-ccc
```
...