To sign client's public keys there is the script
to simplify the procedure.'
generate_client_certificate.sh'
The scripts does have the following options:
'-g'
is needed as the certificate holder's name.The output of '
generate_client_certificate.sh
is a .tar archive that contains the certificate, the public key that is used to authenticate servers as well as an instruction to install the certificate on the client's machine. It is stored in the home directory '
'
$HOME/signed_keys'
.
To sign host's public keys there is the script
to simplify the procedure.'
generate_host_certificate.sh'
The scripts does have the following options:
The output of
is the certificate '
generate_host_certificate.sh'
'
HOST_ID-cert.pub'
that needs to be copied to the host. It is stored in the home directory '
$HOME/
.signed_keys
'
This needs to be done on a offline machine! |
To setup the yubikey the yubico-piv-tool
is used. It must be installed from source to work correctly. For the installation the following packages are needed:
apt-get install autoconf automake build-essential libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man |
git clone https://github.com/Yubico/yubico-piv-tool.git cd yubico-piv-tool mkdir build; cd build cmake .. make sudo make install |
To prepare the PIV applet in the YubiKey the management key, the pin and the punk needs to be set.
yubico-piv-tool -a set-mgm-key -n 010203040506070801020304050607080102030405060708 yubico-piv-tool -k $key -a change-pin -P 123456 -N 123456 yubico-piv-tool -k $key -a change-puk -P 12345678 -N 12345678 |
Then generate a RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy. They want to be able to extract the public-key from the smart-card, and do that through the X.509 certificate.
YUBIKEYNUM=0 PATH_TO_CERTIFICATE="/etc/ssh-ca" # generate key directly on yubikey and self-sign the certificate yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate -s 9c -S "/CN=yubikey`$YUBIKEYNUM`/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem # import self-signed certificate yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem # convert public key to RSA ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub # move public key to correct place and remove leftovers mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem |
YUBIKEYNUM=0 PATH_TO_CERTIFICATE="/etc/ssh-ca" PATH_TO_YKCS11="/usr/local/lib/libykcs11.so" ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub -I server_name \ -h \ -n server.netdef.org \ -V +52w \ /etc/ssh-ca/ssh_host_rsa_key.pub |
Options explanation:
YUBIKEYNUM=0 PATH_TO_CERTIFICATE="/etc/ssh-ca" PATH_TO_YKCS11="/usr/local/lib/libykcs11.so" ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub -I client_name \ -n root \ -V +24h \ /etc/ssh_ca/id_rsa.pub |
Options explanation:
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so" ssh-keygen -D PATH_TO_YKCS11 -e |
yubico-piv-tool -averify-pin -P471112 yubico-piv-tool -averify-pin -P471112 yubico-piv-tool -averify-pin -P471112 yubico-piv-tool -averify-pin -P471112 yubico-piv-tool -achange-puk -P471112 -N6756789 yubico-piv-tool -achange-puk -P471112 -N6756789 yubico-piv-tool -achange-puk -P471112 -N6756789 yubico-piv-tool -achange-puk -P471112 -N6756789 yubico-piv-tool -areset yubico-piv-tool -aset-chuid yubico-piv-tool -aset-ccc |
ssh-keygen -L -f hello_world-cert.pub hello_world-cert.pub: Type: ssh-rsa-cert-v01@openssh.com host certificate Public key: RSA-CERT SHA256:diEzE7FgTzHHu87G3ssTLkJcGIikFWe832M3q7OMpS/0 Signing CA: RSA SHA256:dGhZ6Zs5q9+6Ze3dt4zfbcmz+soOudwe56TfGvY+U Key ID: "hello_world" Serial: 0 Valid: from 2020-05-29T06:09:00 to 2021-05-28T06:10:37 Principals: hello_world.netdef.org Critical Options: (none) Extensions: (none) |