Yubikey-SSH: Difference between revisions
→Troubleshooting: how I solved my problems
Tim Starling (talk | contribs): about the yubico PPA
Revision as of 02:15, 25 November 2015
Configuring the YubiKey NEO for SSH authentication in the prod cluster:
== Installation ==
On Debian / Ubuntu:
 apt-get install yubikey-personalization yubico-piv-tool opensc
The yubico-piv-tool package is in the universe repository in Ubuntu 15.10 and later. If you have an earlier version, you can get it from the PPA:
 add-apt-repository ppa:yubico/stable
 apt-get update
On MacOS:
 brew install opensc ykpers yubico-piv-tool
== Enabling CCID smartcard mode ==
The smartcard/CCID feature on the YubiKey NEO is disabled by default. You can change that with the following command:
 ykpersonalize -m86
A message will be printed to the console, confirming the action.
'''Remember to remove and re-insert your YubiKey before proceeding''', otherwise you will get the error "failed to connect to reader".
== Securing physical access to the YubiKey ==
When accessing the NEO you need to enter a PIN to prevent access by someone who e.g. stole your YubiKey. If that PIN is entered incorrectly thrice, the YubiKey needs to be unlocked with a PUK. If that PUK is also entered incorrectly three times, your YubiKey is toast, so make sure to store both in your password manager.
In addition the NEO uses a management key: it secures access when updating the feature applets running on the YubiKey and protects you from someone backdooring your NEO.
The YubiKey ships with default values for the PIN, PUK and management key, so we need to change all of them:
* First the management key (24 random bytes, hex-encoded):
 key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
 yubico-piv-tool -a set-mgm-key -n $key
* Now the PIN (6 digits, 123456 is the shipped default PIN):
 pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"' | cut -c1-6`
 yubico-piv-tool -a change-pin -P 123456 -N $pin
* Finally the PUK (8 digits, with the default 12345678; 8 bytes are read here so that cut always has at least 8 characters to keep):
 puk=`dd if=/dev/random bs=1 count=8 2>/dev/null | hexdump -v -e '/1 "%u"' | cut -c1-8`
 yubico-piv-tool -a change-puk -P 12345678 -N $puk
* Also don't forget to keep the content of $key, $pin and $puk in your password manager.
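As an added example (not the wiki's own commands), the following POSIX shell script does the same rotation but generates the three secrets at exactly the lengths yubico-piv-tool expects and validates them before it changes anything on the device, so a short PUK or a non-hex key can never be applied. It assumes the factory defaults given above (PIN 123456, PUK 12345678) and a /dev/urandom device; the function names and the script name rotate-piv.sh are made up for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: generate the three PIV secrets with
# exactly the lengths yubico-piv-tool expects, verify them before touching
# the device, then apply them with the same commands the page uses.
# 123456 and 12345678 are the factory PIN and PUK named on the page.

# PIV management key: 24 random bytes -> 48 hex characters.
gen_mgm_key() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# N decimal digits, each drawn uniformly from 0-9: keep only ASCII digit
# bytes from /dev/urandom and take the first N. (Printing raw bytes with
# hexdump "%u" yields 1-3 digits per byte, so cutting a fixed width from
# too few bytes can come up short; filtering digit bytes sidesteps that.)
gen_digits() {
    LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"
}

# Validators: exact length and character class, nothing else accepted.
check_hex()    { printf '%s' "$1" | grep -Eq "^[0-9A-Fa-f]{$2}"'$'; }
check_digits() { printf '%s' "$1" | grep -Eq "^[0-9]{$2}"'$'; }

# Generate, validate, and only then change the key, PIN and PUK on the YubiKey.
rotate_piv_secrets() {
    key=$(gen_mgm_key); pin=$(gen_digits 6); puk=$(gen_digits 8)
    check_hex "$key" 48 && check_digits "$pin" 6 && check_digits "$puk" 8 || {
        echo "secret generation failed; not touching the YubiKey" >&2
        return 1
    }
    yubico-piv-tool -a set-mgm-key -n "$key" &&
    yubico-piv-tool -a change-pin -P 123456 -N "$pin" &&
    yubico-piv-tool -a change-puk -P 12345678 -N "$puk" || return 1
    # These values exist nowhere else: put all three in your password manager now.
    printf 'management key: %s\nPIN: %s\nPUK: %s\n' "$key" "$pin" "$puk"
}

case "${1:-}" in
    run) rotate_piv_secrets ;;      # sh rotate-piv.sh run
    *)   : ;;                       # without "run": only define the functions
esac
```

Running the script without the `run` argument only defines the functions, which is convenient for sourcing it or for checking the generators on a machine without a YubiKey; `sh rotate-piv.sh run` performs the actual rotation.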
== Key/certificate creation ==
First of all generate a new private key (9a is a slot number; for others see the introduction of https://www.yubico.com/wp-content/uploads/2015/04/Yubico-PIV-Management-Tools_v1.0.pdf ):
 yubico-piv-tool -k $key -s 9a -a generate -o public.pem
Generate a self-signed certificate:
 yubico-piv-tool -a verify-pin -P $pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
Import the certificate:
 yubico-piv-tool -k $key -a import-certificate -s 9a -i cert.pem
== Generate an SSH pubkey ==
On Debian/Ubuntu and amd64:
 export OPENSC="/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so"
 ssh-keygen -D $OPENSC -e
On MacOS X / Brew:
 export OPENSC="/usr/local/Cellar/opensc/0.15.0/lib/opensc-pkcs11.so"
 ssh-keygen -D $OPENSC -e
== Accessing the key ==
The key is accessed via the PKCS11 interface (which OpenSSH supports):
 ssh -I $OPENSC $HOST
 Enter PIN for 'PIV_II (PIV Card Holder pin)':
Of course you don't need to enter the PIN all the time; ssh-agent supports PKCS11 as well. Simply run
 ssh-add -s $OPENSC
to add the key to the agent.
== Troubleshooting ==
If you get the error message that "ssh-add -s" couldn't access the agent, try starting an additional ssh-agent on a terminal. It will use a random new socket and print it on the command line:
 ssh-agent
 export SSH_AUTH_SOCK=<what was printed above>
 ssh-add -s $OPENSC
If it works fine that way, try figuring out what ssh-add uses by default. Maybe gnome-keyring gets in the way.
I got the error:
 Could not add card "/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so": agent refused operation
What worked for me was:
 ssh-agent
 export SSH_AUTH_SOCK=<what was printed above>
 ssh-add -s $OPENSC
Also I got prompted like this for the pin:
 Enter passphrase for PKCS#11:
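The "Generate an SSH pubkey", "Accessing the key" and "Troubleshooting" sections above hard-code a version-specific module path and leave the "agent refused operation" case to be fixed by hand. As an added example (not the wiki's own script), the following POSIX shell script locates opensc-pkcs11.so, checks whether the agent on $SSH_AUTH_SOCK is usable, and falls back to a private ssh-agent exactly as the troubleshooting steps describe. The candidate module paths are assumptions based on common Debian/Ubuntu, Fedora and Homebrew layouts, and the function names and the script name yubikey-agent.sh are made up for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: find the OpenSC PKCS#11 module
# instead of hard-coding a version-specific path, make sure an ssh-agent is
# usable before "ssh-add -s", and export the SSH public key from the token.
# The candidate paths below are assumptions about common package layouts.

# Print the first existing opensc-pkcs11.so among the given candidates
# (or the built-in list when called without arguments); return 1 if none exists.
find_opensc() {
    if [ $# -eq 0 ]; then
        set -- \
            /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so \
            /usr/lib/pkcs11/opensc-pkcs11.so \
            /usr/lib64/pkcs11/opensc-pkcs11.so \
            /usr/local/lib/opensc-pkcs11.so \
            /usr/local/lib/pkcs11/opensc-pkcs11.so \
            /opt/homebrew/lib/opensc-pkcs11.so \
            /usr/local/Cellar/opensc/*/lib/opensc-pkcs11.so
    fi
    for cand in "$@"; do
        if [ -f "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Succeed only when an ssh-agent answers on $SSH_AUTH_SOCK.
# ssh-add exits 2 when it cannot reach the agent; 1 only means "no identities yet".
agent_reachable() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Add the PKCS#11 provider to the current agent; if that agent is unreachable
# or refuses the operation (as gnome-keyring may), start a private ssh-agent
# in this shell, which is the page's troubleshooting fix, and retry there.
add_pkcs11_provider() {
    if agent_reachable && ssh-add -s "$1"; then
        return 0
    fi
    echo "agent on SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset} unreachable or refused the provider; starting a private ssh-agent" >&2
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -s "$1"
}

setup_agent() {
    OPENSC=$(find_opensc) || {
        echo "opensc-pkcs11.so not found; install opensc first" >&2
        return 1
    }
    export OPENSC
    echo "SSH public key(s) exported from the YubiKey via PKCS#11:" >&2
    ssh-keygen -D "$OPENSC"          # same listing as the page's ssh-keygen -D $OPENSC -e
    add_pkcs11_provider "$OPENSC"    # prompts for the PIV PIN once
}

case "${1:-}" in
    run) setup_agent ;;             # sh yubikey-agent.sh run
    *)   : ;;                       # without "run": only define the functions
esac
```

Because `eval "$(ssh-agent -s)"` only changes the environment of the shell that runs it, invoke the script with `. ./yubikey-agent.sh run` (sourcing it) when you want the fallback agent to stay available in your interactive session; run as a child process it still verifies the module and agent, which is what the check is for.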