Yubikey-SSH: Difference between revisions

From Wikitech
Content deleted Content added
No edit summary
Line 137: Line 137:
</pre>
</pre>


Here's a chunk of sample bash code to use with the above udev hack and ssh-agent:
Here's the shell script that works with the udev hack:

<pre>
#!/bin/bash

if /usr/bin/lsusb | /usr/bin/grep '1050:011[16]' > /dev/null; then
/bin/date +%s > /tmp/yubi_inserted
else
/usr/bin/rm /tmp/yubi_inserted
fi
</pre>

Finally, here's the chunk of sample bash code to use with the above udev hack and ssh-agent:


<pre>
<pre>

Revision as of 00:46, 26 November 2015

Configuring the YubiKey NEO for SSH authentication in the prod cluster:

Installation

On Debian / Ubuntu:

apt-get install yubikey-personalization yubico-piv-tool opensc

The yubico-piv-tool package is in the universe repository in Ubuntu 15.10 and later. If you have an earlier version, you can get it from the PPA:

add-apt-repository ppa:yubico/stable
apt-get update

On MacOS:

brew install opensc ykpers yubico-piv-tool

On OpenSuSE:

 zypper ar -r http://download.opensuse.org/repositories/security/openSUSE_Tumbleweed/ tumbleweed-security
 zypper in yubikey-piv-manager yubikey-neo-manager yubico-piv-tool libyubikey-tools libyubikey0 opensc

Same for 13.2 and tumbleweed, but remember to configure the correct repo for your release.

Enabling CCID smartcard mode

The smartcard/CCID feature on the YubiKey NEO is disabled by default. You can change that with the following command:

ykpersonalize -m82

A message will be printed to the console, confirming the action. This enables OTP (keyboard) and CCID. If you also want to enable U2F, you can use -m86, however this causes the device to not be recognised by the version of pcscd in Ubuntu 14.04.

Remember to remove and re-insert your YubiKey before proceeding, otherwise you will get the error "failed to connect to reader".

Securing physical access to the YubiKey

When accessing the NEO you need to enter a PIN to prevent access for someone who e.g. stole your YubiKey. If that PIN is entered incorrectly thrice, the YubiKey needs to be unlocked with a PUK. If that PUK is also entered incorrectly three time your YubiKey is toast, so make sure to store these in your password manager.

In addition the NEO uses a management key: It secures access when updating the feature applets running on the YubiKey and protects you from someone backdooring your NEO.

The YubiKey uses default values for PIN, PUK and management key, so we need to change all of them:

  • First the management key (24 chars hexadecimal):
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
yubico-piv-tool -a set-mgm-key -n $key
  • Now the PIN (6 digits, 123456 is the shipped default PIN):
pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'| cut -c1-6`
yubico-piv-tool -a change-pin -P 123456 -N $pin
  • Finally the PUK (8 digits, with the default 12345678)
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
yubico-piv-tool -a change-puk -P 12345678 -N $puk
  • Finally don't forget to keep the content of $key, $pin and $puk in your password manager.

Key/certificate creation

First of all generate a new private key: (9a is a slot number, for others see the introduction of https://www.yubico.com/wp-content/uploads/2015/04/Yubico-PIV-Management-Tools_v1.0.pdf )

 yubico-piv-tool -k $key -s 9a -a generate -o public.pem

Generate a self-signed certificate:

 yubico-piv-tool -a verify-pin -P $pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem

Import the certificate:

 yubico-piv-tool -k $key -a import-certificate -s 9a -i cert.pem

Note: with yubico-piv-tool v1.1.1 on OpenSuSE I had to add -k using yubico-piv-tool once the management key was changed, otherwise it would not prompt for the management key and simply fail on an authentication error.

Generate an SSH pubkey

On Debian/Ubuntu:

export OPENSC=$(dpkg -L opensc | grep opensc-pkcs11.so\$ )
ssh-keygen -D $OPENSC -e

On MacOS X / Brew:

export OPENSC="/usr/local/Cellar/opensc/0.15.0/lib/opensc-pkcs11.so"
ssh-keygen -D $OPENSC -e

On OpenSuSE:

export OPENSC="/usr/lib64/opensc-pkcs11.so"
ssh-keygen -D $OPENSC -e

Accessing the key

The key is accessed via the PKCS11 interface (which OpenSSH supports):

ssh -I $OPENSC $HOST
Enter PIN for 'PIV_II (PIV Card Holder pin)':

This can be configured so that you don't have to type -I every time:

echo "
Host *.wmnet *.wikimedia.org
PKCS11Provider $OPENSC" >> ~/.ssh/config

You also don't need to enter the PIN all the time, since ssh-agent supports PKCS11 as well. Run

ssh-add -s $OPENSC

to enter the key to the agent.

Unfortunately, gnome-keyring, which is the default SSH_AUTH_SOCK implementation on many Linux desktops, does not support this.[1] Neither does gpg-agent.[2] You may see an error like:

SSH_AGENT_FAILURE
Could not add card: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

So on such systems, you either need to run a separate SSH agent:

eval `ssh-agent -s`
ssh-add -s $OPENSC

Or hack the session startup so that the real OpenSSH ssh-agent is used.

Note that you can identify the current SSH agent with:

sudo fuser -v $SSH_AUTH_SOCK

If you remove the YubiKey from the USB port and then plug it back in, or if you press the button for OTP/U2F the card needs to be re-added to the agent:

ssh-add -e $OPENSC
ssh-add -s $OPENSC

Here's a udev hack to drop a file in /tmp that you can poll to see if the key has been reinserted.

# /etc/udev/rules.d/57-yubikey-neo-status.rules
# remember to run: udevadm control --reload-rules
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0111|0116", RUN+="/usr/local/bin/yubi_tracker"
ACTION=="remove", SUBSYSTEM=="usb", RUN+="/usr/local/bin/yubi_tracker"

Here's the shell script that works with the udev hack:

#!/bin/bash

if /usr/bin/lsusb | /usr/bin/grep '1050:011[16]' > /dev/null; then
    /bin/date +%s > /tmp/yubi_inserted
else
    /usr/bin/rm /tmp/yubi_inserted
fi

Finally, here's the chunk of sample bash code to use with the above udev hack and ssh-agent:

# load identity from yubkey if yubikey is present but identity isn't loaded
if [ -f /tmp/yubi_inserted ]; then
    if ! /usr/bin/ssh-add -l | /usr/bin/grep opensc-pkcs11 > /dev/null; then
        if /usr/bin/ssh-add -c -s $opensc_lib; then
            # mark the time of last unlock
            /usr/bin/cp /tmp/yubi_inserted /tmp/yubi_unlocked
        fi
    fi
else
    # yubikey is not unlocked, so remove timestamp
    /usr/bin/rm -f /tmp/yubi_unlocked
fi

Suggested .bashrc

export OPENSC=$(dpkg -L opensc | grep opensc-pkcs11.so\$ )
function yubiadd() {
	ssh-add -s $OPENSC
}
function yubidel() {
	ssh-add -e $OPENSC
}	
function yubireset() {
	yubidel
	yubiadd
}

Notes

  1. Bug 535373. There is some confusion on this bug report about what "PKCS#11 support" is. Gnome-keyring is a PKCS#11 provider, but not a PKCS#11 consumer. So it can pretend to be a smart card, but it can't read a smart card. You can see in the relevant source file that the ADD_SMARTCARD_KEY operation is unimplemented.
  2. Note the lack of ADD_SMARTCARD_KEY in the list of supported commands around line 261 of agent/command-ssh.c in the current git master (e9c16fee2576c772de9d4fb5d53fee28e4b84202).