Using OpenSC
<https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html>
Install OpenSC and yubico-piv-tool
$ brew install opensc
==> Downloading https://homebrew.bintray.com/bottles/opensc-0.17.0.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring opensc-0.17.0.sierra.bottle.tar.gz
==> Caveats
Bash completion has been installed to:
/usr/local/etc/bash_completion.d
==> Summary
🍺 /usr/local/Cellar/opensc/0.17.0: 104 files, 5.4MB
$ brew install yubico-piv-tool
==> Downloading https://homebrew.bintray.com/bottles/yubico-piv-tool-1.4.3.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring yubico-piv-tool-1.4.3.sierra.bottle.tar.gz
🍺 /usr/local/Cellar/yubico-piv-tool/1.4.3: 18 files, 402.3KB
Create a private key and certificate, and import the certificate into the YubiKey
For YubiKey 4C
$ yubico-piv-tool -a generate -s 9a -A RSA2048 --pin-policy=never --touch-policy=always -o jkailasam.pem
Successfully generated a new private key.
$ yubico-piv-tool -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i jkailasam.pem -o jkailasam.cert
Successfully generated a new self signed certificate.
$ yubico-piv-tool -a import-certificate -s 9a -i jkailasam.cert
Successfully imported a new certificate.
For YubiKey NEO (the self-sign step fails until the PIN is verified with -a verify)
$ yubico-piv-tool -a generate -s 9a -A RSA2048 --pin-policy=never --touch-policy=always -o jkailasam.pem
Successfully generated a new private key.
$ yubico-piv-tool -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i jkailasam.pem -o jkailasam.cert
Failed signing certificate.
$ yubico-piv-tool -a verify -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i jkailasam.pem -o jkailasam.cert
Enter PIN:
Successfully verified PIN.
Successfully generated a new self signed certificate.
$ yubico-piv-tool -a import-certificate -s 9a -i jkailasam.cert
Successfully imported a new certificate.
Importing a PKCS#12 key
$ yubico-piv-tool -s 9c -i jkailasamnetflix.com-Netflix-20161110-20181110.pfx -KPKCS12 -aset-chuid -a import-key -a import-cert
Enter Password:
Successfully set new CHUID.
Successfully imported a new private key.
Successfully imported a new certificate.
Verify that the certificate is imported
$ yubico-piv-tool -a status
CHUID: 3019d4e739da739ced39ce739d836858210842108421384210c3f534102eccede9032e0f214a3a27388803dcb1350832303330303130313e00fe00
CCC: f015a000000116ff026185ba455a1713f0f6b8b4595bc1f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
Algorithm: RSA2048
Subject DN: CN=SSH key
Issuer DN: CN=SSH key
Fingerprint: be4b10565a6bd1ca7affa2df70787ccbb08c6cdcf6f032c433147c2a7ce19ca4
Not Before: Sep 7 22:24:14 2017 GMT
Not After: Sep 7 22:24:14 2018 GMT
PIN tries left: 3
Get the public key from the opensc-pkcs11 module to copy to the target system
$ ssh-keygen -D /usr/local/lib/opensc-pkcs11.so -e
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCY/yMCHZUugMqK7WyvRm9N7+O0zTSGowxQA9ltEqRk2Duf1bDLdXJntplxcrnl4aEYA2ahoEoPXqg66n4hMqH+QTaITgKdjIjJJ8r3yobq7Mjw2sG/R0Fc8gQNn79oXHJJtxYlwAuITN6cdJ5Quu9DkdsXNpBBGKWFAPVskzmz14LoBqeXiPaWVNhJ0lJVhXjqIUsFrzKptkljW9enqQzlDcpd1J8c4QW8xJN0nYqfUERw2psXmHCeULOwEnj4ZJROw3KTmsFyES0mTyXUscq0fgcfF1ZB2ziN1M8nl0MV9i1wTVpVCiBUTU1P0oPpEFq8eHFY+ndoWh88Vqu67o6R
Add the public key to the authorized_keys file of the target system
Authenticate to the target system using the new PKCS#11 key
$ ssh -I ./opensc-pkcs11-NL.so aws.prod.netflix.net
Enter PIN for 'PIV Card Holder pin (PIV_II)':
Ubuntu 16.04.2 LTS(xenial): GNU/Linux 4.4.0-83-generic x86_64
- Base AMI: nflx-base-5.36.0-h67.088774d
- Package: bastion-main-3.166.0-h244.e96b1d2
- EC2: asg=bastion-prod-v010, zone=us-west-2b, vmtype=m4.2xlarge
Add the key to ssh-agent, and SSH to the system
$ cp /usr/local/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11-NL.so
$ ssh-add -s /usr/local/lib/opensc-pkcs11-NL.so
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/opensc-pkcs11-NL.so
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCY/yMCHZUugMqK7WyvRm9N7+O0zTSGowxQA9ltEqRk2Duf1bDLdXJntplxcrnl4aEYA2ahoEoPXqg66n4hMqH+QTaITgKdjIjJJ8r3yobq7Mjw2sG/R0Fc8gQNn79oXHJJtxYlwAuITN6cdJ5Quu9DkdsXNpBBGKWFAPVskzmz14LoBqeXiPaWVNhJ0lJVhXjqIUsFrzKptkljW9enqQzlDcpd1J8c4QW8xJN0nYqfUERw2psXmHCeULOwEnj4ZJROw3KTmsFyES0mTyXUscq0fgcfF1ZB2ziN1M8nl0MV9i1wTVpVCiBUTU1P0oPpEFq8eHFY+ndoWh88Vqu67o6R /usr/local/lib/opensc-pkcs11-NL.so
$ ssh aws.prod.netflix.net
Ubuntu 16.04.2 LTS(xenial): GNU/Linux 4.4.0-83-generic x86_64
- Base AMI: nflx-base-5.36.0-h67.088774d
- Package: bastion-main-3.166.0-h244.e96b1d2
- EC2: asg=bastion-prod-v010, zone=us-west-2a, vmtype=m4.2xlarge