Using SSH User Certificates with PIV keys¶
Reference: https://developers.yubico.com/PIV/Guides/
Reference: https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html
Yubikey secrets¶
Default PIN: 123456
Default PUK: 12345678
Default Management Key: 010203040506070801020304050607080102030405060708
PIN: 12345678
Management Key: 6b06289f89f385a40f19a57a7c1a3c72f3ff6c3877c57cd6
This is a step-by-step guide on how to set up SSH user certificates using PIV for hardware-backed keys. This guide is primarily for an OS X or Linux system.
Prerequisites¶
- YubiKey with the PIV application loaded
- the yubico-piv-tool software
- the ykcs11 PKCS#11 module
PIV tools and PIV Manager can be downloaded from here
NOTE : This has been tested as working with OpenSSH version 7.2p2. It has also been tested as not working with OpenSSH version 6.9p1.
Steps¶
Generate an "ssh user CA" key and trust it for this account on this host¶
ssh-keygen -N '' -C user-ca -f ~/.ssh/ca
Trust the certificate authority in the bastion user's home directory¶
sed 's/^/cert-authority /' ~/.ssh/ca.pub > ~/.ssh/authorized_keys
Install yubico-piv-tool¶
$ brew install yubico-piv-tool
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 3 taps (caskroom/cask, caskroom/versions, homebrew/core).
==> Updated Formulae
abcmidi crash fizmo gammaray libtiff presto todoman
ace deis flow gandi.cli libuv pumba trafficserver
allure eprover flowgrind gnome-builder libxml2 rtv tth
app-engine-java exact-image fossil gtksourceview3 lynis sbt urh
bacula-fd eye-d3 freeciv harfbuzz mpfr sqlcipher vala
ccm fabric freexl heroku mysql-sandbox sslyze valabind
certbot fatsort fs-uae hwloc node@6 sysbench webpack
cheat fb-client fuse-emulator immortal opendetex telegraf yarn
cmark-gfm fbida fuse-zip io paket termius
conan feh gabedit libchamplain postgrest terraform
consul-backinator ffe galen libspectrum pre-commit tippecanoe
==> Downloading https://homebrew.bintray.com/bottles/yubico-piv-tool-1.4.3.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring yubico-piv-tool-1.4.3.sierra.bottle.tar.gz
🍺 /usr/local/Cellar/yubico-piv-tool/1.4.3: 18 files, 402.3KB
Note: ssh-agent does not accept a PKCS#11 module that is a symlink. Hence, copy the linked library to a regular file in the /usr/local/lib directory.
$ cp /usr/local/lib/libykcs11.dylib /usr/local/lib/libykcs11_NOTALINK.dylib
Create a new private key and self-signed certificate, and import the certificate to the YubiKey¶
For NEO Key¶
$ yubico-piv-tool -a generate -s 9a -A RSA2048 --pin-policy=never --touch-policy=always -o jkailasam.pem
Successfully generated a new private key.
$ yubico-piv-tool -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i jkailasam.pem -o jkailasam.cert
**Failed signing certificate.** (On the NEO, the self-sign operation needs the PIN verified first, so prepend `-a verify` to the same command:)
$ yubico-piv-tool -a verify -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i jkailasam.pem -o jkailasam.cert
Enter PIN:
Successfully verified PIN.
Successfully generated a new self signed certificate.
$ yubico-piv-tool -a import-certificate -s 9a -i jkailasam.cert
Successfully imported a new certificate.
For USB-4c and Nano¶
$ yubico-piv-tool -a generate -s 9a -A RSA2048 --pin-policy=never --touch-policy=always -o jkailasam.pem
Successfully generated a new private key.
$ yubico-piv-tool -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i jkailasam.pem -o jkailasam.cert
Successfully generated a new self signed certificate.
$ yubico-piv-tool -a import-certificate -s 9a -i jkailasam.cert
Successfully imported a new certificate.
Verify the key is imported¶
$ yubico-piv-tool -a status
CHUID: 3019d4e739da739ced39ce739d836858210842108421384210c3f534102eccede9032e0f214a3a27388803dcb1350832303330303130313e00fe00
CCC: f015a000000116ff026185ba455a1713f0f6b8b4595bc1f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
Algorithm: RSA2048
Subject DN: CN=SSH key
Issuer DN: CN=SSH key
Fingerprint: be4b10565a6bd1ca7affa2df70787ccbb08c6cdcf6f032c433147c2a7ce19ca4
Not Before: Sep 7 22:24:14 2017 GMT
Not After: Sep 7 22:24:14 2018 GMT
PIN tries left: 3
On the local system, add the key to the ssh-agent¶
$ ssh-add -s /usr/local/lib/libykcs11_NOTALINK.dylib
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/libykcs11_NOTALINK.dylib
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCY/yMCHZUugMqK7WyvRm9N7+O0zTSGowxQA9ltEqRk2Duf1bDLdXJntplxcrnl4aEYA2ahoEoPXqg66n4hMqH+QTaITgKdjIjJJ8r3yobq7Mjw2sG/R0Fc8gQNn79oXHJJtxYlwAuITN6cdJ5Quu9DkdsXNpBBGKWFAPVskzmz14LoBqeXiPaWVNhJ0lJVhXjqIUsFrzKptkljW9enqQzlDcpd1J8c4QW8xJN0nYqfUERw2psXmHCeULOwEnj4ZJROw3KTmsFyES0mTyXUscq0fgcfF1ZB2ziN1M8nl0MV9i1wTVpVCiBUTU1P0oPpEFq8eHFY+ndoWh88Vqu67o6R /usr/local/lib/libykcs11_NOTALINK.dylib
Create a local pub file from the ssh-add -L command¶
$ ssh-add -L > ~/.ssh/id_rsa.pub
Sign the pubkey using CA¶
$ ssh-keygen -s ~/.ssh/ca/ca_bastion -I identity -n "${LOGNAME}" ~/.ssh/id_rsa.pub
Enter passphrase:
Signed user key /Users/jkailasam/.ssh/id_rsa-cert.pub: id "identity" serial 0 for jkailasam valid forever
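The two pieces that make this work are the certificate `ssh-keygen -s` just wrote and the `cert-authority` line placed in the bastion's authorized_keys earlier. The script below is an added example, not part of this guide or of OpenSSH: it encodes a certificate with the same field layout (type, nonce, the YubiKey's public key, serial, key id, principals, validity window, options, extensions, CA key, signature) and then applies the checks sshd runs against a `cert-authority` entry: correct CA key, user-type certificate, login name among the principals, and the current time inside the validity window. The key moduli and the all-zero nonce are constructed placeholders and the signature field is left empty, because there is no CA private key here; signature verification is therefore deliberately not performed. The `hygiene_warnings` helper flags the two things visible in the output above, `serial 0` and `valid forever`.

```python
"""Encoder/decoder for the ssh-rsa-cert-v01@openssh.com layout written by
`ssh-keygen -s`, plus the acceptance checks a `cert-authority` entry implies.
Added example with placeholder key material; not code from the guide."""
import base64
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
FOREVER = 0xFFFFFFFFFFFFFFFF   # valid_before that ssh-keygen uses when -V is absent
USER_CERT = 1                  # cert type field: 1 = user, 2 = host

# Constructed placeholders, not real RSA keys: for parsing, an ssh-rsa blob only
# needs a structurally valid exponent and modulus.
FAKE_E = 65537
FAKE_N_USER = int.from_bytes(b"\x9f" + b"user-key-modulus-placeholder" * 2, "big")
FAKE_N_CA = int.from_bytes(b"\xc1" + b"ca-key-modulus-placeholder" * 2, "big")


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    # positive mpint: big-endian bytes with a leading 0x00 if the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_key_blob(e, n):
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


# What `sed 's/^/cert-authority /' ca.pub` produces for the (placeholder) CA key.
CA_AUTHORIZED_KEYS_LINE = ("cert-authority ssh-rsa "
                           + base64.b64encode(rsa_key_blob(FAKE_E, FAKE_N_CA)).decode()
                           + " user-ca")


def build_user_cert(key_id, principals, serial, valid_after, valid_before):
    """Encode a certificate laid out like `ssh-keygen -s -I key_id -n principals`.
    The signature is left empty: this example has no CA private key."""
    ext = b"".join(ssh_string(x) + ssh_string(b"")
                   for x in (b"permit-pty", b"permit-agent-forwarding"))
    body = b"".join([
        ssh_string(CERT_TYPE),
        ssh_string(b"\x00" * 32),                        # nonce (placeholder)
        ssh_mpint(FAKE_E), ssh_mpint(FAKE_N_USER),       # the certified (YubiKey) key
        struct.pack(">Q", serial),                       # -z
        struct.pack(">I", USER_CERT),
        ssh_string(key_id.encode()),                     # -I
        ssh_string(b"".join(ssh_string(p.encode()) for p in principals)),  # -n
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),                 # -V window, or FOREVER
        ssh_string(b""),                                 # critical options
        ssh_string(ext),                                 # extensions
        ssh_string(b""),                                 # reserved
        ssh_string(rsa_key_blob(FAKE_E, FAKE_N_CA)),     # signature key = the CA
        ssh_string(b""),                                 # signature (placeholder)
    ])
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " " + key_id


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        s = self.data[self.pos + 4:self.pos + 4 + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.pos += 4 + n
        return s

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def done(self):
        return self.pos >= len(self.data)


def parse_user_cert(line):
    """Decode one line of an id_rsa-cert.pub file into a dict of its fields."""
    kind, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if kind.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa user certificate")
    r.string()                                   # nonce
    r.string(); r.string()                       # e, n of the certified key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    names, cert["principals"] = _Reader(r.string()), []
    while not names.done():
        cert["principals"].append(names.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"] = r.string()
    exts, cert["extensions"] = _Reader(r.string()), []
    while not exts.done():
        cert["extensions"].append(exts.string().decode())
        exts.string()                            # extension data (empty for permit-*)
    r.string()                                   # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert


def cert_authority_accepts(authorized_line, cert, login_user, now):
    """Checks sshd applies to a cert presented against a `cert-authority` entry
    (signature verification omitted here). Returns rejection reasons; [] = accepted."""
    fields, reasons = authorized_line.split(), []
    if "cert-authority" not in fields[0].split(","):
        reasons.append("authorized_keys entry is not a cert-authority")
    elif base64.b64decode(fields[2]) != cert["signature_key"]:
        reasons.append("certificate was not signed by the trusted CA key")
    if cert["type"] != USER_CERT:
        reasons.append("not a user certificate")
    if login_user not in cert["principals"]:
        reasons.append(f"{login_user!r} is not among principals {cert['principals']}")
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        reasons.append("outside validity window")
    return reasons


def hygiene_warnings(cert):
    """Flags for a review of `ssh-keygen -s` output like 'serial 0 ... valid forever'."""
    w = []
    if cert["valid_before"] == FOREVER:
        w.append("valid forever: sign with -V (e.g. -V +52w) to bound the lifetime")
    if cert["serial"] == 0:
        w.append("serial 0: use -z to give each certificate a unique serial for revocation")
    return w


if __name__ == "__main__":
    now = 1504822000   # constructed timestamp (Sep 2017, like the guide's certificate)
    for c in (build_user_cert("identity", ["jkailasam"], 0, 0, FOREVER),
              build_user_cert("identity", ["jkailasam"], 1, now - 60, now + 52 * 7 * 86400)):
        p = parse_user_cert(c)
        print(p["key_id"], p["principals"], p["serial"],
              cert_authority_accepts(CA_AUTHORIZED_KEYS_LINE, p, "jkailasam", now),
              hygiene_warnings(p))
```

Running it shows the "valid forever" certificate is accepted for jkailasam but flagged, while the same certificate presented for another login name, or the time-bounded one after its window, is rejected. In the real setup the same effect comes from passing `-V` and `-z` to the `ssh-keygen -s` command above; the YubiKey holds the user key, but the CA key signing these certificates is the one that needs to be kept tightly controlled.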
If the ssh-agent needs to be cleared and the key re-added¶
$ ssh-add -D
$ ssh-add -e /usr/local/lib/libykcs11_NOTALINK.dylib
$ ssh-add -s /usr/local/lib/libykcs11_NOTALINK.dylib