Comparison of various SSH auth methods using Yubikey¶
Compare Yubikeys
Yubikey Developers Website
Yubikey Forums
GPG Authentication¶
In each Workstation¶
- Install gpg-tools package
- Modify the gpg-agent.conf file
- Modify the .bashrc file
Yubikey Management¶
- Modify gpg configuration file
- Create a Master Key and Authentication Sub key
- Copy the SubKey to the Yubikey
- Create SSH public key for the subkey and transfer to target system
In the target system¶
- Copy the public key to the target system
Cons¶
- authorized_keys files need to be managed for each user
- Too many changes in the local system (.bashrc, gpg-agent.conf)
- Need a tool to create the master key and subkeys
- Hard to copy keys to multiple Yubikeys (involves exporting, deleting and re-importing the key before copying it to the card)
- GnuPG caches the last Yubikey used. If another Yubikey is connected, it errors out with the following error. The directory ~/.gnupg/private-keys-v1.d/ needs to be cleared to get rid of this problem.
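The workstation-side steps above (gpg-agent.conf, .bashrc) and the fix for the cached-Yubikey problem, as an added shell example that is not part of these notes. It assumes GnuPG 2.1 or later (gpgconf and gpg-agent available) and takes the GNUPGHOME path as a parameter; the cache TTL values are an assumption. Rather than wiping private-keys-v1.d, which also holds any real on-disk private keys, it removes only the card stubs (files containing "shadowed-private-key") and then asks the agent to re-learn the card that is currently plugged in.

```shell
# Added example (not from the original notes): GnuPG-for-SSH workstation setup
# and a safe fix for "GnuPG caches the last Yubikey used".
# Assumes GnuPG >= 2.1 (gpgconf, gpg-agent, gpg-connect-agent on PATH).
set -eu

# Append a line to a file only if that exact line is not already there,
# so re-running the script does not duplicate config.
ensure_line() {
    local file=$1 line=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Step "Modify the gpg-agent.conf file": expose an SSH agent socket.
setup_gpg_agent_conf() {
    local gnupghome=$1
    ensure_line "$gnupghome/gpg-agent.conf" "enable-ssh-support"
    # 8-hour SSH cache TTLs are an assumption; pick what your policy allows.
    ensure_line "$gnupghome/gpg-agent.conf" "default-cache-ttl-ssh 28800"
    ensure_line "$gnupghome/gpg-agent.conf" "max-cache-ttl-ssh 28800"
    chmod 700 "$gnupghome"
}

# Step "Modify the .bashrc file": make ssh talk to gpg-agent instead of ssh-agent.
setup_bashrc() {
    local rcfile=$1
    ensure_line "$rcfile" 'export GPG_TTY=$(tty)'
    ensure_line "$rcfile" 'unset SSH_AGENT_PID'
    ensure_line "$rcfile" 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)'
    ensure_line "$rcfile" 'gpgconf --launch gpg-agent'
}

# Fix for the cached-card error: stubs for on-card keys live as
# <keygrip>.key files in private-keys-v1.d next to real private keys.
# Remove only the stubs (they contain "shadowed-private-key"); print how many.
clear_card_stubs() {
    local dir=$1/private-keys-v1.d removed=0 f
    [ -d "$dir" ] || { echo 0; return 0; }
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        if grep -q "shadowed-private-key" "$f"; then
            rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Make the agent re-read the card that is plugged in now (needs hardware).
relearn_card() {
    gpg-connect-agent "scd serialno" "learn --force" /bye
}

main() {
    setup_gpg_agent_conf "$HOME/.gnupg"
    setup_bashrc "$HOME/.bashrc"
    echo "removed $(clear_card_stubs "$HOME/.gnupg") card stub(s)"
    relearn_card
}

# Run as: sh this_script.sh apply   (sourcing the file only defines the functions)
if [ "${1:-}" = "apply" ]; then main; fi
```

After `relearn_card`, `ssh-add -L` should list the authentication subkey of the Yubikey that is currently connected; the deleted stubs are regenerated by the agent, so nothing is lost by removing them.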
User Certs with PIV¶
- Install yubico-piv-tool in the workstation
- Modify libykcs11.dylib link
- Create Private key and Certificate for the user
- Copy the certificate to the Yubikey
- In the local WS, add the key to ssh-agent (ssh-add)
- Get the public key from ssh-agent
- Sign the public key using CA
GOOD¶
- No need to manage the authorized_keys file
Cons¶
- ssh-agent for PIV user certs is buggy. ssh very often fails with
  sign_and_send_pubkey: signing failed: agent refused operation
  Have to run multiple commands to get rid of the above error.
- If the Yubikey is taken out and connected back, it fails with the above error.
- Need tools to
  - Create private keys and certs (Lemur?)
  - Sign the keys (Our own SSH CA?)
OpenSC¶
- Install OpenSC and yubico-piv-tool
- Create Private key and Cert for the user
- Copy the certificate to the Yubikey
- In the local WS, add the key to ssh-agent (ssh-add)
- Add the pubkey to the target server
Concerns¶
- Create Private keys and certs (Lemur?)
- authorized_keys files need to be managed for each user
- Since private keys are generated on the Yubikey, a separate private key is needed for each Yubikey. Importing a key generated on one Yubikey does not work on another.
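Both the GPG and the OpenSC methods end with "add the pubkey to the target server" and list per-user authorized_keys management as a con. As an added example that is not part of these notes, a small shell helper for the target-system side: it allow-lists the key types it will accept, checks that the key blob is base64, deduplicates on type plus blob (so the same key re-added with a different comment is not duplicated) and keeps the file at mode 600. The key lines in the test are constructed, not real keys; lines carrying authorized_keys options (such as `from=`) are passed through untouched, which is an assumption about how the file is used.

```shell
# Added example (not from the original notes): idempotent authorized_keys
# management for the target system. Assumes OpenSSH's authorized_keys format.
set -eu

# Return 0 if the line looks like "<allowed-type> <base64-blob> [comment]".
valid_pubkey_line() {
    local line=$1 keytype rest blob
    keytype=${line%% *}
    rest=${line#* }
    [ "$rest" != "$line" ] || return 1      # no space at all: not a key line
    blob=${rest%% *}
    case $keytype in
        ssh-ed25519|sk-ssh-ed25519@openssh.com|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
        *) return 1 ;;                      # ssh-dss and unknown types refused
    esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Identity of a key is its type and blob; the trailing comment is ignored.
key_id() {
    local line=$1 rest
    rest=${line#* }
    printf '%s %s' "${line%% *}" "${rest%% *}"
}

# add_authorized_key FILE KEYLINE -> prints "added" or "exists"; status 2 if invalid.
add_authorized_key() {
    local file=$1 key=$2 id existing
    valid_pubkey_line "$key" || { echo "refusing invalid public key line" >&2; return 2; }
    mkdir -p "$(dirname "$file")"
    touch "$file"
    chmod 600 "$file"
    id=$(key_id "$key")
    while IFS= read -r existing; do
        case $existing in ''|'#'*) continue ;; esac
        if [ "$(key_id "$existing")" = "$id" ]; then echo exists; return 0; fi
    done < "$file"
    printf '%s\n' "$key" >> "$file"
    echo added
}

# remove_authorized_key FILE KEYLINE -> prints the number of lines removed.
remove_authorized_key() {
    local file=$1 id existing scratch removed=0
    id=$(key_id "$2")
    scratch=$file.tmp.$$
    : > "$scratch"
    while IFS= read -r existing; do
        case $existing in
            ''|'#'*) printf '%s\n' "$existing" >> "$scratch"; continue ;;
        esac
        if [ "$(key_id "$existing")" = "$id" ]; then
            removed=$((removed + 1))
        else
            printf '%s\n' "$existing" >> "$scratch"
        fi
    done < "$file"
    mv "$scratch" "$file"
    chmod 600 "$file"
    echo "$removed"
}
```

Feed it the output of `ssh-add -L` (or `gpg --export-ssh-key <keyid>` for the GPG method) on the workstation, one line per user, and the same line again to revoke access when the Yubikey is retired.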