
Comparison of various SSH auth methods using Yubikey


  • Compare Yubikeys
  • Yubikey Developers Website
  • Yubikey Forums

GPG Authentication


On each workstation

  • Install the gpg-tools package
  • Modify the gpg-agent.conf file
  • Modify the .bashrc file

Yubikey Management

  • Modify the gpg configuration file
  • Create a master key and an authentication subkey
  • Copy the subkey to the Yubikey
  • Create an SSH public key for the subkey and transfer it to the target system

On the target system

  • Copy the public key to the target system

Cons

  • authorized_keys files need to be managed for each user
  • Too many changes on the local system (.bashrc, gpg-agent.conf)
  • Need a tool to create the master key and subkeys
  • Hard to copy keys to multiple Yubikeys (involves exporting, deleting and re-importing the key before copying it to each card)
  • GnuPG caches the last Yubikey used. If another Yubikey is connected, it errors out. The directory ~/.gnupg/private-keys-v1.d/ needs to be cleared to get rid of this problem.
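The GPG path above, written out as an added shell example (not from the original page): functions for the workstation configuration, the one-time card provisioning, the target-side key install, and a recovery step for the second-Yubikey failure listed under Cons. The key id argument, the file paths and the dispatch verbs are placeholders chosen here; the gpg-connect-agent "learn --force" call is offered as a less destructive alternative to clearing ~/.gnupg/private-keys-v1.d/, since it replaces only the card key stubs.

```shell
#!/bin/sh
# Added example: gpg-agent as the SSH agent for a Yubikey-held authentication
# subkey.  Everything marked PLACEHOLDER is assumed, not taken from the page.
set -u

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Contents for ~/.gnupg/gpg-agent.conf: enable-ssh-support makes gpg-agent
# answer ssh-agent protocol requests using the card's authentication subkey.
gpg_agent_conf() {
    printf '%s\n' \
        'enable-ssh-support' \
        'default-cache-ttl 600' \
        'max-cache-ttl 7200'
}

# Lines for ~/.bashrc: point SSH_AUTH_SOCK at gpg-agent's ssh socket and make
# sure the agent is running before the first ssh call.
bashrc_snippet() {
    printf '%s\n' \
        'export GPG_TTY="$(tty)"' \
        'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' \
        'gpgconf --launch gpg-agent'
}

# Append a block (stdin) to a file only if its first line is not already
# there, so re-running the setup never duplicates config.
append_once() {   # $1 = file
    file="$1"; block="$(cat)"
    first="$(printf '%s\n' "$block" | head -n 1)"
    if [ -f "$file" ] && grep -qxF -- "$first" "$file"; then
        return 0
    fi
    printf '%s\n' "$block" >> "$file"
}

workstation_setup() {
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg_agent_conf | append_once "$GNUPGHOME/gpg-agent.conf"
    bashrc_snippet | append_once "$HOME/.bashrc"
    gpgconf --kill gpg-agent      # restarted on next use, with the new conf
}

# One-time key management.  The edit-key session is interactive; the menu
# commands to type are: addkey -> "(8) RSA (set your own capabilities)" ->
# toggle S and E off, A on -> "key N" to select the new subkey ->
# keytocard -> "(3) Authentication key" -> save.
provision_card() {   # $1 = master key id or fingerprint (PLACEHOLDER)
    gpg --expert --edit-key "$1"
    # exports the authentication-capable subkey in OpenSSH public key format
    gpg --export-ssh-key "$1" > "$HOME/id_gpg_auth.pub"
}

# The per-host authorized_keys upkeep the page lists as a con.
install_on_target() {   # $1 = user@host (PLACEHOLDER)
    ssh-copy-id -i "$HOME/id_gpg_auth.pub" "$1"
}

# Recovery for the "second Yubikey" failure: the stubs in private-keys-v1.d
# name the card serial last seen; re-learning the inserted card rewrites
# them without deleting the directory.
relearn_card() {
    gpg-connect-agent "scd serialno" "learn --force" /bye
}

case "${1:-}" in
    setup)     workstation_setup ;;
    provision) provision_card "${2:?master key id}" ;;
    install)   install_on_target "${2:?user@host}" ;;
    relearn)   relearn_card ;;
esac
```

Run as "sh gpg-yubikey.sh setup" once per workstation, "provision KEYID" once per card, "install user@host" once per target, and "relearn" whenever a different Yubikey carrying the same subkey is plugged in. The append_once guard is what keeps the .bashrc change from piling up when the setup is re-run on an already configured machine.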


User Certs with PIV


  • Install yubico-piv-tool on the workstation
  • Modify the libykcs11.dylib link
  • Create a private key and certificate for the user
  • Copy the certificate to the Yubikey
  • On the local workstation, add the key to ssh-agent (ssh-add)
  • Get the public key from ssh-agent
  • Sign the public key using the CA

GOOD

  • No need to manage the authorized_keys file

Cons

  • ssh-agent with a PIV user cert is buggy. ssh very often fails with "sign_and_send_pubkey: signing failed: agent refused operation", and several commands have to be run to get rid of the error
  • If the Yubikey is removed and reconnected, it fails with the same error

  • Need tools to

    • Create private keys and certs (Lemur?)
    • Sign the keys (our own SSH CA?)

OpenSC


  • Install OpenSC and yubico-piv-tool
  • Create a private key and cert for the user
  • Copy the certificate to the Yubikey
  • On the local workstation, add the key to ssh-agent (ssh-add)
  • Add the public key to the target server

Concerns

  • Need a tool to create private keys and certs (Lemur?)
  • authorized_keys files need to be managed for each user
  • Since private keys are generated on the Yubikey, a separate private key has to be generated for each Yubikey; importing a key generated on one Yubikey into another does not work
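The two PIV-based paths above (the CA-signed user cert loaded through libykcs11, and OpenSC with authorized_keys) share the same card provisioning, so one added shell example covers both; it is not the page's own code nor Yubico's. The PKCS#11 library paths, the 9a slot choice, the CA key location, host alias and subject CN are assumed placeholders, and agent_reload is an assumption about the "several commands" the page says are needed when the agent refuses to sign: remove the provider from the agent and add it again.

```shell
#!/bin/sh
# Added example: PIV key on the Yubikey, then path A (ykcs11 + SSH CA) or
# path B (OpenSC + authorized_keys).  Values marked PLACEHOLDER are assumed.
set -u

YKCS11="${YKCS11:-/usr/local/lib/libykcs11.dylib}"   # Yubico PKCS#11 (PLACEHOLDER path)
OPENSC="${OPENSC:-/usr/local/lib/opensc-pkcs11.so}"  # OpenSC PKCS#11 (PLACEHOLDER path)
SLOT=9a                                               # PIV Authentication slot

# Shared step: key pair generated on the card (the private key never leaves
# it) and a self-signed cert imported so PKCS#11 modules can find the key.
provision_piv() {   # $1 = subject CN, $2 = output dir (both PLACEHOLDER)
    yubico-piv-tool -a generate -s "$SLOT" -A RSA2048 -o "$2/piv.pub.pem"
    yubico-piv-tool -a verify-pin -a selfsign-certificate -s "$SLOT" \
        -S "/CN=$1/" -i "$2/piv.pub.pem" -o "$2/piv.crt.pem"
    yubico-piv-tool -a import-certificate -s "$SLOT" -i "$2/piv.crt.pem"
}

# Read the card's first key as an OpenSSH public-key line, straight from the
# PKCS#11 module, without going through the agent.
card_pubkey() { ssh-keygen -D "$1" | head -n 1; }   # $1 = PKCS#11 library

# Sanity check before handing a key to the CA or a server: a key type we
# expect, a base64 blob, an optional comment.  Exit status 0 = well formed.
is_ssh_pubkey() {   # $1 = one line
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]+)?$'
}

# --- Path A: ykcs11 in ssh-agent + CA-signed certificate (no authorized_keys) ---
agent_load()   { ssh-add -s "$1"; }   # prompts for the PIV PIN
agent_unload() { ssh-add -e "$1"; }

# Recovery for "sign_and_send_pubkey: signing failed: agent refused operation"
# after the key was pulled and reinserted: drop the stale provider handle
# from the agent, then load it again (assumed remedy, see lead-in).
agent_reload() { agent_unload "$1" 2>/dev/null; agent_load "$1"; }

ca_sign() {   # $1 = CA private key (PLACEHOLDER), $2 = principal, $3 = pubkey file
    # -I key id (shows up in sshd logs), -n allowed login names, -V validity.
    # The certificate is written next to $3 as ${3%.pub}-cert.pub.
    ssh-keygen -s "$1" -I "$2-piv" -n "$2" -V +52w "$3"
}

# Server side of path A: sshd trusts the CA instead of per-user authorized_keys.
sshd_ca_config() {   # $1 = path of the CA public key on the server
    printf 'TrustedUserCAKeys %s\n' "$1"
}

# Client side of path A: public key and cert on disk, private key held by the
# agent (ssh looks the .pub identity up in the agent).
ssh_cert_config() {   # $1 = host alias, $2 = pubkey file (cert is ${2%.pub}-cert.pub)
    printf 'Host %s\n    IdentityFile %s\n    CertificateFile %s-cert.pub\n' \
        "$1" "$2" "${2%.pub}"
}

# --- Path B: OpenSC in ssh-agent + authorized_keys on every target ---
opensc_install() {   # $1 = user@host (PLACEHOLDER)
    pub="$(card_pubkey "$OPENSC")"
    is_ssh_pubkey "$pub" || { echo "no usable key on the card" >&2; return 1; }
    printf '%s\n' "$pub" > "$HOME/.ssh/id_piv.pub"
    ssh-add -s "$OPENSC"
    ssh-copy-id -i "$HOME/.ssh/id_piv.pub" "$1"   # the per-host upkeep the page flags
}

case "${1:-}" in
    provision) provision_piv "${2:?subject CN}" "${3:?output dir}" ;;
    sign)      card_pubkey "$YKCS11" > "$HOME/.ssh/id_piv.pub"
               ca_sign "${2:?ca key}" "${3:?principal}" "$HOME/.ssh/id_piv.pub" ;;
    reload)    agent_reload "$YKCS11" ;;
    opensc)    opensc_install "${2:?user@host}" ;;
esac
```

For path A the only server-side change is the TrustedUserCAKeys line from sshd_ca_config, which is why that section needs no authorized_keys management; the cert's -n principal list and -V window are what bound which logins the card can make and for how long. Path B keeps the private key on the card just the same, but every target still needs its own ssh-copy-id, and a second Yubikey means a second key to distribute, which is the last concern listed above.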