Passwords
One time passwords Mobile
Download the app 'authenticator' from the appstore or playstore.
- Insert your Yubikey in your phone.
- At the top right, tap the + sign.
- Add your OTP key
One time passwords Desktop
Download the app 'authenticator' from the website
- Insert your Yubikey in your computer.
- At the top right, tap the + sign.
- Add your OTP key.
Use SSH
Change codes
To use this, it's recommended that you set your own PIN, PUK and management code on your Yubikey, replacing the defaults. To do this, start the GUI, or use the following commands:
ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key
The default codes for a new Yubikey are:
- PIN: 123456
- PUK: 12345678
- Management: 010203040506070801020304050607080102030405060708
Generate certificates
Now make the Yubikey usable for SSH: generate the private key, the certificate and the public SSH key.
- Generate a private key (EC will not work at the moment)
ykman piv generate-key -a RSA2048 9a pubkey.pem
- Generate a certificate
ykman piv generate-certificate -d 1826 -s "SSH Key" 9a pubkey.pem
- Convert the public key (pubkey.pem) to an SSH public key
ssh-keygen -i -m PKCS8 -f pubkey.pem > pubkey.txt
Configuration
Debian
Add at the top of your SSH config file ~/.ssh/config:
PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Archlinux
Add at the top of your SSH config file ~/.ssh/config:
PKCS11Provider /usr/lib/opensc-pkcs11.so
Mac OS X
For Mac OS X, there's more to do:
- Make sure you have brew (https://brew.sh/) installed.
- Install opensc:
brew install opensc
- Link the right library:
sudo ln `brew list opensc |grep lib/opensc-pkcs11.so` /usr/local/lib/opensc-pkcs11.so
- And add at the top of your SSH config file ~/.ssh/config:
PKCS11Provider /usr/local/lib/opensc-pkcs11.so
And that's enough to make ssh possible.
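The PKCS11Provider file is loaded by ssh as code, so it is worth checking that the module you point at exists and cannot be modified by other users. The following is an added example, not part of the original page: it walks the three module paths listed above and prints the matching config line. The function names and the ROOT argument are hypothetical and exist only for this illustration.

```sh
#!/bin/sh
# Added example (not from the original page): pick the OpenSC PKCS#11 module
# for this host and print the matching ssh_config line.

# Module paths exactly as given in the Debian, Archlinux and Mac OS X sections.
CANDIDATES="/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
/usr/lib/opensc-pkcs11.so
/usr/local/lib/opensc-pkcs11.so"

# module_is_safe FILE
# ssh loads the PKCS11Provider file as code, so accept it only if it is a
# regular file (symlinks followed) that is not group- or world-writable.
# Only the file itself is checked, not its parent directories.
module_is_safe() {
    [ -f "$1" ] || return 1
    writable=$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$writable" ]
}

# find_pkcs11_module [ROOT]
# Prints the first safe candidate. ROOT is a hypothetical prefix used only to
# test against a scratch directory; leave it empty on a real system.
find_pkcs11_module() {
    root="${1:-}"
    for rel in $CANDIDATES; do
        if module_is_safe "$root$rel"; then
            printf '%s\n' "$root$rel"
            return 0
        fi
    done
    echo "no usable opensc-pkcs11.so found" >&2
    return 1
}

# pkcs11_config_line [ROOT]
# Prints the line to put at the top of ~/.ssh/config.
pkcs11_config_line() {
    module=$(find_pkcs11_module "${1:-}") || return 1
    printf 'PKCS11Provider %s\n' "$module"
}
```

Source the file and run pkcs11_config_line with no argument to get the line for the current machine.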
SSH Agent
To be found out.
More information
https://wiki.archlinux.org/index.php/YubiKey A lot of information about Linux and Yubikey.
https://archive.fosdem.org/2018/schedule/event/smartcards_in_linux/attachments/slides/2265/export/events/attachments/smartcards_in_linux/slides/2265/smart_cards_slides.pdf FOSDEM presentation