Passwords
One time passwords Mobile
Download the app 'authenticator' from the App Store or Play Store.
- Insert your Yubikey into your phone.
- At the top right, tap the + sign.
- Add your OTP key.
One time passwords Desktop
Download the app 'authenticator' from the website.
- Insert your Yubikey into your computer.
- At the top right, click the + sign.
- Add your OTP key.
Use SSH
Change codes
To use this, it is recommended that you set a PIN, a PUK and a management key on your Yubikey. To do this, start the GUI or use the following commands:
ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key
The default codes for a new Yubikey are:
- PIN: 123456
- PUK: 12345678
- Management: 010203040506070801020304050607080102030405060708
For more info about PIN, PUK and management keys, see https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html
Generate certificates
Now make the Yubikey usable for SSH: generate the private key, the certificate and the public SSH key.
- Generate a private key (EC will not work at the moment)
ykman piv generate-key -a RSA2048 9a pubkey.pem
- Generate a certificate
ykman piv generate-certificate -d 1826 -s "SSH Key" 9a pubkey.pem
- Convert the certificate to a ssh key
ssh-keygen -i -m PKCS8 -f pubkey.pem > pubkey.txt
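The conversion step above is opaque if you have never looked inside the two formats, so here is an added example (not code from the page, ykman or OpenSSH) that performs the same PKCS#8 SPKI to OpenSSH conversion in pure Python and decodes the result back, which lets you cross-check the pubkey.txt you got from ssh-keygen. The sample modulus SAMPLE_N is a constructed stand-in, not a real key; with a real pubkey.pem you would pass its text to pem_to_openssh directly.

```python
import base64

# Constructed demo values, NOT a real key: the real modulus comes from the
# pubkey.pem written by `ykman piv generate-key -a RSA2048 9a pubkey.pem`.
SAMPLE_E = 65537
SAMPLE_N = int("C0FFEE" * 85 + "1", 16)  # odd, 2044-bit stand-in modulus
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID rsaEncryption
def _big(v):  # minimal big-endian bytes, with a leading 0x00 if the top bit is set
    return v.to_bytes((v.bit_length() + 8) // 8, "big")
def _der(tag, body):  # DER tag-length-value, short or long-form length
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def make_spki_pem(n, e):  # builds the PEM SubjectPublicKeyInfo that ykman writes
    rsa = _der(0x30, _der(0x02, _big(n)) + _der(0x02, _big(e)))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def _tlv(buf, pos=0):  # -> (tag, value, offset just past this element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        k, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln
def _sshstr(b):  # SSH wire "string": 4-byte big-endian length prefix
    return len(b).to_bytes(4, "big") + b
def pem_to_openssh(pem):  # same output as `ssh-keygen -i -m PKCS8 -f pubkey.pem`
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, spki, _ = _tlv(der)
    tag, alg, pos = _tlv(spki)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key; the page notes EC keys do not work for this setup")
    _, bits, _ = _tlv(spki, pos)
    _, rsa, _ = _tlv(bits[1:])  # bits[0] is the BIT STRING unused-bits count (0)
    _, nb, pos = _tlv(rsa)
    _, eb, _ = _tlv(rsa, pos)
    e, n = int.from_bytes(eb, "big"), int.from_bytes(nb, "big")
    blob = _sshstr(b"ssh-rsa") + _sshstr(_big(e)) + _sshstr(_big(n))
    return "ssh-rsa " + base64.b64encode(blob).decode()
def openssh_to_rsa(line):  # decode an ssh-rsa line back to (n, e) to cross-check pubkey.txt
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        ln = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    assert fields[0] == b"ssh-rsa"
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")
```

The `ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB` prefix you will see is just the base64 of the length-prefixed type name and the exponent 65537, so it is identical for every RSA key with that exponent.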
Configuration
Debian
Add at the top of your SSH config file ~/.ssh/config:
PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Archlinux
Add at the top of your SSH config file ~/.ssh/config:
PKCS11Provider /usr/lib/opensc-pkcs11.so
Mac OS X
For Mac OS X there is more to do:
- Make sure you have brew installed (https://brew.sh/).
- Install opensc:
brew install opensc
- Link the right library:
sudo ln `brew list opensc | grep lib/opensc-pkcs11.so` /usr/local/lib/opensc-pkcs11.so
- And add at the top of your SSH config file ~/.ssh/config:
PKCS11Provider /usr/local/lib/opensc-pkcs11.so
And that's enough to make ssh possible.
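The three platform sections all come down to the same two checks: the OpenSC library actually exists at the path you name, and the PKCS11Provider line sits above any Host block (ssh keeps the first value it reads for an option, so the top line is the one that applies everywhere). The following added example, not part of the page, probes the library paths listed above for the current OS and rewrites a ~/.ssh/config text so it carries exactly one global PKCS11Provider line; the function and dictionary names are this example's own.

```python
import os
import platform

# opensc-pkcs11.so locations named on this page, probed in order per OS.
CANDIDATES = {
    "Linux": ["/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so",  # Debian
              "/usr/lib/opensc-pkcs11.so"],                          # Archlinux
    "Darwin": ["/usr/local/lib/opensc-pkcs11.so"],                   # Mac OS X, after brew + ln
}

def find_provider(system=None, exists=os.path.exists):
    """First candidate library present for this OS, or None when OpenSC is not installed."""
    for path in CANDIDATES.get(system or platform.system(), []):
        if exists(path):
            return path
    return None

def _opens_block(line):  # Host/Match start a scoped block; lines before the first are global
    return line.strip().lower().split(None, 1)[:1] in (["host"], ["match"])

def with_pkcs11_provider(config_text, provider):
    """Return the config with one PKCS11Provider line at the top.

    ssh uses the first value it obtains for each option, so the top line wins for
    every host. A stale global PKCS11Provider (e.g. an old library path) is dropped;
    lines inside Host/Match blocks are left untouched.
    """
    lines = config_text.splitlines()
    first = next((i for i, l in enumerate(lines) if _opens_block(l)), len(lines))
    glob = [l for l in lines[:first] if not l.strip().lower().startswith("pkcs11provider")]
    return "\n".join([f"PKCS11Provider {provider}"] + glob + lines[first:]) + "\n"
```

A quick sanity check after writing the file is `ssh-keygen -D <provider path>`, which lists the public keys the library exposes; if it prints nothing, the token or the library path is the problem rather than the config.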
SSH Agent
To be found out.
Disk Encryption
LUKS
LUKS is the standard for Linux disk encryption and can easily be set up while installing a system, e.g. with the Debian installer. During LUKS setup, set a 'normal' passphrase; this serves as a backup for when you lose your Yubikey. Furthermore, the following installation has to be executed on the running system, so you will need the passphrase to unlock the disk before continuing.
The following method has been tested on Debian 4.19 with a Yubikey NEO.
1. Run sudo fdisk -l | grep crypt to see on which drive your LUKS container exists. If it returns something like /dev/mapper/sda5_crypt, the partition should be sda5.
2. Run sudo cryptsetup luksDump /dev/[partition] to check which key slots are in use. Usually only slot 0 will be in use.
3. Install yubikey-luks by running sudo apt-get install yubikey-luks
More information
https://wiki.archlinux.org/index.php/YubiKey: a lot of information about Linux and Yubikey.
https://archive.fosdem.org/2018/schedule/event/smartcards_in_linux/attachments/slides/2265/export/events/attachments/smartcards_in_linux/slides/2265/smart_cards_slides.pdf: FOSDEM presentation.