Differences between revisions 7 and 11 (spanning 4 versions)
Revision 7 as of 2020-01-06 16:18:22
Size: 2356
Editor: Sciuro
Comment:
Revision 11 as of 2020-12-30 21:43:27
Size: 2824
Editor: Burathar
Comment:
Line 1: Line 1:
#acl All:read
Line 33: Line 32:
For more info about PIN, PUK, and Management keys, [[https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html|follow this link]]
Line 53: Line 54:
}}}

==== Archlinux ====
Add on top to your SSH config file ''~/.ssh/config'':
{{{
PKCS11Provider /usr/lib/opensc-pkcs11.so
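Review bot: In the added Archlinux section, `PKCS11Provider /usr/lib/opensc-pkcs11.so` is placed "on top" of ~/.ssh/config, so the module applies to every host the user connects to. Consider suggesting a `Host` block instead, so the provider is only loaded for the servers that use the Yubikey. The new section also repeats the existing instruction sentence with only the library path changed; one sentence followed by a per-distribution list of paths would be easier to keep in sync.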
Line 78: Line 85:
 * [[https://archive.fosdem.org/2018/schedule/event/smartcards_in_linux/attachments/slides/2265/export/events/attachments/smartcards_in_linux/slides/2265/smart_cards_slides.pdf]] FosDem presentation

Passwords

One time passwords Mobile

  • Download the app 'authenticator' from the appstore or playstore.

  • Insert your Yubikey in your phone.
  • In the top right, tap the + sign.
  • Add your OTP key

One time passwords Desktop

  • Download the app 'authenticator' from the website

  • Insert your Yubikey in your computer.
  • In the top right, click the + sign.
  • Add your OTP key.

Use SSH

Change codes

Before using SSH with the Yubikey, it's recommended that you set your own PIN, PUK and management key on it. To do this, start the GUI, or use the following commands:

ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key

The default codes for a new Yubikey are:

  • PIN: 123456
  • PUK: 12345678
  • Management: 010203040506070801020304050607080102030405060708

For more info about PIN, PUK, and Management keys, see https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html

Generate certificates

Now make the Yubikey usable for SSH: generate the private key, the certificate and the public SSH key.

  • Generate a private key in slot 9a (EC will not work at the moment); the public key is written to pubkey.pem

ykman piv generate-key -a RSA2048 9a pubkey.pem

  • Generate a certificate

ykman piv generate-certificate -d 1826 -s "SSH Key" 9a pubkey.pem

  • Convert the public key to an SSH public key

ssh-keygen -i -m PKCS8 -f pubkey.pem > pubkey.txt

Configuration

Debian

Add at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

Archlinux

Add at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/lib/opensc-pkcs11.so

Mac OS X

For Mac OS X, there's more to do:

  • Make sure you have brew installed

  • Install opensc:

brew install opensc

  • Link the right library:

sudo ln `brew list opensc |grep lib/opensc-pkcs11.so` /usr/local/lib/opensc-pkcs11.so

  • And add at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/local/lib/opensc-pkcs11.so

And that's enough to make ssh possible.
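
A check for the configuration step above, as an added example that is not part of the original page or of OpenSSH/OpenSC. It reads an SSH config file, finds each PKCS11Provider entry and verifies that it is an absolute path to an existing library that group and others cannot modify, because that library is loaded as code when ssh runs. The function names are made up for this example, and provider paths are assumed to contain no spaces or '='.

```shell
#!/bin/sh
# Added example (not from the original page): audit the PKCS11Provider
# entries of an ssh_config file. OpenSSH loads that file as a shared
# library, so it must be an absolute path to an existing file that only
# its owner can modify. Assumption: paths contain no spaces or '='.

# True when group or others may write to $1 (symlinks are followed).
writable_by_others() {
    case $(ls -ldL "$1" | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Print "OK <path>" or "FAIL <reason> <path>" for one provider path.
check_provider() {
    case $1 in
        /*) ;;
        *) echo "FAIL relative-path $1"; return 1 ;;
    esac
    [ -f "$1" ] || { echo "FAIL missing $1"; return 1; }
    # The directory matters too: whoever can write to it can swap the file.
    if writable_by_others "$1" || writable_by_others "$(dirname "$1")"; then
        echo "FAIL writable $1"; return 1
    fi
    echo "OK $1"
}

# Check every PKCS11Provider line in config file $1; non-zero on any failure.
audit_ssh_config() {
    cfg=$1
    rc=0
    # Keywords are case-insensitive and may be followed by '=' or blanks.
    providers=$(awk '{ gsub(/=/, " ") }
        tolower($1) == "pkcs11provider" { print $2 }' "$cfg" 2>/dev/null)
    [ -n "$providers" ] || { echo "FAIL no-provider $cfg"; return 1; }
    for p in $providers; do
        check_provider "$p" || rc=1
    done
    return $rc
}

# Usage: sh audit.sh ~/.ssh/config
if [ $# -gt 0 ]; then audit_ssh_config "$1"; fi
```

A "FAIL writable" result for /usr/local/lib/opensc-pkcs11.so means the linked library or its directory can be changed by other accounts on the machine.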

SSH Agent

To be found out.

More information


CategoryHardware

Howto/Yubikey (last edited 2022-04-17 20:23:30 by Sciuro)