Contents
Passwords
One time passwords Mobile
Download the app 'authenticator' from the appstore or playstore.
- Insert your Yubikey in your phone.
- Right top, tap the + sign
- Add your OTP key
One time passwords Desktop
Download the app 'authenticator' from the website
- Insert your Yubikey in your computer.
- Right top, tap the + sign.
- Add your OTP key.
Use SSH
Change codes
To use this, it's recommended that you put a PIN, a PUK and a management code on your Yubikey. To do this, start the GUI, or use the following commands:
ykman piv change-pin ykman piv change-puk ykman piv change-management-key
The default codes for a new Yubikey are:
- PIN: 123456
- PUK: 12345678
- Management: 010203040506070801020304050607080102030405060708
Generate certificates
Now making the Yubikey understand SSH. Generate the private key, certificate and the public SSH-key.
- Generate a private key (EC will not work at the moment)
ykman piv generate-key -a RSA2048 9a pubkey.pem
- Generate a certificate
ykman piv generate-certificate -d 1826 -s "SSH Key" 9a pubkey.pem
- Convert the certificate to a ssh key
ssh-keygen -i -m PKCS8 -f pubkey.pem > pubkey.txt
Configuration
Debian
Add on top to your SSH config file ~/.ssh/config:
PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Mac OS X
For MacOSX, there's more to do:
Make sure you run brew
- Install opensc:
brew install opensc
- Link the right library:
sudo ln `brew list opensc |grep lib/opensc-pkcs11.so` /usr/local/lib/opensc-pkcs11.so
And add on top to your SSH config file ~/.ssh/config:
PKCS11Provider /usr/local/lib/opensc-pkcs11.so
And that's enough to make ssh possible.
SSH Agent
To be found out.
More information
https://wiki.archlinux.org/index.php/YubiKey A lot of information about linux and yubikey.