Blog IndexPosts by TagHome

Notes to myself about YubiKeys

Posted <2022-02-21 Mon 19:19> by Aaron S. Jackson.

There are three ways to use a YubiKey as an SSH key.

Interoperability

OpenPGP keys are accessed through an emulated CCID interface. If you are using GPG anyway, it makes sense to make an RSA 2048 key on your YubiKey. FIDO keys aren't quit there yet in terms of support - event CentOS 8 Stream doesn't include a version of OpenSSH newer than 8.2 yet.

An ECDSA PIV key can be accessed both via the PKCS11 or the OpenPGP API interface, which may make them one of the better choices.

Generating keys

  1. OpenPGP

    $ gpg --card-edit
    gpg/card> key-attr
    Changing card key attribute for: Signature key
    Please select what kind of key you want:
       (1) RSA
       (2) ECC
    Your selection? 1
    What keysize do you want? (2048) 4096
    The card will now be re-configured to generate a key of 4096 bits
    gpg/card> generate
    ...
    
  2. FIDO2

    $ ssh-keygen -t ed25519-sk
    ...
    
  3. PIV

    $ ykman piv keys generate -a ECCP384 --touch-policy never 9a public.pem
    $ ykman piv certificates generate -s "SSH Key" -d $(( 365 * 5 )) -a SHA512 9a public.pem
    

    You can set the touch-policy to always if you want but this will get annoying if yo are running things like Ansible playbooks across a number of hosts.

    Note: As of version 2.3.0 of yubico-piv-tool / libykcs11, PIV authentication via NFC should just work! Which is awesome because my key's contacts were wearing out 😅.

Using the keys

In order to allow me to easily switch between gpg-agent and ssh-agent, I have the following my my .bashrc file.

function g () {
    # this function overloads the SSH_AUTH_SOCK, setting it to use
    # gpg-agent rather than the default ssh-agent.
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) $@
}

# XFCE starts an ssh-agent automatically, with its address in /tmp,
# but for some reason this prevents PIV PKCS11 plugins from being
# loaded.
[ ! -S $HOME/.ssh/ssh-agent ] && eval $(ssh-agent -a $HOME/.ssh/ssh-agent)
export SSH_AUTH_SOCK=$HOME/.ssh/ssh-agent

function piv () {
    ssh-add -e /usr/lib64/libykcs11.so 2> /dev/null
    ssh-add -s /usr/lib64/libykcs11.so
}

gpgconf --launch gpg-agent

If you decided to use FIDO, you can pull those keys in with

$ ssh-add -K

My YubiKey has been setup with OpenPGP, FIDO and PIV keys. Example:

[aaron@carbon ~]$ g ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN7w0golW9xPJ63M7LutyxOYEPoNYPC7KOgkfiAKsSxgjFWCRpvhbWJyP8D3QiZaqf7fnyQsFEzlSx4a+IyER7wAV2/rsseJcsvhxbH/dE8o72sxFpGN6N1jqpVdvKyiqR20g0r+OOdO07eSnZ06tG51FJUbqVSMGOEh7T8g8wwMZ6g+FAxN4Csih8ov9OGyksHv1AH/Movx9d/EzHrekM/gu2i4/rwQSFydZXLXF99rJVbnTNFOs0FmrQC3Xv2BpyxG/AW8RpaIA4lbxIYEPgx0gk5OEehrO1AkSjzXK7HL2qApxn8CJv5oKMCV2iAZrO92ccjNdt8V7OIOg/tCgF cardno:16 134 538
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJNyvJg5DxGRdhRmvN2amr8bhcBlH0Km8VbbPxYXfoUp2YfxTlRsZZDdwru3SXcS6GKr5bjLIA7+v5qiTRJS8pwzdfNfO7K4jbTaM+IWb7NCU+H51DM8LFptLUylLLG3hw== cardno:16 134 538
[aaron@carbon ~]$
[aaron@carbon ~]$ ssh-add -L
The agent has no identities.
[aaron@carbon ~]$ ssh-add -K
Enter PIN for authenticator:
Resident identity added: ED25519-SK SHA256:zSOC7nGCvJ6weSUvzIl1HXcRW1qI5lpH+JD6pzTT/HM
[aaron@carbon ~]$ ssh-add -L
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIN/J6zLB7iDWi71aD9Gx9xlCUKCyk7Bl6qR+ZJKQCxHsAAAABHNzaDo=
[aaron@carbon ~]$
[aaron@carbon ~]$ piv
Enter passphrase for PKCS#11:
Card added: /usr/lib64/libykcs11.so
[aaron@carbon ~]$ ssh-add -L
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIN/J6zLB7iDWi71aD9Gx9xlCUKCyk7Bl6qR+ZJKQCxHsAAAABHNzaDo=
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJNyvJg5DxGRdhRmvN2amr8bhcBlH0Km8VbbPxYXfoUp2YfxTlRsZZDdwru3SXcS6GKr5bjLIA7+v5qiTRJS8pwzdfNfO7K4jbTaM+IWb7NCU+H51DM8LFptLUylLLG3hw== Public key for PIV Authentication
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTN0lYaeRosTxFv5M/uJJ9+ElX1IkSnYx7hBx9WJ2AerIh2jSWu4GTr1EXWeuZLeL4bXLJSH/KYA9mRxAKmazQTbcOaG57VVGkF51yxW07/FKt+7SoBZOyWn+TnuvLq+SJ2tBTVzGXYqh0fcpOadmZqyRAPx4a3FfByYs6aEp6boZKqE3/dDOdoOFmZVQC9QpI5ojM7Gfa7WYMeEbBoeFHt2SWwPA3uieLhZZfUYle3OkHyPomGirKpfBJur5yTng9/NSg4V3/bIrIVENedC/Ns0vv5p9vEFBAzHGjV7bgM0T9yn4rT15PsaHVStqjqZ5pKyw3hpUV+aSELY1qkYox Public key for PIV Attestation
[aaron@carbon ~]$

Notice that the ecdsa key is accessible via both PIV and GPG. This is my preferred key, but I tend to add the RSA key also. The attestation RSA key is not suitable for SSH authentication (as far as I know).

Wanting to leave a comment?

Comments and feedback are welcome by email (aaron@nospam-aaronsplace.co.uk).

Related posts:

Tags: computing

Blog IndexPosts by TagHome

Copyright 2007-2022 Aaron S. Jackson (compiled: Fri 10 Jun 23:03:07 BST 2022)