On Mon, Aug 13, 2018 at 1:09 PM Damien Miller <djm@xxxxxxxxxxx> wrote:
> If someone can recommend hardware and some instructions on how to
> set it up that will only improve the chances of this happening sooner.

In order to test with Yubikey, you need two pieces of software:

- yubico-piv-tool (https://developers.yubico.com/yubico-piv-tool/) needed
  to generate the keys and certificates (*) on the token.
- OpenSC (https://github.com/OpenSC/OpenSC) which is a PKCS#11 middleware
  that supports many smart cards or tokens.

Here are the instructions for ECC P-256:

$ yubico-piv-tool -s 9a -a generate -A ECCP256 -o eccp256.pub
Successfully generated a new private key.
$ yubico-piv-tool -s 9a -a verify -P 123456 -a selfsign -S '/CN=ECC-P256/' -i eccp256.pub -o eccp256.crt
Successfully verified PIN.
Successfully generated a new self signed certificate.
$ yubico-piv-tool -s 9a -a import-certificate -i eccp256.crt
Successfully imported a new certificate.

I am including the instructions for RSA (2048 bits) for completeness:

$ yubico-piv-tool -s 9d -a generate -A RSA2048 -o rsa2048.pub
Successfully generated a new private key.
$ yubico-piv-tool -s 9d -a verify -P 123456 -a selfsign -S '/CN=RSA-2048/' -i rsa2048.pub -o rsa2048.crt
Successfully verified PIN.
Successfully generated a new self signed certificate.
$ yubico-piv-tool -s 9d -a import-certificate -i rsa2048.crt
Successfully imported a new certificate.

I would advise against using slots 9c and 9e for SSH authentication: the
first requires re-authentication before each operation and the second
does not need PIN entry (**).

The following should work for other types of cards / tokens supported by
OpenSC.

$ export PKCS11=/absolute/path/to/file/opensc-pkcs11.so
# I really want to point out that /absolute/path/to/file/opensc-pkcs11.so
# should be an absolute path to a file, because openssh will dereference
# symbolic links and build the absolute path.
$ eval $(./ssh-agent -P $PKCS11)
Agent pid xxxx
$ ./ssh-add -s $PKCS11
Enter passphrase for PKCS#11:
Card added: /absolute/path/to/file/opensc-pkcs11.so
$ ./ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPaNzxqeb9cL3dUve6272MXCni6quduVSW3dLztt1yh9GLh251r6GjMSddYYHU4Pqa3oYcZ/vcl9DnRuaUwsjGSi0TcGA41pq7qTzZc/Ut6AvuZMCM0LwB5b/cn+XAycq8OlkFZyhX2C8SsJqqq+q0IpdWkt/FQYt75IPcMyFeww07a/JIoO2T0p8K/cOE+G3iLNPCrchj2KkbvEKpA3BhtKcDNyrymrRq+VKc9v19lIaVQQk9pRfgL4iVo0SoCqRqANuwWaB5K8KD4Opq/v09l35Wt2yJJ7AT+mM4iDSVWhI3x8u9C0YVNVLIdEGdxlOHGyOEWZyI4ddC2hQIK7n7 /absolute/path/to/file/opensc-pkcs11.so
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEf/KakrNDTqUwd6N+c59a2pJyduDfs1rJ766PEZEa++A/8taEGJ+5i86A+YY0iZ9GiMVXA1AchpvZHFpHy8zMc= /absolute/path/to/file/opensc-pkcs11.so
$ ./ssh-add -l
2048 SHA256:RpeSZsimroIkfUg938vkKY6KnCetYf3d+jXo57Qa3qU /absolute/path/to/file/opensc-pkcs11.so (RSA)
256 SHA256:RNOoWtiNAs84nCntuL3mZDJeZJF0/W7yYeMIiJnh0lo /absolute/path/to/file/opensc-pkcs11.so (ECDSA)
$ ssh -v mytestbox
[...]
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:RpeSZsimroIkfUg938vkKY6KnCetYf3d+jXo57Qa3qU /absolute/path/to/file/opensc-pkcs11.so
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: ECDSA SHA256:RNOoWtiNAs84nCntuL3mZDJeZJF0/W7yYeMIiJnh0lo /absolute/path/to/file/opensc-pkcs11.so
debug1: Server accepts key: pkalg ecdsa-sha2-nistp256 blen 104
debug1: Authentication succeeded (publickey).
[...]

Sincerely,
--
Mathias Brossard

(*) The fact we need to generate a certificate is an artefact of the PIV
model which doesn't provide a method to retrieve a public key except at
generation. ssh-pkcs11-helper expects the PKCS#11 middleware to either
provide the public keys or the certificates to identify the keys present,
and OpenSC only provides them if certificates are present.

(**) These slot identifiers are specific to cards that follow the PIV
standard.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
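As an added example (not code from the mail above or from OpenSSH), the following Python script parses the `ssh-add -L` listing quoted in the mail, recomputes the SHA256 fingerprints that `ssh-add -l` and the `ssh -v` "Offering public key" lines print, and reports any key the agent exposes whose fingerprint is not in the `-l` listing. The sample inputs are the listing lines from the mail; the function names are my own.

```python
import base64
import hashlib
import struct
# Sample input: the two `ssh-add -L` lines quoted in the mail above (blobs and
# provider-path comment copied as written there).
SSH_ADD_L = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPaNzxqeb9cL3dUve6272MXCni6quduVSW3dLztt1yh9GLh251r6GjMSddYYHU4Pqa3oYcZ/vcl9DnRuaUwsjGSi0TcGA41pq7qTzZc/Ut6AvuZMCM0LwB5b/cn+XAycq8OlkFZyhX2C8SsJqqq+q0IpdWkt/FQYt75IPcMyFeww07a/JIoO2T0p8K/cOE+G3iLNPCrchj2KkbvEKpA3BhtKcDNyrymrRq+VKc9v19lIaVQQk9pRfgL4iVo0SoCqRqANuwWaB5K8KD4Opq/v09l35Wt2yJJ7AT+mM4iDSVWhI3x8u9C0YVNVLIdEGdxlOHGyOEWZyI4ddC2hQIK7n7 /absolute/path/to/file/opensc-pkcs11.so
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEf/KakrNDTqUwd6N+c59a2pJyduDfs1rJ766PEZEa++A/8taEGJ+5i86A+YY0iZ9GiMVXA1AchpvZHFpHy8zMc= /absolute/path/to/file/opensc-pkcs11.so
"""
# Sample input: the matching `ssh-add -l` lines from the mail.
SSH_ADD_l = """\
2048 SHA256:RpeSZsimroIkfUg938vkKY6KnCetYf3d+jXo57Qa3qU /absolute/path/to/file/opensc-pkcs11.so (RSA)
256 SHA256:RNOoWtiNAs84nCntuL3mZDJeZJF0/W7yYeMIiJnh0lo /absolute/path/to/file/opensc-pkcs11.so (ECDSA)
"""
def read_string(buf, off):
    """One SSH wire-format string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint(blob):
    """SHA256 fingerprint as ssh-add -l prints it: base64 with '=' padding dropped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def key_bits(blob):
    """Key size as ssh-add -l reports it: RSA modulus bits, or the NIST curve size."""
    ktype, off = read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _, off = read_string(blob, off)      # public exponent e, not needed here
        n, _ = read_string(blob, off)        # modulus n; mpint may carry a leading 0x00
        return int.from_bytes(n, "big").bit_length()
    if ktype.startswith(b"ecdsa-sha2-nistp"):
        curve, _ = read_string(blob, off)    # e.g. b"nistp256"
        return int(curve[len("nistp"):])
    raise ValueError(f"unsupported key type {ktype!r}")

def parse_listing(text):
    """Parse `ssh-add -L` lines into type, bits, fingerprint and comment."""
    keys = []
    for line in filter(str.strip, text.splitlines()):
        ktype, b64, comment = line.split(None, 2)
        blob = base64.b64decode(b64)
        if read_string(blob, 0)[0] != ktype.encode():   # blob must match its label
            raise ValueError(f"blob does not match key type {ktype}")
        keys.append({"type": ktype, "bits": key_bits(blob),
                     "fingerprint": fingerprint(blob), "comment": comment})
    return keys

def unmatched(keys, short_listing):
    """Types of -L keys whose recomputed fingerprint is absent from the -l lines."""
    listed = {line.split()[1] for line in filter(str.strip, short_listing.splitlines())}
    return [k["type"] for k in keys if k["fingerprint"] not in listed]
```

Call `unmatched(parse_listing(SSH_ADD_L), SSH_ADD_l)` to run the cross-check; an empty list means every key the agent exposes from the token is accounted for, and the same fingerprints are what `ssh -v` shows on its "Offering public key" lines.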