Files
yubikey.rs/doc/SSH_with_PIV_and_PKCS11.adoc
T
2015-11-06 11:42:36 +02:00

71 lines
2.2 KiB
Plaintext

Using PIV for SSH through PKCS11
--------------------------------
This is a step-by-step for how to get a Neo with PIV to work for
public-key authentication with OpenSSH through PKCS11.
Primarily on a OS X or Linux system.
Prerequisites
-------------
* a YubiKey Neo with the PIV applet loaded
* the yubico-piv-tool software
* the OpenSC software
* OpenSSH
** on OS X for ssh-agent to work a newer OpenSSH than is delivered with the system
[NOTE]
The following example assume that you have not yet changed the management key.
Steps
-----
1. Generate a key in slot 9a (any slot should suffice):
$ yubico-piv-tool -s 9a -a generate -o public.pem
2. Create a selfsigned certificate for that key.
The only use for the X.509 certificate is to make PIV/PKCS#11 lib happy.
They would want to be able to extract the public-key from the smartcard,
and do that through the X.509 certificate.
$ yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
-S "/CN=SSH key/" -i public.pem -o cert.pem
3. Load the certificate:
$ yubico-piv-tool -a import-certificate -s 9a -i cert.pem
4. Find out where OpenSC has installed the pkcs11 module.
* For OS X with binary installation this is typically in `/Library/OpenSC/lib/`
* For a Debian based system this is typically in `/usr/lib/x86_64-linux-gnu/`
+
After this we'll call this location `$OPENSC_LIBS`
5. Export the public key in correct format for ssh and once you got it,
add it to authorized_keys on the target system.
$ ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so -e
+
[NOTE]
The command will export all keys stored on the YubiKey Neo.
Hopefully it will keep the slot order so it should be not hard to guess which
is the public key associated with your targeted private key.
6. Authenticate to the target system using the new key:
$ ssh -I $OPENSC_LIBS/opensc-pkcs11.so user@remote.example.com
7. This can also be setup to work with ssh-agent: (Optional)
$ ssh-add -s $OPENSC_LIBS/opensc-pkcs11.so
+
NOTE: On OS X this typically requires installation of a third-party OpenSSH from Homebrew or the like and using that ssh-agent.
+
To See that the ssh-agent correctly finds that key and getting the public key in correct format:
$ ssh-add -L