altinea
/
install-scripts
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
98 Commits
3 Branches
0 Tags
938 KiB
Tree: 56102cbea9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '56102cbea9'
${ noResults }
install-scripts/ssh/yubibug.md

379 lines
14 KiB
Raw Normal View History

Initial commit
4 years ago
New try to mark in bold user inputs
4 years ago
Augmented visibility on user inputs
4 years ago
New try to mark in bold user inputs
4 years ago
Initial commit
4 years ago
Augmented visibility on user inputs
4 years ago
Ident and anonymize fixes
4 years ago
Initial commit
4 years ago
Ident and anonymize fixes
4 years ago
Initial commit
4 years ago
Ident and anonymize fixes
4 years ago
Initial commit
4 years ago
Ident fixes
4 years ago
Initial commit
4 years ago
Ident fixes
4 years ago
Initial commit
4 years ago
Augmented visibility on user inputs
4 years ago
Initial commit
4 years ago
Ident fixes
4 years ago
Initial commit
4 years ago
Ident fixes
4 years ago
Initial commit
4 years ago
Ident and anonymize fixes
4 years ago
Initial commit
4 years ago
Ident and anonymize fixes
4 years ago
Initial commit
4 years ago
Ident fixes
4 years ago
  2. ## What's wrong with ED25519 and Yubikey 5 ?
  4. #### TL;DR :
  5. In the last weeks, I tried to setup ed25519 gnupg keys for use with SSH on my new Yubikey 5C NFC. It works like a charm but when used with an ED25519 SSH certificate, the authentication failed with an error like :
  7. sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
  9. Let's try it. For this demo, I'll let the Yubikey generate GnuPG's keys. This is easier to setup but not recommended in production as the master key can't be reused to generate other keys.
  10. (see here [https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP))
  12. Let's make things clear :
  13. <pre>
  14. $ <b>rm -R .gnupg</b>
  15. $ <b>rm -R .ssh</b>
  16. $ <b>ykman openpgp reset</b>
  17. WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: <b>y</b>
  18. Resetting OpenPGP data, don't remove your YubiKey...
  19. Success! All data has been cleared and default PINs are set.
  20. PIN: 123456
  21. Reset code: NOT SET
  22. Admin PIN: 12345678
  23. </pre>
  24. Good, let's start with key generation :
  25. <pre>
  26. $ gpg --card-edit
  27. gpg: directory '/home/user/.gnupg' created
  28. gpg: keybox '/home/user/.gnupg/pubring.kbx' created
  30. Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
  31. Application ID ...: D2760001240103040006152800150000
  32. Application type .: OpenPGP
  33. Version ..........: 3.4
  34. Manufacturer .....: Yubico
  35. Serial number ....: 15280015
  36. Name of cardholder: [not set]
  37. Language prefs ...: [not set]
  38. Salutation .......:
  39. URL of public key : [not set]
  40. Login data .......: [not set]
  41. Signature PIN ....: not forced
  42. Key attributes ...: rsa2048 rsa2048 rsa2048
  43. Max. PIN lengths .: 127 127 127
  44. PIN retry counter : 3 0 3
  45. Signature counter : 0
  46. KDF setting ......: off
  47. Signature key ....: [none]
  48. Encryption key....: [none]
  49. Authentication key: [none]
  50. General key info..: [none]
  51. gpg/card> admin
  52. Admin commands are allowed
  53. gpg/card> admin
  54. Admin commands are allowed
  56. gpg/card> key-attr
  57. Changing card key attribute for: Signature key
  58. Please select what kind of key you want:
  59. (1) RSA
  60. (2) ECC
  61. Your selection? 2
  62. Please select which elliptic curve you want:
  63. (1) Curve 25519
  64. (4) NIST P-384
  65. Your selection? 1
  66. The card will now be re-configured to generate a key of type: ed25519
  67. Note: There is no guarantee that the card supports the requested size.
  68. If the key generation does not succeed, please check the
  69. documentation of your card to see what sizes are allowed.
  70. Changing card key attribute for: Encryption key
  71. Please select what kind of key you want:
  72. (1) RSA
  73. (2) ECC
  74. Your selection? 2
  75. Please select which elliptic curve you want:
  76. (1) Curve 25519
  77. (4) NIST P-384
  78. Your selection? 1
  79. The card will now be re-configured to generate a key of type: cv25519
  80. Changing card key attribute for: Authentication key
  81. Please select what kind of key you want:
  82. (1) RSA
  83. (2) ECC
  84. Your selection? 2
  85. Please select which elliptic curve you want:
  86. (1) Curve 25519
  87. (4) NIST P-384
  88. Your selection? 1
  89. The card will now be re-configured to generate a key of type: ed25519
  91. gpg/card> generate
  92. Make off-card backup of encryption key? (Y/n) n
  94. Please note that the factory settings of the PINs are
  95. PIN = '123456' Admin PIN = '12345678'
  96. You should change them using the command --change-pin
  98. Please specify how long the key should be valid.
  99. 0 = key does not expire
  100. <n> = key expires in n days
  101. <n>w = key expires in n weeks
  102. <n>m = key expires in n months
  103. <n>y = key expires in n years
  104. Key is valid for? (0)
  105. Key does not expire at all
  106. Is this correct? (y/N) y
  108. GnuPG needs to construct a user ID to identify your key.
  110. Real name: Dummy
  111. Email address: dummy@dummy.co
  112. Comment:
  113. You selected this USER-ID:
  114. "Dummy <dummy@dummy.co>"
  116. Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  117. gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
  118. gpg: key B4A67FB911B1ED6B marked as ultimately trusted
  119. gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
  120. gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev'
  121. public and secret key created and signed.
  123. gpg/card> list
  125. Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
  126. Application ID ...: D2760001240103040006152800150000
  127. Application type .: OpenPGP
  128. Version ..........: 3.4
  129. Manufacturer .....: Yubico
  130. Serial number ....: 15280015
  131. Name of cardholder: [not set]
  132. Language prefs ...: [not set]
  133. Salutation .......:
  134. URL of public key : [not set]
  135. Login data .......: [not set]
  136. Signature PIN ....: not forced
  137. Key attributes ...: ed25519 cv25519 ed25519
  138. Max. PIN lengths .: 127 127 127
  139. PIN retry counter : 3 0 3
  140. Signature counter : 4
  141. KDF setting ......: off
  142. Signature key ....: A157 C7E1 5F3D 6C74 45B4 0626 B4A6 7FB9 11B1 ED6B
  143. created ....: 2020-10-05 09:45:47
  144. Encryption key....: 2B46 118B DEB3 4AAC 4951 63DE 286C 74DF 1104 5D46
  145. created ....: 2020-10-05 09:45:47
  146. Authentication key: FFE2 8767 DD98 CD3F 587A 19F9 B1B9 E836 16EF 39E7
  147. created ....: 2020-10-05 09:45:47
  148. General key info..:
  149. pub ed25519/B4A67FB911B1ED6B 2020-10-05 Dummy <dummy@dummy.co>
  150. sec> ed25519/B4A67FB911B1ED6B created: 2020-10-05 expires: never
  151. card-no: 0006 15280015
  152. ssb> ed25519/B1B9E83616EF39E7 created: 2020-10-05 expires: never
  153. card-no: 0006 15280015
  154. ssb> cv25519/286C74DF11045D46 created: 2020-10-05 expires: never
  155. card-no: 0006 15280015
  156. gpg/card> quit
  157. pub ed25519 2020-10-05 [SC]
  158. A157C7E15F3D6C7445B40626B4A67FB911B1ED6B
  159. uid Dummy <dummy@dummy.co>
  160. sub ed25519 2020-10-05 [A]
  161. sub cv25519 2020-10-05 [E]
  163. $ ssh-add -L
  164. ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
  166. $ mkdir sshca
  167. $ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
  168. $ cat sshca/ca.pub
  169. ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
  170. $ ssh-add -L > sshca/id_ed25519.pub
  171. $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
  172. Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever
  173. $ mkdir ~/.ssh
  174. $ cp sshca/id_ed25519-cert.pub ~/.ssh/
  175. $ ssh-keygen -Lf .ssh/id_ed25519-cert.pub
  176. .ssh/id_ed25519-cert.pub:
  177. Type: ssh-ed25519-cert-v01@openssh.com user certificate
  178. Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM
  179. Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519)
  180. Key ID: "test-dummy"
  181. Serial: 0
  182. Valid: forever
  183. Principals: (none)
  184. Critical Options: (none)
  185. Extensions:
  186. permit-X11-forwarding
  187. permit-agent-forwarding
  188. permit-port-forwarding
  189. permit-pty
  190. permit-user-rc
  191. </pre>
  192. At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory.
  193. You should have something like :
  195. server:~# cat .ssh/authorized_keys
  196. cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
  198. Note the line beginning with cert-authority which is not common. For reference, read "AUTHORIZED_KEYS FILE FORMAT" chapter here : [http://man.he.net/man5/authorized_keys](http://man.he.net/man5/authorized_keys)
  200. Now, try to login :
  202. $ ssh root@server
  203. sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
  204. Password:
  206. So we're completely out of luck : authentication doesn't works.
  208. For comparison, let's try with an NIST P384 key :
  210. $ ykman openpgp reset
  211. WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
  212. Resetting OpenPGP data, don't remove your YubiKey...
  213. Success! All data has been cleared and default PINs are set.
  214. PIN: 123456
  215. Reset code: NOT SET
  216. Admin PIN: 12345678
  217. $ rm -R .gnupg
  218. $ rm -R .ssh
  219. $ gpg --card-edit
  221. Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
  222. Application ID ...: D2760001240103040006152800150000
  223. Application type .: OpenPGP
  224. Version ..........: 3.4
  225. Manufacturer .....: Yubico
  226. Serial number ....: 15280015
  227. Name of cardholder: [not set]
  228. Language prefs ...: [not set]
  229. Salutation .......:
  230. URL of public key : [not set]
  231. Login data .......: [not set]
  232. Signature PIN ....: not forced
  233. Key attributes ...: rsa2048 rsa2048 rsa2048
  234. Max. PIN lengths .: 127 127 127
  235. PIN retry counter : 3 0 3
  236. Signature counter : 0
  237. KDF setting ......: off
  238. Signature key ....: [none]
  239. Encryption key....: [none]
  240. Authentication key: [none]
  241. General key info..: [none]
  243. gpg/card> admin
  244. Admin commands are allowed
  246. gpg/card> key-attr
  247. Changing card key attribute for: Signature key
  248. Please select what kind of key you want:
  249. (1) RSA
  250. (2) ECC
  251. Your selection? 2
  252. Please select which elliptic curve you want:
  253. (1) Curve 25519
  254. (4) NIST P-384
  255. Your selection? 4
  256. The card will now be re-configured to generate a key of type: nistp384
  257. Note: There is no guarantee that the card supports the requested size.
  258. If the key generation does not succeed, please check the
  259. documentation of your card to see what sizes are allowed.
  260. Changing card key attribute for: Encryption key
  261. Please select what kind of key you want:
  262. (1) RSA
  263. (2) ECC
  264. Your selection? 2
  265. Please select which elliptic curve you want:
  266. (1) Curve 25519
  267. (4) NIST P-384
  268. Your selection? 4
  269. The card will now be re-configured to generate a key of type: nistp384
  270. Changing card key attribute for: Authentication key
  271. Please select what kind of key you want:
  272. (1) RSA
  273. (2) ECC
  274. Your selection? 2
  275. Please select which elliptic curve you want:
  276. (1) Curve 25519
  277. (4) NIST P-384
  278. Your selection? 4
  279. The card will now be re-configured to generate a key of type: nistp384
  281. gpg/card> generate
  282. Make off-card backup of encryption key? (Y/n) n
  284. Please note that the factory settings of the PINs are
  285. PIN = '123456' Admin PIN = '12345678'
  286. You should change them using the command --change-pin
  288. Please specify how long the key should be valid.
  289. 0 = key does not expire
  290. <n> = key expires in n days
  291. <n>w = key expires in n weeks
  292. <n>m = key expires in n months
  293. <n>y = key expires in n years
  294. Key is valid for? (0)
  295. Key does not expire at all
  296. Is this correct? (y/N) y
  298. GnuPG needs to construct a user ID to identify your key.
  300. Real name: Dummy
  301. Email address: dummy@dummy.co
  302. Comment:
  303. You selected this USER-ID:
  304. "Dummy <dummy@dummy.co>"
  306. Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  307. gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
  308. gpg: key BA792909F5154B7A marked as ultimately trusted
  309. gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
  310. gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B591751A56B42EA25C8BEF60BA792909F5154B7A.rev'
  311. public and secret key created and signed.
  314. gpg/card> list
  316. Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
  317. Application ID ...: D2760001240103040006152800150000
  318. Application type .: OpenPGP
  319. Version ..........: 3.4
  320. Manufacturer .....: Yubico
  321. Serial number ....: 15280015
  322. Name of cardholder: [not set]
  323. Language prefs ...: [not set]
  324. Salutation .......:
  325. URL of public key : [not set]
  326. Login data .......: [not set]
  327. Signature PIN ....: not forced
  328. Key attributes ...: nistp384 nistp384 nistp384
  329. Max. PIN lengths .: 127 127 127
  330. PIN retry counter : 3 0 3
  331. Signature counter : 4
  332. KDF setting ......: off
  333. Signature key ....: B591 751A 56B4 2EA2 5C8B EF60 BA79 2909 F515 4B7A
  334. created ....: 2020-10-05 10:04:12
  335. Encryption key....: F087 DFD0 65E8 AFE3 8835 41EA 062D F688 F54D 721D
  336. created ....: 2020-10-05 10:04:12
  337. Authentication key: 8556 35FB BFD2 E642 8CFC D41B 47B0 098B 165E 8325
  338. created ....: 2020-10-05 10:04:12
  339. General key info..:
  340. pub nistp384/BA792909F5154B7A 2020-10-05 Dummy <dummy@dummy.co>
  341. sec> nistp384/BA792909F5154B7A created: 2020-10-05 expires: never
  342. card-no: 0006 15280015
  343. ssb> nistp384/47B0098B165E8325 created: 2020-10-05 expires: never
  344. card-no: 0006 15280015
  345. ssb> nistp384/062DF688F54D721D created: 2020-10-05 expires: never
  346. card-no: 0006 15280015
  348. gpg/card> quit
  349. pub nistp384 2020-10-05 [SC]
  350. B591751A56B42EA25C8BEF60BA792909F5154B7A
  351. uid Dummy <dummy@dummy.co>
  352. sub nistp384 2020-10-05 [A]
  353. sub nistp384 2020-10-05 [E]
  355. $ ssh-add -L > sshca/id_ecdsa.pub
  356. $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub
  357. Signed user key sshca/id_ecdsa-cert.pub: id "test-dummy" serial 0 valid forever
  358. $ cp sshca/id_ecdsa-cert.pub ~/.ssh/
  359. $ ssh-keygen -Lf .ssh/id_ecdsa-cert.pub
  360. .ssh/id_ecdsa-cert.pub:
  361. Type: ecdsa-sha2-nistp384-cert-v01@openssh.com user certificate
  362. Public key: ECDSA-CERT SHA256:N3JmjLOQ5VClsChOlmeyh5a8kF0RCMdAOz1VWde8lwk
  363. Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519)
  364. Key ID: "test-dummy"
  365. Serial: 0
  366. Valid: forever
  367. Principals: (none)
  368. Critical Options: (none)
  369. Extensions:
  370. permit-X11-forwarding
  371. permit-agent-forwarding
  372. permit-port-forwarding
  373. permit-pty
  374. permit-user-rc
  375. $ ssh root@server
  376. Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
  377. root@server:~#
  379. **Authentication is working as expected here !**