diff --git a/ssh/yubibug.md b/ssh/yubibug.md index 94f83e9..ab44d04 100644 --- a/ssh/yubibug.md +++ b/ssh/yubibug.md @@ -105,20 +105,20 @@ Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. -Real name: Dummy -Email address: dummy@dummy.co +Real name: Dummy +Email address: dummy@dummy.co Comment: You selected this USER-ID: "Dummy " -Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O +Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key B4A67FB911B1ED6B marked as ultimately trusted gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev' public and secret key created and signed. -gpg/card> list +gpg/card> list Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 Application ID ...: D2760001240103040006152800150000 @@ -151,26 +151,25 @@ ssb> ed25519/B1B9E83616EF39E7 created: 2020-10-05 expires: never card-no: 0006 15280015 ssb> cv25519/286C74DF11045D46 created: 2020-10-05 expires: never card-no: 0006 15280015 -gpg/card> quit +gpg/card> quit pub ed25519 2020-10-05 [SC] A157C7E15F3D6C7445B40626B4A67FB911B1ED6B uid Dummy sub ed25519 2020-10-05 [A] sub cv25519 2020-10-05 [E] -$ ssh-add -L +$ ssh-add -L ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015 - -$ mkdir sshca -$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca -$ cat sshca/ca.pub +$ mkdir sshca +$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca +$ cat sshca/ca.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA -$ ssh-add -L > sshca/id_ed25519.pub -$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub +$ ssh-add -L > sshca/id_ed25519.pub +$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever -$ mkdir ~/.ssh -$ cp sshca/id_ed25519-cert.pub ~/.ssh/ -$ ssh-keygen -Lf .ssh/id_ed25519-cert.pub +$ mkdir ~/.ssh +$ cp sshca/id_ed25519-cert.pub ~/.ssh/ +$ ssh-keygen -Lf .ssh/id_ed25519-cert.pub .ssh/id_ed25519-cert.pub: Type: ssh-ed25519-cert-v01@openssh.com user certificate Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM @@ -190,188 +189,189 @@ $ ssh-keygen -Lf .ssh/id_ed25519-cert.pub At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory. You should have something like : - server:~# cat .ssh/authorized_keys + server:~# cat .ssh/authorized_keys cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA Note the line beginning with cert-authority which is not common. For reference, read "AUTHORIZED_KEYS FILE FORMAT" chapter here : [http://man.he.net/man5/authorized_keys](http://man.he.net/man5/authorized_keys) Now, try to login : - - $ ssh root@server - sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation - Password: - +
+$ ssh root@server
+sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
+Password:
+
So we're completely out of luck : authentication doesn't works. For comparison, let's try with an NIST P384 key : - $ ykman openpgp reset - WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y - Resetting OpenPGP data, don't remove your YubiKey... - Success! All data has been cleared and default PINs are set. - PIN: 123456 - Reset code: NOT SET - Admin PIN: 12345678 - $ rm -R .gnupg - $ rm -R .ssh - $ gpg --card-edit - - Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 - Application ID ...: D2760001240103040006152800150000 - Application type .: OpenPGP - Version ..........: 3.4 - Manufacturer .....: Yubico - Serial number ....: 15280015 - Name of cardholder: [not set] - Language prefs ...: [not set] - Salutation .......: - URL of public key : [not set] - Login data .......: [not set] - Signature PIN ....: not forced - Key attributes ...: rsa2048 rsa2048 rsa2048 - Max. PIN lengths .: 127 127 127 - PIN retry counter : 3 0 3 - Signature counter : 0 - KDF setting ......: off - Signature key ....: [none] - Encryption key....: [none] - Authentication key: [none] - General key info..: [none] - - gpg/card> admin - Admin commands are allowed - - gpg/card> key-attr - Changing card key attribute for: Signature key - Please select what kind of key you want: - (1) RSA - (2) ECC - Your selection? 2 - Please select which elliptic curve you want: - (1) Curve 25519 - (4) NIST P-384 - Your selection? 4 - The card will now be re-configured to generate a key of type: nistp384 - Note: There is no guarantee that the card supports the requested size. - If the key generation does not succeed, please check the - documentation of your card to see what sizes are allowed. - Changing card key attribute for: Encryption key - Please select what kind of key you want: - (1) RSA - (2) ECC - Your selection? 2 - Please select which elliptic curve you want: - (1) Curve 25519 - (4) NIST P-384 - Your selection? 4 - The card will now be re-configured to generate a key of type: nistp384 - Changing card key attribute for: Authentication key - Please select what kind of key you want: - (1) RSA - (2) ECC - Your selection? 2 - Please select which elliptic curve you want: - (1) Curve 25519 - (4) NIST P-384 - Your selection? 4 - The card will now be re-configured to generate a key of type: nistp384 - - gpg/card> generate - Make off-card backup of encryption key? (Y/n) n - - Please note that the factory settings of the PINs are - PIN = '123456' Admin PIN = '12345678' - You should change them using the command --change-pin - - Please specify how long the key should be valid. - 0 = key does not expire - = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years - Key is valid for? (0) - Key does not expire at all - Is this correct? (y/N) y - - GnuPG needs to construct a user ID to identify your key. - - Real name: Dummy - Email address: dummy@dummy.co - Comment: - You selected this USER-ID: - "Dummy " - - Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o - gpg: /home/user/.gnupg/trustdb.gpg: trustdb created - gpg: key BA792909F5154B7A marked as ultimately trusted - gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created - gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B591751A56B42EA25C8BEF60BA792909F5154B7A.rev' - public and secret key created and signed. - - - gpg/card> list - - Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 - Application ID ...: D2760001240103040006152800150000 - Application type .: OpenPGP - Version ..........: 3.4 - Manufacturer .....: Yubico - Serial number ....: 15280015 - Name of cardholder: [not set] - Language prefs ...: [not set] - Salutation .......: - URL of public key : [not set] - Login data .......: [not set] - Signature PIN ....: not forced - Key attributes ...: nistp384 nistp384 nistp384 - Max. PIN lengths .: 127 127 127 - PIN retry counter : 3 0 3 - Signature counter : 4 - KDF setting ......: off - Signature key ....: B591 751A 56B4 2EA2 5C8B EF60 BA79 2909 F515 4B7A - created ....: 2020-10-05 10:04:12 - Encryption key....: F087 DFD0 65E8 AFE3 8835 41EA 062D F688 F54D 721D - created ....: 2020-10-05 10:04:12 - Authentication key: 8556 35FB BFD2 E642 8CFC D41B 47B0 098B 165E 8325 - created ....: 2020-10-05 10:04:12 - General key info..: - pub nistp384/BA792909F5154B7A 2020-10-05 Dummy - sec> nistp384/BA792909F5154B7A created: 2020-10-05 expires: never - card-no: 0006 15280015 - ssb> nistp384/47B0098B165E8325 created: 2020-10-05 expires: never - card-no: 0006 15280015 - ssb> nistp384/062DF688F54D721D created: 2020-10-05 expires: never - card-no: 0006 15280015 - - gpg/card> quit - pub nistp384 2020-10-05 [SC] - B591751A56B42EA25C8BEF60BA792909F5154B7A - uid Dummy - sub nistp384 2020-10-05 [A] - sub nistp384 2020-10-05 [E] - - $ ssh-add -L > sshca/id_ecdsa.pub - $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub - Signed user key sshca/id_ecdsa-cert.pub: id "test-dummy" serial 0 valid forever - $ cp sshca/id_ecdsa-cert.pub ~/.ssh/ - $ ssh-keygen -Lf .ssh/id_ecdsa-cert.pub - .ssh/id_ecdsa-cert.pub: - Type: ecdsa-sha2-nistp384-cert-v01@openssh.com user certificate - Public key: ECDSA-CERT SHA256:N3JmjLOQ5VClsChOlmeyh5a8kF0RCMdAOz1VWde8lwk - Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519) - Key ID: "test-dummy" - Serial: 0 - Valid: forever - Principals: (none) - Critical Options: (none) - Extensions: - permit-X11-forwarding - permit-agent-forwarding - permit-port-forwarding - permit-pty - permit-user-rc - $ ssh root@server - Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64) - root@server:~# +
+$ ykman openpgp reset
+WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
+Resetting OpenPGP data, don't remove your YubiKey...
+Success! All data has been cleared and default PINs are set.
+PIN:         123456
+Reset code:  NOT SET
+Admin PIN:   12345678
+$ rm -R .gnupg
+$ rm -R .ssh
+$ gpg --card-edit
+
+Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
+Application ID ...: D2760001240103040006152800150000
+Application type .: OpenPGP
+Version ..........: 3.4
+Manufacturer .....: Yubico
+Serial number ....: 15280015
+Name of cardholder: [not set]
+Language prefs ...: [not set]
+Salutation .......:
+URL of public key : [not set]
+Login data .......: [not set]
+Signature PIN ....: not forced
+Key attributes ...: rsa2048 rsa2048 rsa2048
+Max. PIN lengths .: 127 127 127
+PIN retry counter : 3 0 3
+Signature counter : 0
+KDF setting ......: off
+Signature key ....: [none]
+Encryption key....: [none]
+Authentication key: [none]
+General key info..: [none]
+
+gpg/card> admin
+Admin commands are allowed
+
+gpg/card> key-attr
+Changing card key attribute for: Signature key
+Please select what kind of key you want:
+   (1) RSA
+   (2) ECC
+Your selection? 2
+Please select which elliptic curve you want:
+   (1) Curve 25519
+   (4) NIST P-384
+Your selection? 4
+The card will now be re-configured to generate a key of type: nistp384
+Note: There is no guarantee that the card supports the requested size.
+      If the key generation does not succeed, please check the
+      documentation of your card to see what sizes are allowed.
+Changing card key attribute for: Encryption key
+Please select what kind of key you want:
+   (1) RSA
+   (2) ECC
+Your selection? 2
+Please select which elliptic curve you want:
+   (1) Curve 25519
+   (4) NIST P-384
+Your selection? 4
+The card will now be re-configured to generate a key of type: nistp384
+Changing card key attribute for: Authentication key
+Please select what kind of key you want:
+   (1) RSA
+   (2) ECC
+Your selection? 2
+Please select which elliptic curve you want:
+   (1) Curve 25519
+   (4) NIST P-384
+Your selection? 4
+The card will now be re-configured to generate a key of type: nistp384
+
+gpg/card> generate
+Make off-card backup of encryption key? (Y/n) n
+
+Please note that the factory settings of the PINs are
+   PIN = '123456'     Admin PIN = '12345678'
+You should change them using the command --change-pin
+
+Please specify how long the key should be valid.
+         0 = key does not expire
+        = key expires in n days
+      w = key expires in n weeks
+      m = key expires in n months
+      y = key expires in n years
+Key is valid for? (0)
+Key does not expire at all
+Is this correct? (y/N) y
+
+GnuPG needs to construct a user ID to identify your key.
+
+Real name: Dummy
+Email address: dummy@dummy.co
+Comment:
+You selected this USER-ID:
+    "Dummy "
+
+Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
+gpg: key BA792909F5154B7A marked as ultimately trusted
+gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
+gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B591751A56B42EA25C8BEF60BA792909F5154B7A.rev'
+public and secret key created and signed.
+
+gpg/card> list
+
+Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
+Application ID ...: D2760001240103040006152800150000
+Application type .: OpenPGP
+Version ..........: 3.4
+Manufacturer .....: Yubico
+Serial number ....: 15280015
+Name of cardholder: [not set]
+Language prefs ...: [not set]
+Salutation .......:
+URL of public key : [not set]
+Login data .......: [not set]
+Signature PIN ....: not forced
+Key attributes ...: nistp384 nistp384 nistp384
+Max. PIN lengths .: 127 127 127
+PIN retry counter : 3 0 3
+Signature counter : 4
+KDF setting ......: off
+Signature key ....: B591 751A 56B4 2EA2 5C8B  EF60 BA79 2909 F515 4B7A
+      created ....: 2020-10-05 10:04:12
+Encryption key....: F087 DFD0 65E8 AFE3 8835  41EA 062D F688 F54D 721D
+      created ....: 2020-10-05 10:04:12
+Authentication key: 8556 35FB BFD2 E642 8CFC  D41B 47B0 098B 165E 8325
+      created ....: 2020-10-05 10:04:12
+General key info..:
+pub  nistp384/BA792909F5154B7A 2020-10-05 Dummy 
+sec>  nistp384/BA792909F5154B7A  created: 2020-10-05  expires: never     
+                                 card-no: 0006 15280015
+ssb>  nistp384/47B0098B165E8325  created: 2020-10-05  expires: never     
+                                 card-no: 0006 15280015
+ssb>  nistp384/062DF688F54D721D  created: 2020-10-05  expires: never     
+                                 card-no: 0006 15280015
+
+gpg/card> quit
+pub   nistp384 2020-10-05 [SC]
+      B591751A56B42EA25C8BEF60BA792909F5154B7A
+uid                      Dummy 
+sub   nistp384 2020-10-05 [A]
+sub   nistp384 2020-10-05 [E]
+
+$ ssh-add -L > sshca/id_ecdsa.pub
+$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub
+Signed user key sshca/id_ecdsa-cert.pub: id "test-dummy" serial 0 valid forever
+$ cp sshca/id_ecdsa-cert.pub ~/.ssh/
+$ ssh-keygen -Lf .ssh/id_ecdsa-cert.pub
+.ssh/id_ecdsa-cert.pub:
+        Type: ecdsa-sha2-nistp384-cert-v01@openssh.com user certificate
+        Public key: ECDSA-CERT SHA256:N3JmjLOQ5VClsChOlmeyh5a8kF0RCMdAOz1VWde8lwk
+        Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519)
+        Key ID: "test-dummy"
+        Serial: 0
+        Valid: forever
+        Principals: (none)
+        Critical Options: (none)
+        Extensions:
+                permit-X11-forwarding
+                permit-agent-forwarding
+                permit-port-forwarding
+                permit-pty
+                permit-user-rc
+$ ssh root@server
+Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
+root@server:~#
+
**Authentication is working as expected here !**