@ -105,20 +105,20 @@ Is this correct? (y/N) <b>y</b>
GnuPG needs to construct a user ID to identify your key.GnuPG needs to construct a user ID to identify your key.
Real name: Dummy
Email address: dummy@dummy.co
Real name: < b > < / b >
Email address: < b > < / b >
Comment:Comment:
You selected this USER-ID:You selected this USER-ID:
"Dummy < dummy @ dummy . co > " "Dummy < dummy @ dummy . co > "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? < b > < / b >
gpg: /home/user/.gnupg/trustdb.gpg: trustdb createdgpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key B4A67FB911B1ED6B marked as ultimately trustedgpg: key B4A67FB911B1ED6B marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' createdgpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev'gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev'
public and secret key created and signed.public and secret key created and signed.
gpg/card> list
gpg/card> < b > < / b >
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000Application ID ...: D2760001240103040006152800150000
@ -151,26 +151,25 @@ ssb> ed25519/B1B9E83616EF39E7 created: 2020-10-05 expires: never
card-no: 0006 15280015 card-no: 0006 15280015
ssb> cv25519/286C74DF11045D46 created: 2020-10-05 expires: never ssb> cv25519/286C74DF11045D46 created: 2020-10-05 expires: never
card-no: 0006 15280015 card-no: 0006 15280015
gpg/card> quit
gpg/card> < b > < / b >
pub ed25519 2020-10-05 [SC]pub ed25519 2020-10-05 [SC]
A157C7E15F3D6C7445B40626B4A67FB911B1ED6B A157C7E15F3D6C7445B40626B4A67FB911B1ED6B
uid Dummy < dummy @ dummy . co > uid Dummy < dummy @ dummy . co >
sub ed25519 2020-10-05 [A]sub ed25519 2020-10-05 [A]
sub cv25519 2020-10-05 [E]sub cv25519 2020-10-05 [E]
$ ssh-add -L
$ < b > < / b >
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
$ < b > mkdir sshca< / b >
$ < b > ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca< / b >
$ < b > cat sshca/ca.pub< / b >
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CAssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
$ < b > < / b >
$ < b > < / b >
Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid foreverSigned user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever
$ mkdir ~/.ssh
$ cp sshca/id_ed25519-cert.pub ~/.ssh/
$ ssh-keygen -Lf .ssh/id_ed25519-cert.pub
$ < b > < / b >
$ < b > < / b >
$ < b > < / b >
.ssh/id_ed25519-cert.pub:.ssh/id_ed25519-cert.pub:
Type: ssh-ed25519-cert-v01@openssh.com user certificate Type: ssh-ed25519-cert-v01@openssh.com user certificate
Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM
@ -190,188 +189,189 @@ $ ssh-keygen -Lf .ssh/id_ed25519-cert.pub
At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory.At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory.
You should have something like :You should have something like :
server:~# cat .ssh/authorized_keys
server:~# < b > < / b >
cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
Note the line beginning with cert-authority which is not common. For reference, read "AUTHORIZED_KEYS FILE FORMAT" chapter here : [http://man.he.net/man5/authorized_keys ](http://man.he.net/man5/authorized_keys )Note the line beginning with cert-authority which is not common. For reference, read "AUTHORIZED_KEYS FILE FORMAT" chapter here : [http://man.he.net/man5/authorized_keys ](http://man.he.net/man5/authorized_keys )
Now, try to login :Now, try to login :
$ ssh root@server
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
Password:
< pre >
$ < b > ssh root@server< / b >
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
Password:
< / pre >
So we're completely out of luck : authentication doesn't works.So we're completely out of luck : authentication doesn't works.
For comparison, let's try with an NIST P384 key :For comparison, let's try with an NIST P384 key :
$ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey...
Success! All data has been cleared and default PINs are set.
PIN: 123456
Reset code: NOT SET
Admin PIN: 12345678
$ rm -R .gnupg
$ rm -R .ssh
$ gpg --card-edit
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15280015
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> key-attr
Changing card key attribute for: Signature key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? 4
The card will now be re-configured to generate a key of type: nistp384
Note: There is no guarantee that the card supports the requested size.
If the key generation does not succeed, please check the
documentation of your card to see what sizes are allowed.
Changing card key attribute for: Encryption key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? 4
The card will now be re-configured to generate a key of type: nistp384
Changing card key attribute for: Authentication key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? 4
The card will now be re-configured to generate a key of type: nistp384
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
You should change them using the command --change-pin
Please specify how long the key should be valid.
0 = key does not expire
< n > = key expires in n days
< n > w = key expires in n weeks
< n > m = key expires in n months
< n > y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Dummy
Email address: dummy@dummy.co
Comment:
You selected this USER-ID:
"Dummy < dummy @ dummy . co > "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key BA792909F5154B7A marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B591751A56B42EA25C8BEF60BA792909F5154B7A.rev'
public and secret key created and signed.
gpg/card> list
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15280015
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: nistp384 nistp384 nistp384
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: B591 751A 56B4 2EA2 5C8B EF60 BA79 2909 F515 4B7A
created ....: 2020-10-05 10:04:12
Encryption key....: F087 DFD0 65E8 AFE3 8835 41EA 062D F688 F54D 721D
created ....: 2020-10-05 10:04:12
Authentication key: 8556 35FB BFD2 E642 8CFC D41B 47B0 098B 165E 8325
created ....: 2020-10-05 10:04:12
General key info..:
pub nistp384/BA792909F5154B7A 2020-10-05 Dummy < dummy @ dummy . co >
sec> nistp384/BA792909F5154B7A created: 2020-10-05 expires: never
card-no: 0006 15280015
ssb> nistp384/47B0098B165E8325 created: 2020-10-05 expires: never
card-no: 0006 15280015
ssb> nistp384/062DF688F54D721D created: 2020-10-05 expires: never
card-no: 0006 15280015
gpg/card> quit
pub nistp384 2020-10-05 [SC]
B591751A56B42EA25C8BEF60BA792909F5154B7A
uid Dummy < dummy @ dummy . co >
sub nistp384 2020-10-05 [A]
sub nistp384 2020-10-05 [E]
$ ssh-add -L > sshca/id_ecdsa.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub
Signed user key sshca/id_ecdsa-cert.pub: id "test-dummy" serial 0 valid forever
$ cp sshca/id_ecdsa-cert.pub ~/.ssh/
$ ssh-keygen -Lf .ssh/id_ecdsa-cert.pub
.ssh/id_ecdsa-cert.pub:
Type: ecdsa-sha2-nistp384-cert-v01@openssh.com user certificate
Public key: ECDSA-CERT SHA256:N3JmjLOQ5VClsChOlmeyh5a8kF0RCMdAOz1VWde8lwk
Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519)
Key ID: "test-dummy"
Serial: 0
Valid: forever
Principals: (none)
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
$ ssh root@server
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
root@server:~#
< pre >
$ < b > ykman openpgp reset< / b >
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey...
Success! All data has been cleared and default PINs are set.
PIN: 123456
Reset code: NOT SET
Admin PIN: 12345678
$ < b > rm -R .gnupg< / b >
$ < b > rm -R .ssh< / b >
$ < b > gpg --card-edit< / b >
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15280015
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> < b > admin< / b >
Admin commands are allowed
gpg/card> < b > key-attr< / b >
Changing card key attribute for: Signature key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? < b > 2< / b >
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? < b > 4< / b >
The card will now be re-configured to generate a key of type: nistp384
Note: There is no guarantee that the card supports the requested size.
If the key generation does not succeed, please check the
documentation of your card to see what sizes are allowed.
Changing card key attribute for: Encryption key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? < b > 2< / b >
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? < b > 4< / b >
The card will now be re-configured to generate a key of type: nistp384
Changing card key attribute for: Authentication key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? < b > 2< / b >
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? < b > 4< / b >
The card will now be re-configured to generate a key of type: nistp384
gpg/card> < b > generate< / b >
Make off-card backup of encryption key? (Y/n) < b > n< / b >
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
You should change them using the command --change-pin
Please specify how long the key should be valid.
0 = key does not expire
< n > = key expires in n days
< n > w = key expires in n weeks
< n > m = key expires in n months
< n > y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) < b > y< / b >
GnuPG needs to construct a user ID to identify your key.
Real name: < b > Dummy< / b >
Email address: < b > dummy@dummy.co< / b >
Comment:
You selected this USER-ID:
"Dummy < dummy @ dummy . co > "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? < b > o< / b >
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key BA792909F5154B7A marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B591751A56B42EA25C8BEF60BA792909F5154B7A.rev'
public and secret key created and signed.
gpg/card> < b > list< / b >
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15280015
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: nistp384 nistp384 nistp384
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: B591 751A 56B4 2EA2 5C8B EF60 BA79 2909 F515 4B7A
created ....: 2020-10-05 10:04:12
Encryption key....: F087 DFD0 65E8 AFE3 8835 41EA 062D F688 F54D 721D
created ....: 2020-10-05 10:04:12
Authentication key: 8556 35FB BFD2 E642 8CFC D41B 47B0 098B 165E 8325
created ....: 2020-10-05 10:04:12
General key info..:
pub nistp384/BA792909F5154B7A 2020-10-05 Dummy < dummy @ dummy . co >
sec> nistp384/BA792909F5154B7A created: 2020-10-05 expires: never
card-no: 0006 15280015
ssb> nistp384/47B0098B165E8325 created: 2020-10-05 expires: never
card-no: 0006 15280015
ssb> nistp384/062DF688F54D721D created: 2020-10-05 expires: never
card-no: 0006 15280015
gpg/card> < b > quit< / b >
pub nistp384 2020-10-05 [SC]
B591751A56B42EA25C8BEF60BA792909F5154B7A
uid Dummy < dummy @ dummy . co >
sub nistp384 2020-10-05 [A]
sub nistp384 2020-10-05 [E]
$ < b > ssh-add -L > sshca/id_ecdsa.pub< / b >
$ < b > ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub< / b >
Signed user key sshca/id_ecdsa-cert.pub: id "test-dummy" serial 0 valid forever
$ < b > cp sshca/id_ecdsa-cert.pub ~/.ssh/< / b >
$ < b > ssh-keygen -Lf .ssh/id_ecdsa-cert.pub< / b >
.ssh/id_ecdsa-cert.pub:
Type: ecdsa-sha2-nistp384-cert-v01@openssh.com user certificate
Public key: ECDSA-CERT SHA256:N3JmjLOQ5VClsChOlmeyh5a8kF0RCMdAOz1VWde8lwk
Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519)
Key ID: "test-dummy"
Serial: 0
Valid: forever
Principals: (none)
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
$ < b > ssh root@server< / b >
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
root@server:~#
< / pre >
**Authentication is working as expected here !****Authentication is working as expected here !**
