Better visibility

4 years ago · 05bba46002
1 changed files with 189 additions and 189 deletions
--- a/ssh/yubibug.md
+++ b/ssh/yubibug.md
@ -105,20 +105,20 @@ Is this correct? (y/N) <b>y</b>
 GnuPG needs to construct a user ID to identify your key.
 Real name: Dummy
 Email address: dummy@dummy.co
 Real name: <b>Dummy</b>
 Email address: <b>dummy@dummy.co</b>
 Comment:
 You selected this USER-ID:
    "Dummy <dummy@dummy.co>"
 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <b>O</b>
 gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
 gpg: key B4A67FB911B1ED6B marked as ultimately trusted
 gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
 gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev'
 public and secret key created and signed.
 gpg/card> list
 gpg/card> <b>list</b>
 Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
 Application ID ...: D2760001240103040006152800150000
@ -151,26 +151,25 @@ ssb>  ed25519/B1B9E83616EF39E7  created: 2020-10-05  expires: never
                                card-no: 0006 15280015
 ssb>  cv25519/286C74DF11045D46  created: 2020-10-05  expires: never     
                                card-no: 0006 15280015
 gpg/card> quit
 gpg/card> <b>quit</b>
 pub   ed25519 2020-10-05 [SC]
      A157C7E15F3D6C7445B40626B4A67FB911B1ED6B
 uid                      Dummy <dummy@dummy.co>
 sub   ed25519 2020-10-05 [A]
 sub   cv25519 2020-10-05 [E]
 $ ssh-add -L
 $ <b>ssh-add -L</b>
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
 $ mkdir sshca
 $ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
 $ cat sshca/ca.pub
 $ <b>mkdir sshca</b>
 $ <b>ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca</b>
 $ <b>cat sshca/ca.pub</b>
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
 $ ssh-add -L > sshca/id_ed25519.pub
 $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
 $ <b>ssh-add -L > sshca/id_ed25519.pub</b>
 $ <b>ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub</b>
 Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever
 $ mkdir ~/.ssh
 $ cp sshca/id_ed25519-cert.pub ~/.ssh/
 $ ssh-keygen -Lf .ssh/id_ed25519-cert.pub
 $ <b>mkdir ~/.ssh</b>
 $ <b>cp sshca/id_ed25519-cert.pub ~/.ssh/</b>
 $ <b>ssh-keygen -Lf .ssh/id_ed25519-cert.pub</b>
 .ssh/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM
@ -190,31 +189,32 @@ $ ssh-keygen -Lf .ssh/id_ed25519-cert.pub
 At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory.
 You should have something like :
    server:~# cat .ssh/authorized_keys
    server:~# <b>cat .ssh/authorized_keys</b>
    cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
 Note the line beginning with cert-authority which is not common. For reference, read "AUTHORIZED_KEYS FILE FORMAT" chapter here : [http://man.he.net/man5/authorized_keys](http://man.he.net/man5/authorized_keys)
 Now, try to login :
    $ ssh root@server
 <pre>
 $ <b>ssh root@server</b>
 sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
 Password:
 </pre>
 So we're completely out of luck : authentication doesn't works.
 For comparison, let's try with an NIST P384 key :
    $ ykman openpgp reset
 <pre>
 $ <b>ykman openpgp reset</b>
 WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
 Resetting OpenPGP data, don't remove your YubiKey...
 Success! All data has been cleared and default PINs are set.
 PIN:         123456
 Reset code:  NOT SET
 Admin PIN:   12345678
    $ rm -R .gnupg
    $ rm -R .ssh
    $ gpg --card-edit
 $ <b>rm -R .gnupg</b>
 $ <b>rm -R .ssh</b>
 $ <b>gpg --card-edit</b>
 Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
 Application ID ...: D2760001240103040006152800150000
@ -238,19 +238,19 @@ For comparison, let's try with an NIST P384 key :
 Authentication key: [none]
 General key info..: [none]
    gpg/card> admin
 gpg/card> <b>admin</b>
 Admin commands are allowed
    gpg/card> key-attr
 gpg/card> <b>key-attr</b>
 Changing card key attribute for: Signature key
 Please select what kind of key you want:
   (1) RSA
   (2) ECC
    Your selection? 2
 Your selection? <b>2</b>
 Please select which elliptic curve you want:
   (1) Curve 25519
   (4) NIST P-384
    Your selection? 4
 Your selection? <b>4</b>
 The card will now be re-configured to generate a key of type: nistp384
 Note: There is no guarantee that the card supports the requested size.
      If the key generation does not succeed, please check the
@ -259,25 +259,25 @@ For comparison, let's try with an NIST P384 key :
 Please select what kind of key you want:
   (1) RSA
   (2) ECC
    Your selection? 2
 Your selection? <b>2</b>
 Please select which elliptic curve you want:
   (1) Curve 25519
   (4) NIST P-384
    Your selection? 4
 Your selection? <b>4</b>
 The card will now be re-configured to generate a key of type: nistp384
 Changing card key attribute for: Authentication key
 Please select what kind of key you want:
   (1) RSA
   (2) ECC
    Your selection? 2
 Your selection? <b>2</b>
 Please select which elliptic curve you want:
   (1) Curve 25519
   (4) NIST P-384
    Your selection? 4
 Your selection? <b>4</b>
 The card will now be re-configured to generate a key of type: nistp384
    gpg/card> generate
    Make off-card backup of encryption key? (Y/n) n
 gpg/card> <b>generate</b>
 Make off-card backup of encryption key? (Y/n) <b>n</b>
 Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'
@ -291,25 +291,24 @@ For comparison, let's try with an NIST P384 key :
      <n>y = key expires in n years
 Key is valid for? (0)
 Key does not expire at all
    Is this correct? (y/N) y
 Is this correct? (y/N) <b>y</b>
 GnuPG needs to construct a user ID to identify your key.
    Real name: Dummy
    Email address: dummy@dummy.co
 Real name: <b>Dummy</b>
 Email address: <b>dummy@dummy.co</b>
 Comment:
 You selected this USER-ID:
    "Dummy <dummy@dummy.co>"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <b>o</b>
 gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
 gpg: key BA792909F5154B7A marked as ultimately trusted
 gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
 gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B591751A56B42EA25C8BEF60BA792909F5154B7A.rev'
 public and secret key created and signed.
    gpg/card> list
 gpg/card> <b>list</b>
 Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
 Application ID ...: D2760001240103040006152800150000
@ -343,18 +342,18 @@ For comparison, let's try with an NIST P384 key :
 ssb>  nistp384/062DF688F54D721D  created: 2020-10-05  expires: never     
                                 card-no: 0006 15280015
    gpg/card> quit
 gpg/card> <b>quit</b>
 pub   nistp384 2020-10-05 [SC]
      B591751A56B42EA25C8BEF60BA792909F5154B7A
 uid                      Dummy <dummy@dummy.co>
 sub   nistp384 2020-10-05 [A]
 sub   nistp384 2020-10-05 [E]
    $ ssh-add -L > sshca/id_ecdsa.pub
    $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub
 $ <b>ssh-add -L > sshca/id_ecdsa.pub</b>
 $ <b>ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub</b>
 Signed user key sshca/id_ecdsa-cert.pub: id "test-dummy" serial 0 valid forever
    $ cp sshca/id_ecdsa-cert.pub ~/.ssh/
    $ ssh-keygen -Lf .ssh/id_ecdsa-cert.pub
 $ <b>cp sshca/id_ecdsa-cert.pub ~/.ssh/</b>
 $ <b>ssh-keygen -Lf .ssh/id_ecdsa-cert.pub</b>
 .ssh/id_ecdsa-cert.pub:
        Type: ecdsa-sha2-nistp384-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:N3JmjLOQ5VClsChOlmeyh5a8kF0RCMdAOz1VWde8lwk
@ -370,8 +369,9 @@ For comparison, let's try with an NIST P384 key :
                permit-port-forwarding
                permit-pty
                permit-user-rc
    $ ssh root@server
 $ <b>ssh root@server</b>
 Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
 root@server:~#
 </pre>
 **Authentication is working as expected here !**