@ -105,20 +105,20 @@ Is this correct? (y/N) <b>y</b>
GnuPG needs to construct a user ID to identify your key.
Real name: Dummy
Email address: dummy@dummy.co
Real name: < b > < / b >
Email address: < b > < / b >
Comment:
You selected this USER-ID:
"Dummy < dummy @ dummy . co > "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? < b > < / b >
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key B4A67FB911B1ED6B marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev'
public and secret key created and signed.
gpg/card> list
gpg/card> < b > < / b >
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000
@ -151,26 +151,25 @@ ssb> ed25519/B1B9E83616EF39E7 created: 2020-10-05 expires: never
card-no: 0006 15280015
ssb> cv25519/286C74DF11045D46 created: 2020-10-05 expires: never
card-no: 0006 15280015
gpg/card> quit
gpg/card> < b > < / b >
pub ed25519 2020-10-05 [SC]
A157C7E15F3D6C7445B40626B4A67FB911B1ED6B
uid Dummy < dummy @ dummy . co >
sub ed25519 2020-10-05 [A]
sub cv25519 2020-10-05 [E]
$ ssh-add -L
$ < b > < / b >
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
$ < b > mkdir sshca< / b >
$ < b > ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca< / b >
$ < b > cat sshca/ca.pub< / b >
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
$ < b > < / b >
$ < b > < / b >
Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever
$ mkdir ~/.ssh
$ cp sshca/id_ed25519-cert.pub ~/.ssh/
$ ssh-keygen -Lf .ssh/id_ed25519-cert.pub
$ < b > < / b >
$ < b > < / b >
$ < b > < / b >
.ssh/id_ed25519-cert.pub:
Type: ssh-ed25519-cert-v01@openssh.com user certificate
Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM
@ -190,31 +189,32 @@ $ ssh-keygen -Lf .ssh/id_ed25519-cert.pub
At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory.
You should have something like :
server:~# cat .ssh/authorized_keys
server:~# < b > < / b >
cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
Note the line beginning with cert-authority which is not common. For reference, read "AUTHORIZED_KEYS FILE FORMAT" chapter here : [http://man.he.net/man5/authorized_keys ](http://man.he.net/man5/authorized_keys )
Now, try to login :
$ ssh root@server
< pre >
$ < b > ssh root@server< / b >
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
Password:
< / pre >
So we're completely out of luck : authentication doesn't works.
For comparison, let's try with an NIST P384 key :
$ ykman openpgp reset
< pre >
$ < b > ykman openpgp reset< / b >
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey...
Success! All data has been cleared and default PINs are set.
PIN: 123456
Reset code: NOT SET
Admin PIN: 12345678
$ rm -R .gnupg
$ rm -R .ssh
$ gpg --card-edit
$ < b > rm -R .gnupg< / b >
$ < b > rm -R .ssh< / b >
$ < b > gpg --card-edit< / b >
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000
@ -238,19 +238,19 @@ For comparison, let's try with an NIST P384 key :
Authentication key: [none]
General key info..: [none]
gpg/card> admin
gpg/card> < b > < / b >
Admin commands are allowed
gpg/card> key-attr
gpg/card> < b > < / b >
Changing card key attribute for: Signature key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Your selection? < b > < / b >
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? 4
Your selection? < b > < / b >
The card will now be re-configured to generate a key of type: nistp384
Note: There is no guarantee that the card supports the requested size.
If the key generation does not succeed, please check the
@ -259,25 +259,25 @@ For comparison, let's try with an NIST P384 key :
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Your selection? < b > < / b >
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? 4
Your selection? < b > < / b >
The card will now be re-configured to generate a key of type: nistp384
Changing card key attribute for: Authentication key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 2
Your selection? < b > < / b >
Please select which elliptic curve you want:
(1) Curve 25519
(4) NIST P-384
Your selection? 4
Your selection? < b > < / b >
The card will now be re-configured to generate a key of type: nistp384
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
gpg/card> < b > < / b >
Make off-card backup of encryption key? (Y/n) < b > n< / b >
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
@ -291,25 +291,24 @@ For comparison, let's try with an NIST P384 key :
< n > y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Is this correct? (y/N) < b > < / b >
GnuPG needs to construct a user ID to identify your key.
Real name: Dummy
Email address: dummy@dummy.co
Real name: < b > < / b >
Email address: < b > < / b >
Comment:
You selected this USER-ID:
"Dummy < dummy @ dummy . co > "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? < b > < / b >
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key BA792909F5154B7A marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B591751A56B42EA25C8BEF60BA792909F5154B7A.rev'
public and secret key created and signed.
gpg/card> list
gpg/card> < b > list< / b >
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006152800150000
@ -343,18 +342,18 @@ For comparison, let's try with an NIST P384 key :
ssb> nistp384/062DF688F54D721D created: 2020-10-05 expires: never
card-no: 0006 15280015
gpg/card> quit
gpg/card> < b > < / b >
pub nistp384 2020-10-05 [SC]
B591751A56B42EA25C8BEF60BA792909F5154B7A
uid Dummy < dummy @ dummy . co >
sub nistp384 2020-10-05 [A]
sub nistp384 2020-10-05 [E]
$ ssh-add -L > sshca/id_ecdsa.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub
$ < b > ssh-add -L > sshca/id_ecdsa.pub< / b >
$ < b > ssh-keygen -s sshca/ca -I test-dummy sshca/id_ecdsa.pub< / b >
Signed user key sshca/id_ecdsa-cert.pub: id "test-dummy" serial 0 valid forever
$ cp sshca/id_ecdsa-cert.pub ~/.ssh/
$ ssh-keygen -Lf .ssh/id_ecdsa-cert.pub
$ < b > cp sshca/id_ecdsa-cert.pub ~/.ssh/< / b >
$ < b > ssh-keygen -Lf .ssh/id_ecdsa-cert.pub< / b >
.ssh/id_ecdsa-cert.pub:
Type: ecdsa-sha2-nistp384-cert-v01@openssh.com user certificate
Public key: ECDSA-CERT SHA256:N3JmjLOQ5VClsChOlmeyh5a8kF0RCMdAOz1VWde8lwk
@ -370,8 +369,9 @@ For comparison, let's try with an NIST P384 key :
permit-port-forwarding
permit-pty
permit-user-rc
$ ssh root@server
$ < b > ssh root@server< / b >
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
root@server:~#
< / pre >
**Authentication is working as expected here !**
