diff --git a/ssh/yubibug.md b/ssh/yubibug.md index dbe3fba..94f83e9 100644 --- a/ssh/yubibug.md +++ b/ssh/yubibug.md @@ -23,171 +23,169 @@ Admin PIN: 12345678 Good, let's start with key generation :
- $ gpg --card-edit - gpg: directory '/home/user/.gnupg' created - gpg: keybox '/home/user/.gnupg/pubring.kbx' created - - Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 - Application ID ...: D2760001240103040006152800150000 - Application type .: OpenPGP - Version ..........: 3.4 - Manufacturer .....: Yubico - Serial number ....: 15280015 - Name of cardholder: [not set] - Language prefs ...: [not set] - Salutation .......: - URL of public key : [not set] - Login data .......: [not set] - Signature PIN ....: not forced - Key attributes ...: rsa2048 rsa2048 rsa2048 - Max. PIN lengths .: 127 127 127 - PIN retry counter : 3 0 3 - Signature counter : 0 - KDF setting ......: off - Signature key ....: [none] - Encryption key....: [none] - Authentication key: [none] - General key info..: [none] - gpg/card> admin - Admin commands are allowed - gpg/card> admin - Admin commands are allowed - - gpg/card> key-attr - Changing card key attribute for: Signature key - Please select what kind of key you want: - (1) RSA - (2) ECC - Your selection? 2 - Please select which elliptic curve you want: +$ gpg --card-edit +gpg: directory '/home/user/.gnupg' created +gpg: keybox '/home/user/.gnupg/pubring.kbx' created + +Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 +Application ID ...: D2760001240103040006152800150000 +Application type .: OpenPGP +Version ..........: 3.4 +Manufacturer .....: Yubico +Serial number ....: 15280015 +Name of cardholder: [not set] +Language prefs ...: [not set] +Salutation .......: +URL of public key : [not set] +Login data .......: [not set] +Signature PIN ....: not forced +Key attributes ...: rsa2048 rsa2048 rsa2048 +Max. 
PIN lengths .: 127 127 127 +PIN retry counter : 3 0 3 +Signature counter : 0 +KDF setting ......: off +Signature key ....: [none] +Encryption key....: [none] +Authentication key: [none] +General key info..: [none] +gpg/card> admin +Admin commands are allowed + +gpg/card> key-attr +Changing card key attribute for: Signature key +Please select what kind of key you want: + (1) RSA + (2) ECC +Your selection? 2 +Please select which elliptic curve you want: + (1) Curve 25519 + (4) NIST P-384 +Your selection? 1 +The card will now be re-configured to generate a key of type: ed25519 +Note: There is no guarantee that the card supports the requested size. + If the key generation does not succeed, please check the + documentation of your card to see what sizes are allowed. +Changing card key attribute for: Encryption key +Please select what kind of key you want: + (1) RSA + (2) ECC +Your selection? 2 +Please select which elliptic curve you want: + (1) Curve 25519 + (4) NIST P-384 +Your selection? 1 +The card will now be re-configured to generate a key of type: cv25519 +Changing card key attribute for: Authentication key +Please select what kind of key you want: + (1) RSA + (2) ECC +Your selection? 2 +Please select which elliptic curve you want: (1) Curve 25519 (4) NIST P-384 - Your selection? 1 + Your selection? 1 The card will now be re-configured to generate a key of type: ed25519 - Note: There is no guarantee that the card supports the requested size. - If the key generation does not succeed, please check the - documentation of your card to see what sizes are allowed. - Changing card key attribute for: Encryption key - Please select what kind of key you want: - (1) RSA - (2) ECC - Your selection? 2 - Please select which elliptic curve you want: - (1) Curve 25519 - (4) NIST P-384 - Your selection? 
1 - The card will now be re-configured to generate a key of type: cv25519 - Changing card key attribute for: Authentication key - Please select what kind of key you want: - (1) RSA - (2) ECC - Your selection? 2 - Please select which elliptic curve you want: - (1) Curve 25519 - (4) NIST P-384 - Your selection? 1 - The card will now be re-configured to generate a key of type: ed25519 - - gpg/card> generate - Make off-card backup of encryption key? (Y/n) n - - Please note that the factory settings of the PINs are - PIN = '123456' Admin PIN = '12345678' - You should change them using the command --change-pin - Please specify how long the key should be valid. - 0 = key does not expire -At this point, you have to copy the CA's public key into your server's authorized_keys file . This can't be done with ssh-copy-id as the CA's key is not loaded into you ssh-agent nor available in the ~/.ssh directory. You should have something like := key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years - Key is valid for? (0) - Key does not expire at all - Is this correct? (y/N) y - - GnuPG needs to construct a user ID to identify your key. - - Real name: Dummy - Email address: dummy@dummy.co - Comment: - You selected this USER-ID: - "Dummy " - - Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O - gpg: /home/user/.gnupg/trustdb.gpg: trustdb created - gpg: key B4A67FB911B1ED6B marked as ultimately trusted - gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created - gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev' - public and secret key created and signed. 
- - gpg/card> list - - Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 - Application ID ...: D2760001240103040006152800150000 - Application type .: OpenPGP - Version ..........: 3.4 - Manufacturer .....: Yubico - Serial number ....: 15280015 - Name of cardholder: [not set] - Language prefs ...: [not set] - Salutation .......: - URL of public key : [not set] - Login data .......: [not set] - Signature PIN ....: not forced - Key attributes ...: ed25519 cv25519 ed25519 - Max. PIN lengths .: 127 127 127 - PIN retry counter : 3 0 3 - Signature counter : 4 - KDF setting ......: off - Signature key ....: A157 C7E1 5F3D 6C74 45B4 0626 B4A6 7FB9 11B1 ED6B - created ....: 2020-10-05 09:45:47 - Encryption key....: 2B46 118B DEB3 4AAC 4951 63DE 286C 74DF 1104 5D46 - created ....: 2020-10-05 09:45:47 - Authentication key: FFE2 8767 DD98 CD3F 587A 19F9 B1B9 E836 16EF 39E7 - created ....: 2020-10-05 09:45:47 - General key info..: - pub ed25519/B4A67FB911B1ED6B 2020-10-05 Dummy - sec> ed25519/B4A67FB911B1ED6B created: 2020-10-05 expires: never - card-no: 0006 15280015 - ssb> ed25519/B1B9E83616EF39E7 created: 2020-10-05 expires: never - card-no: 0006 15280015 - ssb> cv25519/286C74DF11045D46 created: 2020-10-05 expires: never - card-no: 0006 15280015 - gpg/card> quit - pub ed25519 2020-10-05 [SC] - A157C7E15F3D6C7445B40626B4A67FB911B1ED6B - uid Dummy - sub ed25519 2020-10-05 [A] - sub cv25519 2020-10-05 [E] - - $ ssh-add -L - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015 - - $ mkdir sshca - $ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca - $ cat sshca/ca.pub - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA - $ ssh-add -L > sshca/id_ed25519.pub - $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub - Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever - $ mkdir ~/.ssh - $ cp sshca/id_ed25519-cert.pub ~/.ssh/ - $ ssh-keygen -Lf 
.ssh/id_ed25519-cert.pub - .ssh/id_ed25519-cert.pub: - Type: ssh-ed25519-cert-v01@openssh.com user certificate - Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM - Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519) - Key ID: "test-dummy" - Serial: 0 - Valid: forever - Principals: (none) - Critical Options: (none) - Extensions: - permit-X11-forwarding - permit-agent-forwarding - permit-port-forwarding - permit-pty - permit-user-rc +gpg/card> generate +Make off-card backup of encryption key? (Y/n) n + +Please note that the factory settings of the PINs are + PIN = '123456' Admin PIN = '12345678' +You should change them using the command --change-pin + +Please specify how long the key should be valid. + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +Key is valid for? (0) +Key does not expire at all +Is this correct? (y/N) y + +GnuPG needs to construct a user ID to identify your key. + +Real name: Dummy +Email address: dummy@dummy.co +Comment: +You selected this USER-ID: + "Dummy " + +Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O +gpg: /home/user/.gnupg/trustdb.gpg: trustdb created +gpg: key B4A67FB911B1ED6B marked as ultimately trusted +gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created +gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/A157C7E15F3D6C7445B40626B4A67FB911B1ED6B.rev' +public and secret key created and signed. 
+ +gpg/card> list + +Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 +Application ID ...: D2760001240103040006152800150000 +Application type .: OpenPGP +Version ..........: 3.4 +Manufacturer .....: Yubico +Serial number ....: 15280015 +Name of cardholder: [not set] +Language prefs ...: [not set] +Salutation .......: +URL of public key : [not set] +Login data .......: [not set] +Signature PIN ....: not forced +Key attributes ...: ed25519 cv25519 ed25519 +Max. PIN lengths .: 127 127 127 +PIN retry counter : 3 0 3 +Signature counter : 4 +KDF setting ......: off +Signature key ....: A157 C7E1 5F3D 6C74 45B4 0626 B4A6 7FB9 11B1 ED6B + created ....: 2020-10-05 09:45:47 +Encryption key....: 2B46 118B DEB3 4AAC 4951 63DE 286C 74DF 1104 5D46 + created ....: 2020-10-05 09:45:47 +Authentication key: FFE2 8767 DD98 CD3F 587A 19F9 B1B9 E836 16EF 39E7 + created ....: 2020-10-05 09:45:47 +General key info..: +pub ed25519/B4A67FB911B1ED6B 2020-10-05 Dummy +sec> ed25519/B4A67FB911B1ED6B created: 2020-10-05 expires: never + card-no: 0006 15280015 +ssb> ed25519/B1B9E83616EF39E7 created: 2020-10-05 expires: never + card-no: 0006 15280015 +ssb> cv25519/286C74DF11045D46 created: 2020-10-05 expires: never + card-no: 0006 15280015 +gpg/card> quit +pub ed25519 2020-10-05 [SC] + A157C7E15F3D6C7445B40626B4A67FB911B1ED6B +uid Dummy +sub ed25519 2020-10-05 [A] +sub cv25519 2020-10-05 [E] + +$ ssh-add -L +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015 + +$ mkdir sshca +$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca +$ cat sshca/ca.pub +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA +$ ssh-add -L > sshca/id_ed25519.pub +$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub +Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever +$ mkdir ~/.ssh +$ cp sshca/id_ed25519-cert.pub ~/.ssh/ +$ ssh-keygen -Lf .ssh/id_ed25519-cert.pub +.ssh/id_ed25519-cert.pub: + 
Type: ssh-ed25519-cert-v01@openssh.com user certificate + Public key: ED25519-CERT SHA256:fuoQ5RdcNRAj0VAyw/vqA584nNW2HMYNGk4NQEFjTSM + Signing CA: ED25519 SHA256:2PibPv047BiDZQgl51bKRnY2ZXpcbAP1g7GjAZ0DArI (using ssh-ed25519) + Key ID: "test-dummy" + Serial: 0 + Valid: forever + Principals: (none) + Critical Options: (none) + Extensions: + permit-X11-forwarding + permit-agent-forwarding + permit-port-forwarding + permit-pty + permit-user-rc
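Review bot: the re-indented transcript still carries the angle-bracket losses of the old block, so it should be fenced or escaped rather than only de-indented: `+ = key expires in n days` has lost its placeholder and should read `<n> = key expires in n days`, and the selected user ID `"Dummy "` should be `"Dummy <dummy@dummy.co>"` given the empty Comment (the later `pub ed25519/B4A67FB911B1ED6B 2020-10-05 Dummy` line is missing the same address). Wrapping the whole session in a ```text fence, or escaping `<` as `&lt;`, keeps those placeholders from being swallowed on render. Dropping the duplicated `gpg/card> admin` / `Admin commands are allowed` pair is correct. One documentation point: the walkthrough answers `n` to the off-card backup prompt, creates the CA with `-N ''`, and signs with `-I test-dummy` and no `-n` principals or `-V` validity, which is why the listing ends with `Principals: (none)` and `Valid: forever`; a sentence saying these are throwaway test settings (the encryption key cannot be recovered if the card is lost, and a real CA would set principals and a validity window) would help anyone copying the steps.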