Ident fixes

Julien Escario 4 years ago
parent
commit
6122fec3c7
30
ssh/yubibug.md

@ -11,8 +11,8 @@ Let's try it. For this demo, I'll let the Yubikey generate GnuPG's keys. This is
Let's make things clear :
rm -R .gnupg
rm -R .ssh
$ rm -R .gnupg
* rm -R .ssh
$ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey...
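Review bot: the second cleanup command in the replacement lines reads `* rm -R .ssh`, with `*` where the line above it uses the `$` prompt; a leading `* ` can also render as a list item in Markdown. Change it to `$ rm -R .ssh`. Both `rm -R` commands use relative paths, so a short line saying they are run from the home directory (the doc uses `~/.ssh` further down) would make the intended target unambiguous.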
@ -160,17 +160,15 @@ Good, let's start with key generation :
sub ed25519 2020-10-05 [A]
sub cv25519 2020-10-05 [E]
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever
$ mkdir ~/.ssh
$ cp sshca/id_ed25519-cert.pub ~/.ssh/
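Review bot: the signing command `ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub` sets neither `-n` (principals) nor `-V` (validity), and the output confirms `valid forever`. Together with the CA key created with `-N ''` (no passphrase), that deserves one sentence in the doc marking this as a throwaway test CA, so the commands are not copied into real use as they stand. Separately, `ssh-add -L` prints every key the agent holds, so `ssh-add -L > sshca/id_ed25519.pub` assumes the card key is the only identity loaded; say so, or filter on the `cardno:` comment.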
@ -201,15 +199,15 @@ Note the line beginning with cert-authority which is not common. For reference,
Now, try to login :
$ ssh root@server
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
$ ssh root@server
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
Password:
So we're completely out of luck : authentication doesn't works.
For comparison, let's try with an NIST P384 key :
$ ykman openpgp reset
$ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey...
Success! All data has been cleared and default PINs are set.
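Review bot: the context line `So we're completely out of luck : authentication doesn't works.` should read "doesn't work"; since this commit already touches the lines around it, fix it here. The failed login also falls through to a `Password:` prompt for root, so the doc could state that the test server still accepts password authentication for root and that this is a property of the demo setup, not part of the bug being shown.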
@ -378,4 +376,4 @@ For comparison, let's try with an NIST P384 key :
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
root@server:~#
**Authentication is working as expected here !**
**Authentication is working as expected here !**
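Review bot: the closing line `**Authentication is working as expected here !**` does not name the key type, and the two visible copies of it are identical, so the change is presumably whitespace only. While touching it, consider making the result explicit, for example "Authentication works with the NIST P384 key", so the contrast with the ed25519 failure earlier in the file is stated in the result line itself.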