From 6122fec3c7364906456e1e0e6e838f5a909d47db Mon Sep 17 00:00:00 2001 From: Julien Escario Date: Mon, 5 Oct 2020 12:46:45 +0200 Subject: [PATCH] Ident fixes --- ssh/yubibug.md | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/ssh/yubibug.md b/ssh/yubibug.md index 9e29093..ba75120 100644 --- a/ssh/yubibug.md +++ b/ssh/yubibug.md @@ -11,8 +11,8 @@ Let's try it. For this demo, I'll let the Yubikey generate GnuPG's keys. This is Let's make things clear : - rm -R .gnupg - rm -R .ssh + $ rm -R .gnupg + * rm -R .ssh $ ykman openpgp reset WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y Resetting OpenPGP data, don't remove your YubiKey... @@ -160,17 +160,15 @@ Good, let's start with key generation : sub ed25519 2020-10-05 [A] sub cv25519 2020-10-05 [E] + $ ssh-add -L + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015 - - $ ssh-add -L - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015 - - $ mkdir sshca - $ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca - $ cat sshca/ca.pub - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA - $ ssh-add -L > sshca/id_ed25519.pub - $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub + $ mkdir sshca + $ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca + $ cat sshca/ca.pub + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA + $ ssh-add -L > sshca/id_ed25519.pub + $ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever $ mkdir ~/.ssh $ cp sshca/id_ed25519-cert.pub ~/.ssh/ @@ -201,15 +199,15 @@ Note the line beginning with cert-authority which is not common. For reference, Now, try to login : - $ ssh root@server - sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation + $ ssh root@server + sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation Password: So we're completely out of luck : authentication doesn't works. For comparison, let's try with an NIST P384 key : - $ ykman openpgp reset + $ ykman openpgp reset WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y Resetting OpenPGP data, don't remove your YubiKey... Success! All data has been cleared and default PINs are set. @@ -378,4 +376,4 @@ For comparison, let's try with an NIST P384 key : Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64) root@server:~# -**Authentication is working as expected here !** +**Authentication is working as expected here !**