altinea
/
install-scripts
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

Ident fixes

pull/1/head
Julien Escario 4 years ago
parent
31b1144db6
commit
6122fec3c7
1 changed files with 14 additions and 16 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 30
      ssh/yubibug.md

30
ssh/yubibug.md
View File

@ -11,8 +11,8 @@ Let's try it. For this demo, I'll let the Yubikey generate GnuPG's keys. This is
Let's make things clear : Let's make things clear :
rm -R .gnupg
rm -R .ssh
$ rm -R .gnupg
* rm -R .ssh
$ ykman openpgp reset $ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey... Resetting OpenPGP data, don't remove your YubiKey...
@ -160,17 +160,15 @@ Good, let's start with key generation :
sub ed25519 2020-10-05 [A] sub ed25519 2020-10-05 [A]
sub cv25519 2020-10-05 [E] sub cv25519 2020-10-05 [E]
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever
$ mkdir ~/.ssh $ mkdir ~/.ssh
$ cp sshca/id_ed25519-cert.pub ~/.ssh/ $ cp sshca/id_ed25519-cert.pub ~/.ssh/
@ -201,15 +199,15 @@ Note the line beginning with cert-authority which is not common. For reference,
Now, try to login : Now, try to login :
$ ssh root@server
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
$ ssh root@server
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
Password: Password:
So we're completely out of luck : authentication doesn't works. So we're completely out of luck : authentication doesn't works.
For comparison, let's try with an NIST P384 key : For comparison, let's try with an NIST P384 key :
$ ykman openpgp reset
$ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey... Resetting OpenPGP data, don't remove your YubiKey...
Success! All data has been cleared and default PINs are set. Success! All data has been cleared and default PINs are set.
@ -378,4 +376,4 @@ For comparison, let's try with an NIST P384 key :
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64) Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
root@server:~# root@server:~#
**Authentication is working as expected here !**
**Authentication is working as expected here !**
Write Preview
Loading…
Cancel
Save