@ -11,8 +11,8 @@ Let's try it. For this demo, I'll let the Yubikey generate GnuPG's keys. This is |
|
|
|
|
|
|
|
|
Let's make things clear : |
|
|
Let's make things clear : |
|
|
|
|
|
|
|
|
rm -R .gnupg |
|
|
|
|
|
rm -R .ssh |
|
|
|
|
|
|
|
|
$ rm -R .gnupg |
|
|
|
|
|
* rm -R .ssh |
|
|
$ ykman openpgp reset |
|
|
$ ykman openpgp reset |
|
|
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y |
|
|
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y |
|
|
Resetting OpenPGP data, don't remove your YubiKey... |
|
|
Resetting OpenPGP data, don't remove your YubiKey... |
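Review bot: the prompt markers in the two cleanup lines of this hunk end up inconsistent: `rm -R .gnupg` becomes `$ rm -R .gnupg`, but `rm -R .ssh` becomes `* rm -R .ssh`. The `*` reads like a stray list bullet rather than a shell prompt, so it should probably be `$ rm -R .ssh` to match the line above it and the `$ ykman openpgp reset` that follows. Since both commands wipe the reader's existing GnuPG keyring and SSH keys, it is also worth keeping the "for this demo" framing from the hunk header right next to them so nobody runs them against a real profile.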
|
@ -160,17 +160,15 @@ Good, let's start with key generation : |
|
|
sub ed25519 2020-10-05 [A] |
|
|
sub ed25519 2020-10-05 [A] |
|
|
sub cv25519 2020-10-05 [E] |
|
|
sub cv25519 2020-10-05 [E] |
|
|
|
|
|
|
|
|
|
|
|
$ ssh-add -L |
|
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$ ssh-add -L |
|
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015 |
|
|
|
|
|
|
|
|
|
|
|
$ mkdir sshca |
|
|
|
|
|
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca |
|
|
|
|
|
$ cat sshca/ca.pub |
|
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA |
|
|
|
|
|
$ ssh-add -L > sshca/id_ed25519.pub |
|
|
|
|
|
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub |
|
|
|
|
|
|
|
|
$ mkdir sshca |
|
|
|
|
|
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca |
|
|
|
|
|
$ cat sshca/ca.pub |
|
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA |
|
|
|
|
|
$ ssh-add -L > sshca/id_ed25519.pub |
|
|
|
|
|
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub |
|
|
Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever |
|
|
Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever |
|
|
$ mkdir ~/.ssh |
|
|
$ mkdir ~/.ssh |
|
|
$ cp sshca/id_ed25519-cert.pub ~/.ssh/ |
|
|
$ cp sshca/id_ed25519-cert.pub ~/.ssh/ |
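Review bot: the user certificate is issued with `ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub`, with no `-n` principals list and no `-V` validity interval, which is exactly why the output reads `serial 0 valid forever`: any host trusting this CA will accept the certificate for any account, indefinitely. That is fine for a throw-away demo, but one sentence saying so, or a variant with `-n <login name>` and `-V +1d`, would stop readers from copying an unbounded certificate into a real setup. Similarly, `ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca` leaves the CA private key unencrypted on disk; a short note that a real CA key should be passphrase-protected or kept on a token would help.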
|
@ -201,15 +199,15 @@ Note the line beginning with cert-authority which is not common. For reference, |
|
|
|
|
|
|
|
|
Now, try to login : |
|
|
Now, try to login : |
|
|
|
|
|
|
|
|
$ ssh root@server |
|
|
|
|
|
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation |
|
|
|
|
|
|
|
|
$ ssh root@server |
|
|
|
|
|
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation |
|
|
Password: |
|
|
Password: |
|
|
|
|
|
|
|
|
So we're completely out of luck : authentication doesn't works. |
|
|
So we're completely out of luck : authentication doesn't works. |
|
|
|
|
|
|
|
|
For comparison, let's try with an NIST P384 key : |
|
|
For comparison, let's try with an NIST P384 key : |
|
|
|
|
|
|
|
|
$ ykman openpgp reset |
|
|
|
|
|
|
|
|
$ ykman openpgp reset |
|
|
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y |
|
|
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y |
|
|
Resetting OpenPGP data, don't remove your YubiKey... |
|
|
Resetting OpenPGP data, don't remove your YubiKey... |
|
|
Success! All data has been cleared and default PINs are set. |
|
|
Success! All data has been cleared and default PINs are set. |
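Review bot: two wording fixes in this hunk's prose: "authentication doesn't works" should be "authentication doesn't work", and "an NIST P384 key" should be "a NIST P-384 key". Beyond that, the hunk shows the failure (`sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation`, then a password prompt) and immediately moves on to resetting the YubiKey for the P-384 attempt, without telling the reader why the ed25519 card key could not be used for the certificate; a sentence giving the cause, or pointing to where it is explained later in the post, would make the comparison that follows much easier to follow.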
|
|