Ident fixes

pull/1/head
Julien Escario 4 years ago
parent
commit
6122fec3c7
  1. 28
      ssh/yubibug.md

@ -11,8 +11,8 @@ Let's try it. For this demo, I'll let the Yubikey generate GnuPG's keys. This is
Let's make things clear : Let's make things clear :
rm -R .gnupg
rm -R .ssh
$ rm -R .gnupg
* rm -R .ssh
$ ykman openpgp reset $ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey... Resetting OpenPGP data, don't remove your YubiKey...
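Review bot: the second rewritten prompt line reads `* rm -R .ssh` while the line above it and every other command in this file use `$ ` as the shell prompt; this looks like a typo introduced by the fix and should be `$ rm -R .ssh`. Since both `rm -R .gnupg` and `rm -R .ssh` wipe the reader's existing GnuPG and SSH material, the sentence above the block ("Let's make things clear") would benefit from saying explicitly that the demo assumes a throwaway account or a fresh VM before those commands are run.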
@ -160,17 +160,15 @@ Good, let's start with key generation :
sub ed25519 2020-10-05 [A] sub ed25519 2020-10-05 [A]
sub cv25519 2020-10-05 [E] sub cv25519 2020-10-05 [E]
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzO7860chQPMw0NuLDhBqZd1IcfIqBnvy4GSbzZd4vu cardno:000615280015
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
$ mkdir sshca
$ ssh-keygen -t ed25519 -N '' -C 'Test CA' -f sshca/ca
$ cat sshca/ca.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAL7l1sQuKe4daLfKGZuiRPZZXquokQyH+p6utlZxZ+ Test CA
$ ssh-add -L > sshca/id_ed25519.pub
$ ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub
Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever Signed user key sshca/id_ed25519-cert.pub: id "test-dummy" serial 0 valid forever
$ mkdir ~/.ssh $ mkdir ~/.ssh
$ cp sshca/id_ed25519-cert.pub ~/.ssh/ $ cp sshca/id_ed25519-cert.pub ~/.ssh/
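Review bot: the `ssh-keygen -s sshca/ca -I test-dummy sshca/id_ed25519.pub` step passes no `-n` principals and no `-V` validity interval, which is why the visible output says `serial 0 valid forever`; for a demo that is acceptable, but a one-line remark that a real CA would restrict principals and validity (e.g. `ssh-keygen -s sshca/ca -I test-dummy -n root -V +1d sshca/id_ed25519.pub`) would stop readers from copying an unrestricted certificate setup. Two smaller points on the same lines: `-N ''` writes the CA private key unencrypted to `sshca/ca`, worth flagging for the same reason, and `ssh-add -L > sshca/id_ed25519.pub` captures every key the agent holds, so the text should note that the agent is expected to contain only the YubiKey key (`cardno:000615280015`) at this point.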
@ -201,15 +199,15 @@ Note the line beginning with cert-authority which is not common. For reference,
Now, try to login : Now, try to login :
$ ssh root@server
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
$ ssh root@server
sign_and_send_pubkey: signing failed for ED25519 "cardno:000615280015": agent refused operation
Password: Password:
So we're completely out of luck : authentication doesn't works. So we're completely out of luck : authentication doesn't works.
For comparison, let's try with an NIST P384 key : For comparison, let's try with an NIST P384 key :
$ ykman openpgp reset
$ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey... Resetting OpenPGP data, don't remove your YubiKey...
Success! All data has been cleared and default PINs are set. Success! All data has been cleared and default PINs are set.
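Review bot: the context line "So we're completely out of luck : authentication doesn't works." has a grammar slip (should be "doesn't work"), and "an NIST P384 key" on the next line should read "a NIST P-384 key"; since this commit is already touching the surrounding block, both could be fixed here. On the transcript itself, the `Password:` prompt after `sign_and_send_pubkey: ... agent refused operation` shows that the test server still accepts password authentication as a fallback; it is worth stating that in the text so readers do not mistake the password prompt for part of the certificate flow.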
