forked from sandstorm/Sandstorm.YubiKeyProvisioner
-
Notifications
You must be signed in to change notification settings - Fork 0
/
OLD_BACKUP.txt
162 lines (102 loc) · 5.16 KB
/
OLD_BACKUP.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
# 1. disable OTP passwords when touching yubikey
brew install ykman
# insert yubikey into PC
# show available interfaces:
ykman mode
# enable all interfaces except OTP, e.g.:
ykman mode FIDO+CCID
# 2. re-insert yubikey; now when touching yubikey, nothing will happen
# (instead of OTP token being typed)
# 3. install ykpiv-ssh-agent-helper (also containing yubico-piv-tool) from
# https://github.com/sandstorm/ykpiv-ssh-agent-helper/releases
# 4. set management key to the company-wide management key
# which is found in team internal vault: "Yubikey Management Key"
/opt/yubico-piv-tool/bin/yubico-piv-tool -a set-mgm-key --touch-policy=always
#or
ykman piv change-management-key --touch
# 5. set PIN and PUK tries to 3. If asked for PIN, it is "123456" by default.
# while running this command, you have to TOUCH YOUR YUBIKEY
/opt/yubico-piv-tool/bin/yubico-piv-tool -a verify -a pin-retries --pin-retries 3 --puk-retries 3 -k
#or
ykman piv set-pin-retries 3 3
# 6. generate a new PUK and store it in your PERSONAL vault.
# Also store the Serial Number of your YubiKey
# A PUK must be 8 ASCII characters; alphanumeric characters are allowed!
# The default PUK (which is asked for) is "12345678"
/opt/yubico-piv-tool/bin/yubico-piv-tool -a change-puk
#or
ykman piv change-puk
# 7. generate a PIN and store it in the keychain.
# (optional) Store it in your PERSONAL vault
ykpiv-ssh-agent-helper --reset-pin
#or
ykman piv change-pin
# 8. generate private key on yubikey to be used for SSH
# while running this command, you have to TOUCH YOUR YUBIKEY.
#
# NOTE: we always require a touch for every key interaction!
# NOTE: We are NOT allowed to use --pin-policy=always, as this breaks ykpiv-ssh-agent-helper
/opt/yubico-piv-tool/bin/yubico-piv-tool -s 9a -a generate -o public.pem -k --touch-policy=always
# or
ykman piv generate-key --touch-policy CACHED --pin-policy ONCE 9a public.pem
# 9. generate self-signed certificate for that key
# while running this command, you have to TOUCH YOUR YUBIKEY.
#
# NOTE: we take an expiry time of 10 years; as we cannot change this later.
/opt/yubico-piv-tool/bin/yubico-piv-tool -a verify-pin -a selfsign-certificate \
-s 9a -S "/CN=SSH for FIRSTNAME LASTNAME/" -i public.pem -o cert.pem --valid-days=3650
#or
ykman piv generate-certificate -d 3650 -s "/CN=SSH for FIRSTNAME LASTNAME/" 9a public.pem
# 10. import the certificate again to the yubikey
# while running this command, you have to TOUCH YOUR YUBIKEY
/opt/yubico-piv-tool/bin/yubico-piv-tool -a import-certificate -s 9a -i cert.pem -k
# 11. extract public SSH key
# NOTE: shows the error "C_GetAttributeValue failed: 18"; can be ignored
echo `ssh-keygen -D /usr/local/lib/libykcs11.dylib -e` `whoami`@YubiKey > `whoami`.yubikey.pub
# 12. reload SSH agent helper
ykpiv-ssh-agent-helper -r
# 13. in the upcoming confirmation dialog, choose "Always allow" and
# confirm by entering your system password
# now start using the new public ssh key
# and register your YubiKey at auth.sandstorm.de
# for Firefox enable U2F support
Troubleshooting
Falls der Yubikey nach der Einrichtung nicht funktioniert (Fehler z.B. Access denied, public key):
# check that the yubikey ssh key is registered with ssh-agent
# (should show an ssh-rsa key ending with /usr/local/lib/libykcs11.dylib)
ssh-add -L
# add it if it is missing
# (use your YubiKey PIN as passphrase)
ssh-add -s /usr/local/lib/libykcs11.dylib
# if you get the error that "Could not add card "/usr/local/lib/libykcs11.dylib":
# agent refused operation"
# then kill the ssh-agent first
# !!! and unplug and replug your yubikey !!!
# reference: https://ruimarinho.gitbooks.io/yubikey-handbook/content/ssh/authenticating-ssh-with-piv-and-pkcs11-client/troubleshooting.html
# run the following command and retry to add the yubikey identity
pkill ssh-agent
Falls der YubiKey zwar da ist, aber trotzdem nicht funktioniert, könnte die PIN vom SSH–Agent in der KeyChain falsch sein.
# 1) probably fails due to blocked PIN (otherwise go to step 4)
ykpiv-ssh-agent-helper --reset-pin
# 2) unblock PIN and set to "123456"
/opt/yubico-piv-tool/bin/yubico-piv-tool -a unblock-pin
# 3) update PIN and KeyChain
ykpiv-ssh-agent-helper --reset-pin
# 4) restart agent (regardless of --help no PIN reset)
ykpiv-ssh-agent-helper -r
Falls der ssh-add nicht geht wegen agent refused operation, kann das an einer internen Whitelist liegen. Die Datei /usr/local/lib/opensc-pkcs11.so darf kein Symlink sein! Ansonsten löschen und durch Ziel ersetzen.
ls -l /usr/local/lib/opensc-pkcs11.so
Falls der YubiKey da ist und nicht funktioniert, kann dies daran liegen, dass der SSH-Agent keine Identitäten hat (ssh-add -L liefert The agent has no identities. als Antwort).
# 1) pkill ssh-agent
# 2) ykpiv-ssh-agent-helper -r
Bei erneuter Eingabe von ssh-add -L sollte ein langer SSH-RSA Hash als Antwort kommen.
Debugging Logs vom ssh-agent
# start ssh-agent in debugging mode
killall -KILL ssh-agent
ssh-agent -d
# export SSH_AUTH_SOCK in another terminal
# retry e.g. ssh-add
# read error log from prior console
OS X System Logs (very verbose)
# CMD + Space, "Console", Enter
# search for "ykpiv-ssh-agent-helper", "securityd" and "ssh-agent"