Notes to myself about YubiKeys
There are three ways to use a YubiKey as an SSH key.
- OpenPGP - this is fairly reliable, and can even be used from an Android phone using TermBot. Under Linux, gpg-agent needs to be used instead of ssh-agent. Some notes later about using this in parallel to ssh-agent.
- FIDO - As of OpenSSH 8.2, "security key" keys are also supported. These are suffixed with "sk" and require server support. Their implementation effectively ensures 2FA.
- PIV - Using a custom PKCS11 extension for ssh-agent.
Interoperability
OpenPGP keys are accessed through an emulated CCID interface. If you are using GPG anyway, it makes sense to make an RSA 2048 key on your YubiKey. FIDO keys aren't quite there yet in terms of support - even CentOS 8 Stream doesn't include a version of OpenSSH newer than 8.2 yet.
An ECDSA PIV key can be accessed via either the PKCS11 or the OpenPGP interface, which may make it one of the better choices.
Generating keys
OpenPGP
$ gpg --card-edit
gpg/card> key-attr
Changing card key attribute for: Signature key
Please select what kind of key you want:
   (1) RSA
   (2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
gpg/card> generate
...
FIDO2
$ ssh-keygen -t ed25519-sk ...
PIV
$ ykman piv keys generate -a ECCP384 --touch-policy never 9a public.pem
$ ykman piv certificates generate -s "SSH Key" -d $(( 365 * 5 )) -a SHA512 9a public.pem
You can set the touch-policy to always if you want, but this will get annoying if you are running things like Ansible playbooks across a number of hosts.
Note: As of version 2.3.0 of yubico-piv-tool/libykcs11, PIV authentication via NFC should just work! Which is awesome because my key's contacts were wearing out 😅.
Using the keys
In order to allow me to easily switch between gpg-agent and ssh-agent, I have the following in my .bashrc file.
function g () {
    # Run a single command with SSH_AUTH_SOCK pointing at gpg-agent
    # rather than the default ssh-agent. "$@" is quoted so arguments
    # containing spaces are passed through intact.
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) "$@"
}
# XFCE starts an ssh-agent automatically, with its address in /tmp,
# but for some reason this prevents PIV PKCS11 plugins from being
# loaded.
[ ! -S "$HOME/.ssh/ssh-agent" ] && eval "$(ssh-agent -a "$HOME/.ssh/ssh-agent")"
export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent"
function piv () {
    # Unload the PKCS11 provider if it is already loaded, then load it again.
    ssh-add -e /usr/lib64/libykcs11.so 2> /dev/null
    ssh-add -s /usr/lib64/libykcs11.so
}
gpgconf --launch gpg-agent
If you decided to use FIDO, you can pull those keys in with
$ ssh-add -K
My YubiKey has been set up with OpenPGP, FIDO and PIV keys. Example:
[aaron@carbon ~]$ g ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN7w0golW9xPJ63M7LutyxOYEPoNYPC7KOgkfiAKsSxgjFWCRpvhbWJyP8D3QiZaqf7fnyQsFEzlSx4a+IyER7wAV2/rsseJcsvhxbH/dE8o72sxFpGN6N1jqpVdvKyiqR20g0r+OOdO07eSnZ06tG51FJUbqVSMGOEh7T8g8wwMZ6g+FAxN4Csih8ov9OGyksHv1AH/Movx9d/EzHrekM/gu2i4/rwQSFydZXLXF99rJVbnTNFOs0FmrQC3Xv2BpyxG/AW8RpaIA4lbxIYEPgx0gk5OEehrO1AkSjzXK7HL2qApxn8CJv5oKMCV2iAZrO92ccjNdt8V7OIOg/tCgF cardno:16 134 538
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJNyvJg5DxGRdhRmvN2amr8bhcBlH0Km8VbbPxYXfoUp2YfxTlRsZZDdwru3SXcS6GKr5bjLIA7+v5qiTRJS8pwzdfNfO7K4jbTaM+IWb7NCU+H51DM8LFptLUylLLG3hw== cardno:16 134 538
[aaron@carbon ~]$
[aaron@carbon ~]$ ssh-add -L
The agent has no identities.
[aaron@carbon ~]$ ssh-add -K
Enter PIN for authenticator:
Resident identity added: ED25519-SK SHA256:zSOC7nGCvJ6weSUvzIl1HXcRW1qI5lpH+JD6pzTT/HM
[aaron@carbon ~]$ ssh-add -L
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIN/J6zLB7iDWi71aD9Gx9xlCUKCyk7Bl6qR+ZJKQCxHsAAAABHNzaDo=
[aaron@carbon ~]$
[aaron@carbon ~]$ piv
Enter passphrase for PKCS#11:
Card added: /usr/lib64/libykcs11.so
[aaron@carbon ~]$ ssh-add -L
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIN/J6zLB7iDWi71aD9Gx9xlCUKCyk7Bl6qR+ZJKQCxHsAAAABHNzaDo=
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJNyvJg5DxGRdhRmvN2amr8bhcBlH0Km8VbbPxYXfoUp2YfxTlRsZZDdwru3SXcS6GKr5bjLIA7+v5qiTRJS8pwzdfNfO7K4jbTaM+IWb7NCU+H51DM8LFptLUylLLG3hw== Public key for PIV Authentication
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTN0lYaeRosTxFv5M/uJJ9+ElX1IkSnYx7hBx9WJ2AerIh2jSWu4GTr1EXWeuZLeL4bXLJSH/KYA9mRxAKmazQTbcOaG57VVGkF51yxW07/FKt+7SoBZOyWn+TnuvLq+SJ2tBTVzGXYqh0fcpOadmZqyRAPx4a3FfByYs6aEp6boZKqE3/dDOdoOFmZVQC9QpI5ojM7Gfa7WYMeEbBoeFHt2SWwPA3uieLhZZfUYle3OkHyPomGirKpfBJur5yTng9/NSg4V3/bIrIVENedC/Ns0vv5p9vEFBAzHGjV7bgM0T9yn4rT15PsaHVStqjqZ5pKyw3hpUV+aSELY1qkYox Public key for PIV Attestation
[aaron@carbon ~]$
Notice that the ecdsa key is accessible via both PIV and GPG. This is my preferred key, but I tend to add the RSA key also. The attestation RSA key is not suitable for SSH authentication (as far as I know).
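The comments in the listings differ ("cardno:16 134 538" versus "Public key for PIV Authentication"), so the reliable way to see that both agents offer the same key is to compare the key blobs. The following is an added example, not part of the original notes: it decodes the SSH wire format of `ssh-add -L` lines, computes the SHA256 fingerprint, and reports keys offered by more than one agent. The ECDSA and FIDO lines are copied from the session above; the function names and the LISTINGS layout are illustrative.

```python
import base64
import hashlib
import struct

# Key lines copied from the `ssh-add -L` output on this page (RSA keys omitted).
ECDSA = "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJNyvJg5DxGRdhRmvN2amr8bhcBlH0Km8VbbPxYXfoUp2YfxTlRsZZDdwru3SXcS6GKr5bjLIA7+v5qiTRJS8pwzdfNfO7K4jbTaM+IWb7NCU+H51DM8LFptLUylLLG3hw=="
SK = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIN/J6zLB7iDWi71aD9Gx9xlCUKCyk7Bl6qR+ZJKQCxHsAAAABHNzaDo="
LISTINGS = {  # agent name -> lines that agent printed
    "gpg-agent": [ECDSA + " cardno:16 134 538"],
    "ssh-agent": [SK, ECDSA + " Public key for PIV Authentication"],
}

def wire_fields(blob):
    """Split an SSH public-key blob into its uint32-length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if n > len(blob) - off:
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def describe(line):
    """Parse one `ssh-add -L` line; reject a type label that disagrees with the blob."""
    key_type, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64, validate=True)
    fields = wire_fields(blob)
    if fields[0].decode("ascii") != key_type:
        raise ValueError("type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": key_type,
        "comment": rest[0] if rest else "",
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        # FIDO ("sk-") blobs end with the application string, "ssh:" by default
        "application": fields[-1].decode() if key_type.startswith("sk-") else None,
    }

def shared_keys(listings):
    """Return {fingerprint: sorted agents} for keys offered by more than one agent."""
    seen = {}
    for agent, lines in listings.items():
        for line in lines:
            seen.setdefault(describe(line)["fingerprint"], set()).add(agent)
    return {fp: sorted(a) for fp, a in seen.items() if len(a) > 1}
```

Calling `shared_keys(LISTINGS)` returns one entry, the ECDSA key, listed under both gpg-agent and ssh-agent; the FIDO key appears only under ssh-agent.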