YubiKey Setup for SSH
Overview
The YubiKey is a hardware authentication device; combined with a PKCS#11 module (here, OpenSC), it lets external applications such as SSH talk to the PIV application running on the YubiKey.
We can use the YubiKey and the PKCS#11 module to authenticate to servers over SSH. Because the private key lives on the YubiKey rather than on the computer, it cannot be copied off the machine the way a file-based key can. Additionally, when we move to a new computer, we don't need to regenerate the SSH key.
We'll set the PIN of the YubiKey, which follows the two-factor principle of "something we have" (the YubiKey) and "something we know" (the PIN). After the PIN is set, we will generate a key with a touch policy that requires the user to be physically present at the time of each request, self-sign a certificate for it, and finally import that certificate onto the YubiKey.
There are only two things required for the client machine to authenticate using the Yubikey:
- The opensc package
- A single line added to the /etc/ssh_config file
Once set up, the only configuration required on the server is the public SSH key added to the .ssh/authorized_keys file.
Setting Up The YubiKey
Step 1. Install the OpenSC Agent
Step 2. Add the repository for the Yubico Software
Step 3. Install the PIV tool, which we will later use to provision the YubiKey
Step 4. Use the PIV tool to change the PIN from the default '123456' to a PIN of your choice. "PINs" are not limited to numbers; you can use a strong password to increase security.
Step 5. Generate a certificate
Step 6. Self-sign the certificate
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
-S "/CN=SSH key/" -i public.pem -o cert.pem
Replace 123456 with the PIN you set in Step 4, or omit -P entirely and yubico-piv-tool will prompt for the PIN instead of leaving it in your shell history.
Step 7. Import the self-signed certificate
Setting Up Your SSH Client To Work with a YubiKey
Step 1. Add the PKCS#11 provider to the ssh_config file
Step 2. Display the SSH Public key to be stored in the authorized_keys file on remote servers
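The provisioning and client steps above collected into one script, as an added example that is not part of the original page. It assumes yubico-piv-tool and OpenSC are installed, that the OpenSC library path in PKCS11_LIB is correct for your system, and that a touch policy of "always" (touch on every SSH login) is what you want; the YubiKey-touching steps only run when the script is invoked with the argument "provision".

```shell
#!/bin/sh
# Added example: provision a YubiKey PIV slot for SSH and configure the client.
set -eu

PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"  # assumption: adjust to your install
SLOT=9a                                                      # PIV authentication slot used by SSH

# Step 4: replace the factory-default PIN; yubico-piv-tool prompts for old and new PIN
change_pin() { yubico-piv-tool -a change-pin; }

# Step 5: generate the key pair inside the YubiKey. --touch-policy=always means the
# private key will not sign (no SSH login) unless the YubiKey is physically touched.
generate_key() {
  yubico-piv-tool -a generate -s "$SLOT" --touch-policy=always -o public.pem
}

# Step 6: self-sign a certificate for the new key; -P is omitted so the PIN is prompted
selfsign_cert() {
  yubico-piv-tool -a verify-pin -a selfsign-certificate -s "$SLOT" \
    -S "/CN=SSH key/" -i public.pem -o cert.pem
}

# Step 7: load the certificate into the same slot
import_cert() { yubico-piv-tool -a import-certificate -s "$SLOT" -i cert.pem; }

# Client step 1 helpers: the ssh_config line that points SSH at the PKCS#11 module
pkcs11_config_line() { printf 'PKCS11Provider %s\n' "$PKCS11_LIB"; }

# Returns 0 if FILE ($1) already has an uncommented PKCS11Provider line, 1 otherwise
pkcs11_configured() { grep -Eq '^[[:space:]]*PKCS11Provider[[:space:]]' "$1"; }

# Append the provider line to FILE ($1) only when it is missing
ensure_pkcs11_config() {
  pkcs11_configured "$1" || pkcs11_config_line >> "$1"
}

# Client step 2: print the public key to paste into authorized_keys on servers
show_pubkey() { ssh-keygen -D "$PKCS11_LIB"; }

case "${1:-}" in
  provision)
    change_pin; generate_key; selfsign_cert; import_cert
    ensure_pkcs11_config "${2:-/etc/ssh_config}"
    show_pubkey ;;
esac
```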