diff --git a/README.md b/README.md index fdc98a1..930baeb 100644 --- a/README.md +++ b/README.md 
@@ -129,9 +129,69 @@ YubiKey. # SSH -## Master Yubikey +## Master YubiKey -I use Yubico authentificator 7.3.0 to change PIN / PUK and Management Key. I also create certificate in slot 9c of the PIV function with ECCP384 for 10 years (like GPG). +I use Yubico authentificator 7.3.0 to change PIN / PUK and Management Key. I also create a certificate in slot 9c of +the PIV function with ECCP384 for 10 years (like GPG). + +I change PIN for PIV in Yubico authentificator GUI. It's also possible to do it with `ykman piv access`. + +### Generate a private key for the CA +Management Key is requested + +```bash +ykman piv keys generate --algorithm ECCP384 9c public-ca.pem +``` + +### Generate a self-signed certificate for the CA +PIN is requested +```bash +ykman piv certificates generate --subject "CN=SSH CA Klagarge" --valid-days 3650 9c public-ca.pem +``` + +### Export and add on server +Convert to a standard public key +```bash +ssh-keygen -i -m PKCS8 -f public-ca.pem > ssh_ca_master.pub +``` +`ssh_ca_master.pub` is the public key to put on the server. + +For my use case, I want only 1 user with this method, so, I add a line in the `~/.ssh/authorized_keys` file of the +user with the option `cert-authority` to allow this CA to sign SSH key for authentication. +```bash +cert-authority ecdsa-sha2-nistp384 ... +``` + +For global use, you can add the following line in `/etc/ssh/sshd_config` of the server after copying the public key +in `/etc/ssh/ssh_ca_master.pub` on the server. +```bash +TrustedUserCAKeys /etc/ssh/ssh_ca_master.pub +``` +Restart sshd when done with: `sudo systemctl restart sshd` + +## Child Keys + +### Create an SSH key +Disconnect YubiKey Master and connect YubiKey Keyring (or YubiKey Laptop, but commands need to be adapted). 
+Create a key with options +```bash +ssh-keygen -t ed25519-sk -O resident -O application=ssh:Klagarge-Keyring -C "YubiKey Keyring" -f ~/.ssh/id_ed25519_sk-keyring +``` + +- `id_ed25519_sk-keyring` is the private key that stay on the YubiKey (it's a pointer to the key on the YubiKey) +- `id_ed25519_sk-keyring.pub` is the standard public key that can be shared and used to sign with the CA + +### Sign it with the CA +Now disconnect YubiKey Keyring and connect YubiKey Master to sign the public key with the CA +```bash +ssh-keygen -D /usr/lib64/libykcs11.so.2 \ + -s ssh_ca_master.pub \ + -I "Klagarge-Keyring-2026" \ + -n remi,root,Klagarge,her \ + -V +365d \ + ~/.ssh/id_ed25519_sk-keyring.pub +``` +This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate to use for authentication. ---
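Review bot: the principal list `-n remi,root,Klagarge,her` in the signing command gives the Keyring certificate the `root` principal, so on every host that trusts this CA through `TrustedUserCAKeys` the certificate can authenticate as root (subject only to `PermitRootLogin`); consider leaving `root` out of the everyday certificate, or issuing it in a separate certificate with a much shorter `-V`, and saying so in the text. Before `sudo systemctl restart sshd`, add `sudo sshd -t` so a typo in the edited `sshd_config` is caught before the restart locks you out of the server. Minor points in the same hunk: the `cert-authority ecdsa-sha2-nistp384 ...` block is an `authorized_keys` entry rather than a shell command, so its fence should not be tagged `bash`, and "Yubico authentificator" should read "Yubico Authenticator" in both paragraphs.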