feat(ssh): add ssh section
README.md
@@ -129,9 +129,69 @@ YubiKey.
# SSH
## Master Yubikey
## Master YubiKey
I use Yubico authentificator 7.3.0 to change PIN / PUK and Management Key. I also create certificate in slot 9c of the PIV function with ECCP384 for 10 years (like GPG).
I use Yubico authentificator 7.3.0 to change PIN / PUK and Management Key. I also create a certificate in slot 9c of
the PIV function with ECCP384 for 10 years (like GPG).
I change PIN for PIV in Yubico authentificator GUI. It's also possible to do it with `ykman piv access`.
### Generate a private key for the CA
Management Key is requested
```bash
ykman piv keys generate --algorithm ECCP384 9c public-ca.pem
```
### Generate a self-signed certificate for the CA
PIN is requested
```bash
ykman piv certificates generate --subject "CN=SSH CA Klagarge" --valid-days 3650 9c public-ca.pem
```
### Export and add on server
Convert to a standard public key
```bash
ssh-keygen -i -m PKCS8 -f public-ca.pem > ssh_ca_master.pub
```
`ssh_ca_master.pub` is the public key to put on the server.
For my use case, I want only 1 user with this method, so, I add a line in the `~/.ssh/authorized_keys` file of the
user with the option `cert-authority` to allow this CA to sign SSH key for authentication.
```bash
cert-authority ecdsa-sha2-nistp384 ...
```
For global use, you can add the following line in `/etc/ssh/sshd_config` of the server after copying the public key
in `/etc/ssh/ssh_ca_master.pub` on the server.
```bash
TrustedUserCAKeys /etc/ssh/ssh_ca_master.pub
```
Restart sshd when done with: `sudo systemctl restart sshd`
## Child Keys
### Create an SSH key
Disconnect YubiKey Master and connect YubiKey Keyring (or YubiKey Laptop, but commands need to be adapted).
Create a key with options
```bash
ssh-keygen -t ed25519-sk -O resident -O application=ssh:Klagarge-Keyring -C "YubiKey Keyring" -f ~/.ssh/id_ed25519_sk-keyring
```
- `id_ed25519_sk-keyring` is the private key that stay on the YubiKey (it's a pointer to the key on the YubiKey)
- `id_ed25519_sk-keyring.pub` is the standard public key that can be shared and used to sign with the CA
### Sign it with the CA
Now disconnect YubiKey Keyring and connect YubiKey Master to sign the public key with the CA
```bash
ssh-keygen -D /usr/lib64/libykcs11.so.2 \
-s ssh_ca_master.pub \
-I "Klagarge-Keyring-2026" \
-n remi,root,Klagarge,her \
-V +365d \
~/.ssh/id_ed25519_sk-keyring.pub
```
This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate to use for authentication.
---
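Review bot: the principal list in the signing step, `-n remi,root,Klagarge,her`, together with the global `TrustedUserCAKeys /etc/ssh/ssh_ca_master.pub` setting means this single certificate can log in as root (and as every other listed account) on every host that trusts the CA for the full `-V +365d` validity, because with `TrustedUserCAKeys` sshd only requires that the login name appear among the certificate's principals. Suggest restricting `-n` to the accounts the key actually needs, mentioning `AuthorizedPrincipalsFile` for per-host control, and documenting a `RevokedKeys` KRL so a lost YubiKey Keyring can be revoked before the certificate expires, since the section describes no revocation path. Minor: the new text still reads "Yubico authentificator 7.3.0" in both the original and the rewrapped line; the product name is Yubico Authenticator.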