feat(ssh): add ssh section
64
README.md
64
README.md
@@ -129,9 +129,69 @@ YubiKey.
|
|||||||
|
|
||||||
# SSH
|
# SSH
|
||||||
|
|
||||||
## Master Yubikey
|
## Master YubiKey
|
||||||
|
|
||||||
I use Yubico authentificator 7.3.0 to change PIN / PUK and Management Key. I also create certificate in slot 9c of the PIV function with ECCP384 for 10 years (like GPG).
|
I use Yubico authentificator 7.3.0 to change PIN / PUK and Management Key. I also create a certificate in slot 9c of
|
||||||
|
the PIV function with ECCP384 for 10 years (like GPG).
|
||||||
|
|
||||||
|
I change PIN for PIV in Yubico authentificator GUI. It's also possible to do it with `ykman piv access`.
|
||||||
|
|
||||||
|
### Generate a private key for the CA
|
||||||
|
Management Key is requested
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ykman piv keys generate --algorithm ECCP384 9c public-ca.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
### Generate a self-signed certificate for the CA
|
||||||
|
PIN is requested
|
||||||
|
```bash
|
||||||
|
ykman piv certificates generate --subject "CN=SSH CA Klagarge" --valid-days 3650 9c public-ca.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
### Export and add on server
|
||||||
|
Convert to a standard public key
|
||||||
|
```bash
|
||||||
|
ssh-keygen -i -m PKCS8 -f public-ca.pem > ssh_ca_master.pub
|
||||||
|
```
|
||||||
|
`ssh_ca_master.pub` is the public key to put on the server.
|
||||||
|
|
||||||
|
For my use case, I want only 1 user with this method, so, I add a line in the `~/.ssh/authorized_keys` file of the
|
||||||
|
user with the option `cert-authority` to allow this CA to sign SSH key for authentication.
|
||||||
|
```bash
|
||||||
|
cert-authority ecdsa-sha2-nistp384 ...
|
||||||
|
```
|
||||||
|
|
||||||
|
For global use, you can add the following line in `/etc/ssh/sshd_config` of the server after copying the public key
|
||||||
|
in `/etc/ssh/ssh_ca_master.pub` on the server.
|
||||||
|
```bash
|
||||||
|
TrustedUserCAKeys /etc/ssh/ssh_ca_master.pub
|
||||||
|
```
|
||||||
|
Restart sshd when done with: `sudo systemctl restart sshd`
|
||||||
|
|
||||||
|
## Child Keys
|
||||||
|
|
||||||
|
### Create an SSH key
|
||||||
|
Disconnect YubiKey Master and connect YubiKey Keyring (or YubiKey Laptop, but commands need to be adapted).
|
||||||
|
Create a key with options
|
||||||
|
```bash
|
||||||
|
ssh-keygen -t ed25519-sk -O resident -O application=ssh:Klagarge-Keyring -C "YubiKey Keyring" -f ~/.ssh/id_ed25519_sk-keyring
|
||||||
|
```
|
||||||
|
|
||||||
|
- `id_ed25519_sk-keyring` is the private key that stay on the YubiKey (it's a pointer to the key on the YubiKey)
|
||||||
|
- `id_ed25519_sk-keyring.pub` is the standard public key that can be shared and used to sign with the CA
|
||||||
|
|
||||||
|
### Sign it with the CA
|
||||||
|
Now disconnect YubiKey Keyring and connect YubiKey Master to sign the public key with the CA
|
||||||
|
```bash
|
||||||
|
ssh-keygen -D /usr/lib64/libykcs11.so.2 \
|
||||||
|
-s ssh_ca_master.pub \
|
||||||
|
-I "Klagarge-Keyring-2026" \
|
||||||
|
-n remi,root,Klagarge,her \
|
||||||
|
-V +365d \
|
||||||
|
~/.ssh/id_ed25519_sk-keyring.pub
|
||||||
|
```
|
||||||
|
This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate to use for authentication.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|||||||
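Review bot: the principal list `-n remi,root,Klagarge,her` in the signing step issues a single certificate that is valid for `root` as well as the personal accounts, and with the global `TrustedUserCAKeys` variant sshd accepts it for every account named in that list (root still subject to `PermitRootLogin`); consider documenting why `root` is included, or issuing root a separate short-lived certificate, and note that for the `authorized_keys` variant the login name must appear in the certificate's principals (or be granted via a `principals="..."` option on the `cert-authority` line) for the certificate to be accepted. Since `-V +365d` makes the signing step a yearly task, a sentence on renewal and on revocation via `RevokedKeys` (for a lost YubiKey) would complete the section. Two smaller points: the `ssh-keygen -t ed25519-sk` command could mention `-O verify-required` if the PIN should be demanded at every authentication rather than only a touch, and "Yubico authentificator" should read "Yubico Authenticator" (twice).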