ssh key auf yubikey - openpgp auf yubikey

Quellen:
  * Freifunk-Gera
  * https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html
  * http://blog.rchapman.org/posts/Import_an_existing_ssh_key_into_Yubikey_NEO_applet

# install the tools (Debian/Ubuntu)
sudo apt-get install \
  yubikey-personalization \
  yubico-piv-tool \
  opensc \
  pcscd

# Arch Linux: yubico-piv-tool comes from the AUR
# pacman -Ss gnupg yubikey-personalization pcsc-tools gnupg-pkcs11-scd
# download https://aur.archlinux.org/packages/yubico-piv-tool
# --skippgpcheck skips the source signature check of the AUR build;
# importing the upstream signing key instead keeps that check
# makepkg -si --skippgpcheck
# sudo pacman -S opensc
 
# configure the YubiKey USB mode
# -m82 selects a mode that includes the CCID (smart card) interface, which the
# PIV applet needs -- check `ykpersonalize --help` for the exact mode table
ykpersonalize -m82
 
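# working directory for the key material (the private key is generated here
# before it is moved onto the YubiKey): 0700 so no other local user can read
# it, and remove the files once the import below has succeeded
mkdir -p ~/tmp_key
chmod 700 ~/tmp_key
cd ~/tmp_key || exit 1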
 
# generate the ssh key pair
# only 2048 bit keys can be imported (https://github.com/Yubico/yubico-piv-tool/issues/58)
ssh-keygen -t rsa -b 2048 -f id_rsa

# convert the private key to PEM for the import; this fails with
# "invalid format" when ssh-keygen wrote its own (non-PEM) key format --
# see the workaround below
openssl rsa -in id_rsa -out id_rsa.pem -outform pem
# Fehler
Failed to load key id_rsa: invalid format
 
# workaround: rewrite id_rsa in place in the classic PEM format
# (-p = change passphrase, -m PEM = key format); then rerun the openssl
# conversion above so that id_rsa.pem exists for the import
ssh-keygen -p -m PEM -f id_rsa
# https://stackoverflow.com/q/55922319
 
# import the private key into PIV slot 9a (PIV Authentication, the slot used for ssh)
# the default management key is used unless -k/--key is given
yubico-piv-tool -a import-key -s 9a -i id_rsa.pem
# expected output: Successfully imported a new private key.
 
# create a self-signed certificate with the default PIN (123456)
# NOTE: a PIN passed via -P ends up in the shell history and in `ps` output;
# leave -P out and the tool prompts for it instead
ssh-keygen -e -f id_rsa.pub -m PKCS8 > id_rsa.pub.pkcs8
yubico-piv-tool -a verify -P 123456 -a selfsign-certificate -s 9a -S "/CN=joe/O=Test/" -i id_rsa.pub.pkcs8 -o 9a-cert.pem
Successfully verified PIN.
Successfully generated a new self signed certificate.
 
# import the certificate into slot 9a (the PKCS#11 module finds the key via its certificate)
# -P 123456 is the default PIN; omit -P to be prompted instead of putting it on the command line
yubico-piv-tool -a verify -P 123456 -a import-certificate -s 9a -i 9a-cert.pem
Successfully verified PIN.
Successfully imported a new certificate.
 
# check: lists the slot contents and the remaining PIN tries (sample output below)
yubico-piv-tool -a status
Version:        
Serial Number:  
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     CN=joe, O=Test
        Issuer DN:      CN=joe, O=Test
        Fingerprint:    xxx
        Not Before:     Feb  8 19:28:41 2021 GMT
        Not After:      Feb  8 19:28:41 2022 GMT
PIN tries left: 3
 
 
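# set the PIN/PUK retry counters
# NOTE: pin-retries needs the management key (the default one is used when
# -k is not given) and, per the yubico-piv-tool docs, resets PIN and PUK to
# their defaults (123456 / 12345678) -- so change both afterwards, as done
# below. The factory default is 3 tries; 15 is generous for a 6-digit PIN.
unset HISTFILE   # keep anything typed in this session out of the history file
yubico-piv-tool -a verify -a pin-retries --pin-retries 15 --puk-retries 15

# change the PIN: current and new PIN are prompted for, so they do not show
# up in `ps` output or in the shell history (the old notes passed them via
# --pin/--new-pin on the command line)
yubico-piv-tool -a change-pin

# change the PUK: the current PUK is prompted for, then the new one
yubico-piv-tool -a change-puk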

ssh yubikey mit scp / sshfs nutzen

# scp via the key on the YubiKey: the PKCS#11 module is used for the
# authentication, no private key file is needed on the client
scp -P <port> -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/libykcs11.so.2 <file-to-copy> user@host:/home/user/

# mount a remote directory with sshfs, same PKCS#11 module
sshfs user@<host>:/home/user/ /home/user2/mooh/ -p <port> -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/libykcs11.so.2

# plain ssh: -I takes the PKCS#11 module path
# NOTE: this line uses libykcs11.so while the two above use libykcs11.so.2;
# check which name exists (`ls /usr/lib/x86_64-linux-gnu/libykcs11.so*`)
ssh user@host -I /usr/lib/x86_64-linux-gnu/libykcs11.so -p <port>

openpgp

einrichten

https://github.com/drduh/YubiKey-Guide#debian-and-ubuntu

# install the tools (Debian/Ubuntu), non-interactively
sudo apt install -y \
  wget gnupg2 gnupg-agent dirmngr cryptsetup \
  scdaemon pcscd secure-delete hopenpgp-tools \
  yubikey-personalization

gpg erkennt Stick nicht:
  * https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG
  * https://mutschler.eu/linux/install-guides/fedora-post-install/#yubikey-private-gpg-key


# status check; the error output below is what appeared (see the linked issue)
yubico-piv-tool -a status
Failed to connect to yubikey.
Try removing and reconnecting the device.
--> https://github.com/Yubico/yubico-piv-tool/issues/180
--> stop pcscd

ssh

https://github.com/drduh/YubiKey-Guide#create-configuration

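# create the gpg home directory; 0700 is what gpg expects (otherwise it
# warns about unsafe permissions on the homedir), -p makes this rerunnable
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg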
 
# ~/.gnupg/gpg-agent.conf (edit with vim or similar):
# let gpg-agent also serve as the ssh agent
enable-ssh-support
# seconds a cached passphrase/PIN stays valid
default-cache-ttl 60
# pinentry program used to ask for the PIN on the terminal
pinentry-program /usr/bin/pinentry-curses

https://github.com/drduh/YubiKey-Guide#replace-agents

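# set up the agent: give gpg the terminal for pinentry, point ssh at
# gpg-agent's ssh socket (quoted so a path with spaces survives), start the agent
export GPG_TTY="$(tty)"
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK
gpgconf --launch gpg-agent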

openvpn key mit yubikey

# decrypt the gpg-encrypted openvpn config with the key on the YubiKey and
# feed it to openvpn over stdin, so the plaintext is not written to disk
gpg -d -a <encd-keyfiley> |sudo openvpn /dev/stdin
# presumably answers a password prompt openvpn left pending with systemd -- confirm
sudo systemd-tty-ask-password-agent