ssh key auf yubikey - openpgp auf yubikey
Quellen: * Freifunk-Gera * https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html * http://blog.rchapman.org/posts/Import_an_existing_ssh_key_into_Yubikey_NEO_applet
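# Import an existing SSH key into the PIV applet of a YubiKey (slot 9a).
# Lines starting with "# ->" are the tool output seen when the step worked.

# Install the tools (Debian/Ubuntu).
sudo apt-get install yubikey-personalization yubico-piv-tool opensc pcscd

# Arch Linux equivalents:
# pacman -Ss gnupg yubikey-personalization pcsc-tools gnupg-pkcs11-scd
# AUR: download https://aur.archlinux.org/packages/yubico-piv-tool
# makepkg -si --skippgpcheck
#   NOTE: --skippgpcheck turns off PGP verification of the downloaded source;
#   importing the packager's key instead keeps that check in place.
# sudo pacman -S opensc

# Configure the YubiKey mode.
# NOTE(review): presumably -m82 selects a USB mode that exposes the smart-card
# (CCID) interface PIV needs - confirm against the ykpersonalize documentation.
ykpersonalize -m82

# Keep PINs typed on the command line out of the shell history for this session.
unset HISTFILE

# Temporary directory for the key material. The private key sits here in
# clear text until it is removed, so create it readable by the owner only.
mkdir -m 700 ~/tmp_key
cd ~/tmp_key

# Generate the SSH key pair.
# Only RSA 2048 works here (https://github.com/Yubico/yubico-piv-tool/issues/58).
ssh-keygen -t rsa -b 2048 -f id_rsa
openssl rsa -in id_rsa -out id_rsa.pem -outform pem
# On the error
#   Failed to load key id_rsa: invalid format
# use this workaround (https://stackoverflow.com/q/55922319) and repeat the
# failed step afterwards:
ssh-keygen -p -m PEM -f id_rsa

# Import the private key into slot 9a.
yubico-piv-tool -a import-key -s 9a -i id_rsa.pem
# -> Successfully imported a new private key.

# Create a self-signed certificate, authenticating with the factory-default PIN.
ssh-keygen -e -f id_rsa.pub -m PKCS8 > id_rsa.pub.pkcs8
yubico-piv-tool -a verify -P 123456 -a selfsign-certificate -s 9a -S "/CN=joe/O=Test/" -i id_rsa.pub.pkcs8 -o 9a-cert.pem
# -> Successfully verified PIN.
# -> Successfully generated a new self signed certificate.

# Import the certificate.
yubico-piv-tool -a verify -P 123456 -a import-certificate -s 9a -i 9a-cert.pem
# -> Successfully verified PIN.
# -> Successfully imported a new certificate.

# Test.
yubico-piv-tool -a status
# -> Version:
# -> Serial Number:
# -> CHUID: No data available
# -> CCC: No data available
# -> Slot 9a:
# ->   Algorithm: RSA2048
# ->   Subject DN: CN=joe, O=Test
# ->   Issuer DN: CN=joe, O=Test
# ->   Fingerprint: xxx
# ->   Not Before: Feb 8 19:28:41 2021 GMT
# ->   Not After: Feb 8 19:28:41 2022 GMT
# -> PIN tries left: 3

# The imported key still exists as id_rsa and id_rsa.pem in ~/tmp_key. Once the
# status output above looks right, remove those files unless you deliberately
# keep an offline backup, e.g.:
#   shred -u id_rsa id_rsa.pem

# Set the number of PIN / PUK attempts.
# This action resets PIN and PUK to the factory defaults, so it has to run
# before the PIN and PUK are changed below. Every additional attempt is one
# more guess for whoever holds the token; choose the PIN accordingly.
yubico-piv-tool -a verify -P 123456 -a pin-retries --pin-retries 15 --puk-retries 15

# Change the PIN (factory default: 123456).
# Without --pin/--new-pin the tool prompts for both values, so the new PIN
# never shows up in the process list or in the shell history.
yubico-piv-tool -a change-pin

# Change the PUK (factory default: 12345678); prompts in the same way.
yubico-piv-tool -a change-puk

# The management key is not touched by any step above and is therefore still
# the factory default; it is what authorises key and certificate imports, so
# change it as well (yubico-piv-tool action: set-mgm-key).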
ssh yubikey mit scp / sshfs nutzen
# Use the key held on the YubiKey for scp, sshfs and ssh through the PKCS#11
# module. ssh loads the named library into its own process, so always point
# at the absolute path of the copy installed by the distribution package.

# Copy a file to the remote host.
scp -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/libykcs11.so.2 -P <port> <file-to-copy> user@host:/home/user/

# Mount a remote directory.
sshfs -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/libykcs11.so.2 -p <port> user@<host>:/home/user/ /home/user2/mooh/

# Interactive login.
# NOTE(review): this path has no ".2" suffix, unlike the two commands above -
# confirm which file name exists on your system.
ssh -I /usr/lib/x86_64-linux-gnu/libykcs11.so -p <port> user@host
openpgp
einrichten
https://github.com/drduh/YubiKey-Guide#debian-and-ubuntu
#tools installieren
sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization

gpg erkennt den Stick nicht:
* https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG
* https://mutschler.eu/linux/install-guides/fedora-post-install/#yubikey-private-gpg-key

yubico-piv-tool -a status
Failed to connect to yubikey. Try removing and reconnecting the device.
--> https://github.com/Yubico/yubico-piv-tool/issues/180
--> stop pcscd
ssh
https://github.com/drduh/YubiKey-Guide#create-configuration
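# Create the GnuPG home directory. It holds agent sockets and key metadata,
# so restrict it to the owner; gpg warns about unsafe permissions otherwise.
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg

# vim ~/.gnupg/gpg-agent.conf - the file gets the following lines:
#   enable-ssh-support   lets gpg-agent act as the SSH agent
#   default-cache-ttl    seconds a cached passphrase stays valid
#   pinentry-program     terminal PIN prompt
# NOTE(review): for keys held on the card, the card itself may keep the PIN
# verified until it is unplugged or reset, so the TTL might not bound how
# long the key stays usable - confirm.
enable-ssh-support
default-cache-ttl 60
pinentry-program /usr/bin/pinentry-curses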
https://github.com/drduh/YubiKey-Guide#replace-agents
# Set up the agent: make gpg-agent the SSH agent for this shell.

# pinentry needs to know which terminal to draw the PIN prompt on.
GPG_TTY="$(tty)"
export GPG_TTY

# Point ssh at the socket gpg-agent serves instead of a separate ssh-agent.
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK

# Start the agent if it is not running yet.
gpgconf --launch gpg-agent
openvpn key mit yubikey
# Decrypt the OpenVPN configuration with the key on the YubiKey and hand it to
# openvpn through a pipe, so the decrypted file is never written to disk.
gpg --decrypt --armor <encd-keyfiley> | sudo openvpn --config /dev/stdin

# Answers password prompts queued through systemd.
# NOTE(review): presumably run from a second terminal while openvpn is
# waiting for its password - confirm.
sudo systemd-tty-ask-password-agent