Setting up a YubiKey for SSH on Linux

How to set up a YubiKey under Linux and get it working with SSH.



# YUBICO
# https://support.yubico.com/hc/en-us/articles/360016649039-Enabling-the-Yubico-PPA-on-Ubuntu
sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
sudo apt install yubikey-manager
sudo apt install yubikey-personalization-gui
sudo apt install yubico-piv-tool
sudo apt install libpam-yubico
sudo apt install libpam-u2f
# check service
sudo systemctl start pcscd
sudo systemctl enable pcscd
systemctl status pcscd
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
To get yubikey-manager-qt for Ubuntu 20.04/20.10 follow these steps (you will have to
build it yourself):
git clone https://github.com/Yubico/yubikey-manager-qt
cd yubikey-manager-qt
sudo apt install devscripts equivs
sudo mk-build-deps --install --tool=apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes debian/control
fakeroot debian/rules binary
sudo apt install ../yubikey-manager-qt_1.1.5_amd64.deb
# result
/usr/bin/ykman-gui
# currently not working!
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ykman info
Device type: YubiKey 5 Nano
Serial number: 12505402
Firmware version: 5.2.7
Form factor: Nano (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
Applications
FIDO2 Enabled
OTP Enabled
FIDO U2F Enabled
OATH Enabled
YubiHSM Auth Not available
OpenPGP Enabled
PIV Enabled
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
The default PIN code is 123456. The default PUK code is 12345678.
The default 3DES management key (9B) is 010203040506070801020304050607080102030405060708.
# Management key: 48 hex characters (24 bytes, the 3DES key length).
# The character classes must be quoted so the shell does not treat them as globs.
key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -1)
echo ${key}
# without -k the tool authenticates with the factory default management key
yubico-piv-tool -aset-mgm-key -n${key}
# value printed by "echo ${key}" (placeholder shown here, not a real key)
1234567890ASDFASDFASDFASDFASDFASDFASDFASDFASDFAS
# PIN (6 digits) and PUK (8 digits)
pin=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w6 | head -1)
echo ${pin}
puk=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w8 | head -1)
echo ${puk}
# -P is the current (default) code, -N the new one
yubico-piv-tool -achange-pin -P123456 -N${pin}
yubico-piv-tool -achange-puk -P12345678 -N${puk}
# values printed by "echo ${pin}" and "echo ${puk}" (placeholders shown here)
111111
22222222
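The same credential rollover as a script, added here as an example and not taken from the post or from Yubico: it generates the management key, PIN and PUK, checks length and alphabet, and refuses any value that still equals the factory default before the yubico-piv-tool calls run. It assumes only POSIX sh with od, tr, head and grep and /dev/urandom; the yubico-piv-tool invocations are the ones from the post and only run when the script is called with "apply" and a YubiKey is attached.

```shell
#!/bin/sh
# Added example (not from the original post): generate and sanity-check the
# three PIV credentials before handing them to yubico-piv-tool.
set -eu
export LC_ALL=C

# Factory defaults documented by Yubico; a generated value must never equal them.
DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708
DEFAULT_PIN=123456
DEFAULT_PUK=12345678

# 24 random bytes rendered as 48 upper-case hex characters (3DES key length).
gen_mgm_key() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# n random decimal digits; keeping only the ASCII '0'-'9' bytes of the random
# stream leaves every digit equally likely (no modulo bias).
gen_digits() {
    tr -cd '0-9' < /dev/urandom | head -c "$1"
}

gen_pin() { gen_digits 6; }
gen_puk() { gen_digits 8; }

# Validators: exact length, correct alphabet, and not the factory default.
valid_mgm_key() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{48}$' && [ "$1" != "$DEFAULT_MGM_KEY" ]
}
valid_pin() {
    printf '%s' "$1" | grep -Eq '^[0-9]{6}$' && [ "$1" != "$DEFAULT_PIN" ]
}
valid_puk() {
    printf '%s' "$1" | grep -Eq '^[0-9]{8}$' && [ "$1" != "$DEFAULT_PUK" ]
}

# Write the new values to the token with the commands the post uses.
# Without -k yubico-piv-tool authenticates with the default management key,
# which is correct only for a token that is still in factory state.
apply_credentials() {
    key=$(gen_mgm_key); pin=$(gen_pin); puk=$(gen_puk)
    valid_mgm_key "$key" && valid_pin "$pin" && valid_puk "$puk"
    yubico-piv-tool -a set-mgm-key -n "$key"
    yubico-piv-tool -a change-pin -P "$DEFAULT_PIN" -N "$pin"
    yubico-piv-tool -a change-puk -P "$DEFAULT_PUK" -N "$puk"
    printf 'management key: %s\nPIN: %s\nPUK: %s\n' "$key" "$pin" "$puk"
}

if [ "${1:-}" = "apply" ]; then
    apply_credentials
fi
```

Run it as `sh piv-credentials.sh apply` on a token that is still at the defaults; the printed values go into a password manager, since the management key cannot be recovered from the YubiKey afterwards.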
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# check
ls /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
# or locate opensc-pkcs11.so
# if not installed
sudo apt install opensc-pkcs11
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html
# Generate private key
# the Yubico guide uses --touch-policy=never; --touch-policy=cached (touch required, then cached briefly) is the stricter alternative
yubico-piv-tool -s 9a -a generate -o yubi_public.pem -A RSA2048 -S /CN=p@aaa.com/ --pin-policy=once --touch-policy=never -k
# Generate certificate
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key p@aaa.co/" -i yubi_public.pem -o yubi_cert.pem
# Import the certificate to "SSH slot"
yubico-piv-tool -a import-certificate -s 9a -i yubi_cert.pem -k
# export public SSH key
ssh-keygen -D /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
ssh-add -s /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
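A check worth doing before the import-certificate step, added here as an example (it is neither from the post nor from Yubico): confirm that yubi_cert.pem really wraps the public key that the generate step exported, and turn that key into an authorized_keys line for the servers. It assumes openssl and ssh-keygen on PATH; the file names are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a self-signed PIV
# certificate carries the exported public key, and render that key for OpenSSH.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public-key file.
pubkey_digest() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest, taken from the public key embedded in an X.509 certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate carries exactly the exported public key.
cert_matches_key() {
    [ "$(cert_pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]
}

# OpenSSH authorized_keys line built from the PEM public key, with a comment
# naming the token so the entry can be found and revoked later.
authorized_keys_line() {
    ssh-keygen -i -m PKCS8 -f "$1" | awk -v c="$2" '{print $1, $2, c}'
}

# Key type as OpenSSH names it (e.g. ssh-rsa), useful for server policy checks.
authorized_keys_type() {
    authorized_keys_line "$1" x | awk '{print $1}'
}

# usage: sh verify-piv-cert.sh yubi_cert.pem yubi_public.pem
if [ $# -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "certificate matches $2; authorized_keys entry:"
        authorized_keys_line "$2" "yubikey-piv-9a"
    else
        echo "MISMATCH: $1 does not contain the key in $2" >&2
        exit 1
    fi
fi
```

After the import, the line printed by `ssh-keygen -D .../opensc-pkcs11.so` should be identical (apart from the comment) to the authorized_keys line produced here; a difference means the PKCS#11 module is showing a key from another slot or another token.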
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# ssh-agent tips:
# ssh-agent script (the three ssh-add calls were run together on one line in the original)
#!/bin/sh
#export SSH_ASKPASS=/usr/bin/ksshaskpass
export SSH_ASKPASS=/usr/bin/ssh-askpass
# load the file-based key
/usr/bin/ssh-add ${HOME}/.ssh/id_rsa
# remove the PKCS#11 provider if it is already loaded, then add it again
/usr/bin/ssh-add -e /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
/usr/bin/ssh-add -s /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Post added on: 13.01.2023 by user: Dodoslav.