Privileged access using Yubikeys
yubico-piv-tool is needed initially to setup your yubico device. yubico-piv-tool is available with most Linux distributions. It is included in EPEL on RHEL systems. You can also download it using the below link.
https://developers.yubico.com/yubico-piv-tool/Releases/
1. Change PIN
The PIN must be between 6 and 8 characters long, and it can be any type of alphanumeric character.
The default PIN code is 123456.It is important that the default PIN code is changed.
yubico-piv-tool -a change-pin2. Change PUK
The PUK must be between 6 and 8 characters long, and it can be any type of alphanumeric character.
The default PUK code is 12345678. It is important that the default PUK code is changed.
yubico-piv-tool -a change-puk 3. Change Management Key
The default management key is 010203040506070801020304050607080102030405060708.
key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -1)
echo ${key}
yubico-piv-tool -aset-mgm-key -k4. Generate Keys
yubico-piv-tool -a generate -a verify-pin -a selfsign -a import-certificate -s 9a -k -A RSA2048 --valid-days=3650 -S "/CN=piv_auth/OU=yubikey/O=bnl.gov/" --pin-policy="once"5. Export SSH public key
yubico-piv-tool --action=read-certificate --slot=9a --key-format=SSH6. Export Attestation Certificate
yubico-piv-tool --action=attest --slot=9a7. Export Signing Certificate
yubico-piv-tool --action=read-certificate --slot=f9
Please send output of Step 5 , 6 and 7 to gateway admins.
To Authenticate
On Unix based systems -
Authenticate to the target system using the new key:
ssh -I XXX/libykcs11.so user@remote.example.comThis can also be set up to work with ssh-agent:
ssh-add -s XXX/libykcs11.so
On Windows systems use Putty-cac binaries, see below link.
https://github.com/NoMoreFood/putty-cac/tree/master/binaries
Putty -> Connection -> SSH -> Certificate -> Set Capi Cert
Useful links
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction…
https://developers.yubico.com/PIV/Introduction/Admin_access.html