Privileged access using Yubikeys
yubico-piv-tool is needed initially to set up your YubiKey. yubico-piv-tool is available with most Linux distributions; it is included in EPEL on RHEL systems. You can also download it from the link below.
https://developers.yubico.com/yubico-piv-tool/Releases/
1. Change PIN
The PIN must be between 6 and 8 characters long and may consist of any alphanumeric characters.
The default PIN code is 123456. It is important that the default PIN code is changed.
yubico-piv-tool -a change-pin
2. Change PUK
The PUK must be between 6 and 8 characters long and may consist of any alphanumeric characters.
The default PUK code is 12345678. It is important that the default PUK code is changed.
yubico-piv-tool -a change-puk
3. Change Management Key
The default management key is 010203040506070801020304050607080102030405060708. It must be replaced with a random 24-byte (48 hex digit) key; record the new key somewhere safe, since it is required for every later key-management operation on the device.
key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -n 1)
echo "${key}"
yubico-piv-tool -a set-mgm-key -k --new-key="${key}"
4. Generate Keys
yubico-piv-tool -a generate -a verify-pin -a selfsign -a import-certificate -s 9a -k -A RSA2048 --valid-days=3650 -S "/CN=piv_auth/OU=yubikey/O=bnl.gov/" --pin-policy="once"
5. Export SSH public key
yubico-piv-tool --action=read-certificate --slot=9a --key-format=SSH
6. Export Attestation Certificate
yubico-piv-tool --action=attest --slot=9a
7. Export Signing Certificate
yubico-piv-tool --action=read-certificate --slot=f9
Please send the output of Steps 5, 6 and 7 to the gateway admins.
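The seven steps above, as one added example script (this is not part of the original page and not Yubico's own tooling). It wraps the page's commands in functions and adds the two checks a practitioner wants before touching the device: the generated management key must be exactly 48 hex digits and must not still be the factory default. It also shows the gateway-admin side of Steps 5 to 7: verifying that the attestation statement chains through the slot f9 certificate to Yubico's PIV attestation root, and that the submitted SSH public key is the key inside that attestation. The file names (9a_ssh.pub, attest_9a.pem, f9.pem) and the root CA path piv-attestation-ca.pem are assumptions; the device-touching functions run only when the script is invoked with the "provision" or "verify" argument.

```shell
#!/bin/sh
# Added example: YubiKey PIV provisioning for SSH, with sanity checks.
# Not part of the original page. Assumes yubico-piv-tool, openssl and ssh-keygen
# are on PATH and that Yubico's PIV attestation root CA has been saved locally.

DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708
SLOT=9a
SUBJECT="/CN=piv_auth/OU=yubikey/O=bnl.gov/"

# Step 3 helper: 24 random bytes rendered as 48 uppercase hex digits
# (same pipeline as the page).
gen_mgm_key() {
    ( export LC_CTYPE=C
      dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' \
        | fold -w48 | head -n 1 )
}

# Returns 0 only when the key is exactly 48 hex digits AND is not the factory default.
is_valid_mgm_key() {
    case $1 in
        "$DEFAULT_MGM_KEY") return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{48}$'
}

# Steps 1-4: interactive; yubico-piv-tool prompts for PIN, PUK and (bare -k)
# the current management key.
provision() {
    yubico-piv-tool -a change-pin
    yubico-piv-tool -a change-puk
    new_key=$(gen_mgm_key)
    is_valid_mgm_key "$new_key" || { echo "refusing to use a bad management key" >&2; return 1; }
    echo "New management key (store it in your password manager): $new_key"
    yubico-piv-tool -a set-mgm-key -k --new-key="$new_key"
    yubico-piv-tool -a generate -a verify-pin -a selfsign -a import-certificate \
        -s "$SLOT" --key="$new_key" -A RSA2048 --valid-days=3650 \
        -S "$SUBJECT" --pin-policy=once
}

# Steps 5-7: the three artefacts the gateway admins need (assumed file names).
export_artifacts() {
    yubico-piv-tool --action=read-certificate --slot="$SLOT" --key-format=SSH > "${SLOT}_ssh.pub"
    yubico-piv-tool --action=attest --slot="$SLOT" > "attest_${SLOT}.pem"
    yubico-piv-tool --action=read-certificate --slot=f9 > f9.pem
}

# Gateway-admin side: $1 = Yubico PIV attestation root (piv-attestation-ca.pem, assumed
# path), $2 = f9.pem, $3 = attest_9a.pem, $4 = 9a_ssh.pub.
# 1. The attestation statement must chain: root -> f9 (intermediate) -> statement.
# 2. The SSH key the user sent must equal the public key inside the statement,
#    otherwise the key being enrolled is not the one proven to live on the YubiKey.
verify_submission() {
    ca=$1; f9=$2; attest=$3; sshpub=$4
    openssl verify -CAfile "$ca" -untrusted "$f9" "$attest" || return 1
    expected=$(openssl x509 -in "$attest" -pubkey -noout | ssh-keygen -i -m PKCS8 -f /dev/stdin)
    # Compare key type and base64 blob only; the comment field is free text.
    [ "$(cut -d' ' -f1-2 "$sshpub")" = "$(printf '%s' "$expected" | cut -d' ' -f1-2)" ]
}

case ${1:-} in
    provision) provision && export_artifacts ;;
    verify) shift; verify_submission "$@" ;;
esac
```

Run `sh provision.sh provision` at the user's terminal with the YubiKey inserted, then send the three generated files to the gateway admins, who run `sh provision.sh verify piv-attestation-ca.pem f9.pem attest_9a.pem 9a_ssh.pub` before adding the key to authorized_keys.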
To Authenticate
On Unix-based systems:
Authenticate to the target system using the new key:
ssh -I XXX/libykcs11.so user@remote.example.com
This can also be set up to work with ssh-agent:
ssh-add -s XXX/libykcs11.so
On Windows systems, use the PuTTY-CAC binaries from the link below.
https://github.com/NoMoreFood/putty-cac/tree/master/binaries
PuTTY -> Connection -> SSH -> Certificate -> Set CAPI Cert
Useful links
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction…
https://developers.yubico.com/PIV/Introduction/Admin_access.html