jamesog / Yubikey Ssh

How to use a Yubikey with OpenSSH without GPG

Projects that are alternatives of or similar to Yubikey Ssh

Yubikey Agent
yubikey-agent is a seamless ssh-agent for YubiKeys.
Stars: ✭ 1,744 (+1514.81%)
Mutual labels:  ssh, yubikey
rustica
An SSHCA that uses a standard Yubikey to issue new host and user certificates.
Stars: ✭ 24 (-77.78%)
Mutual labels:  ssh, yubikey
Yubikey Touch Detector
A tool to detect when your YubiKey is waiting for a touch (to send notification or display a visual indicator on the screen)
Stars: ✭ 167 (+54.63%)
Mutual labels:  ssh, yubikey
Yubikey
YubiKey at Datadog
Stars: ✭ 393 (+263.89%)
Mutual labels:  ssh, yubikey
piv-agent
An SSH and GPG agent which you can use with your PIV hardware security device (e.g. a Yubikey).
Stars: ✭ 31 (-71.3%)
Mutual labels:  ssh, yubikey
Yubikey Guide
Guide to using YubiKey for GPG and SSH
Stars: ✭ 6,709 (+6112.04%)
Mutual labels:  ssh, yubikey
Loco
Share localhost through SSH. Local/Remote port forwarding made safe and easy.
Stars: ✭ 98 (-9.26%)
Mutual labels:  ssh
Ssh keyscanner
ssh public host key scanner using shodan
Stars: ✭ 102 (-5.56%)
Mutual labels:  ssh
Iap Desktop
IAP Desktop is a Windows application that provides zero-trust Remote Desktop and SSH access to Linux and Windows VMs on Google Cloud.
Stars: ✭ 96 (-11.11%)
Mutual labels:  ssh
Ssh Mitm
SSH man-in-the-middle tool
Stars: ✭ 1,328 (+1129.63%)
Mutual labels:  ssh
Mockssh
Mock an SSH server and define all commands it supports (Python, Twisted)
Stars: ✭ 107 (-0.93%)
Mutual labels:  ssh
Github Authorized Keys
Use GitHub teams to manage system user accounts and authorized_keys
Stars: ✭ 106 (-1.85%)
Mutual labels:  ssh
Groovy Ssh
SSH automation tool based on Groovy DSL
Stars: ✭ 100 (-7.41%)
Mutual labels:  ssh
Guacamole
Guacamole is a clientless remote desktop gateway. It supports standard protocols such as VNC, RDP and SSH. We call it clientless because no plugins or client software are needed. Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.
Stars: ✭ 99 (-8.33%)
Mutual labels:  ssh
Libapps Mirror
Mirror of the official libapps repo from https://chromium.googlesource.com/apps/libapps/
Stars: ✭ 103 (-4.63%)
Mutual labels:  ssh
Sidedoor
SSH connection daemon for Debian/Raspbian/Ubuntu/etc
Stars: ✭ 97 (-10.19%)
Mutual labels:  ssh
Clustermq
R package to send function calls as jobs on LSF, SGE, Slurm, PBS/Torque, or each via SSH
Stars: ✭ 106 (-1.85%)
Mutual labels:  ssh
Docker Tunnel
a (simple) dockerized ssh tunnel
Stars: ✭ 96 (-11.11%)
Mutual labels:  ssh
Mercury
Simple Android app that sends pre-configured commands to remote servers via SSH.
Stars: ✭ 100 (-7.41%)
Mutual labels:  ssh
Btrfs Sxbackup
Incremental btrfs snapshot backups with push/pull support via SSH
Stars: ✭ 105 (-2.78%)
Mutual labels:  ssh

Yubikey as an SSH key

As of 2020-05-09 Filippo Valsorda has released yubikey-agent. I am now recommending this method over using PKCS#11; however, if you still wish to use the native ssh-agent, read on.

All other guides I've seen (https://github.com/drduh/YubiKey-Guide being the most prolific) tell you to use the Yubikey's smartcard (PKCS#11) features with GnuPG via gpg-agent.

STOP THE MADNESS!

OpenSSH has supported PKCS#11 providers such as OpenSC since version 5.4. This means that all you need to do is install the OpenSC library and tell SSH to use that library as your identity.

Prerequisites

1. Install OpenSC and YubiKey Manager (CLI only)

On macOS

Ensure you install the cask version of OpenSC, not the formula. The cask version is a .pkg which installs the shared library to a location that ssh-agent will accept. The formula does not, as Homebrew installs each version into its own location and ssh-agent won't allow an unknown path to be used as a PKCS#11 library.

brew install --cask opensc
brew install ykman

On Ubuntu/Debian

sudo apt-add-repository ppa:yubico/stable
sudo apt update
sudo apt install opensc yubikey-manager

2. If this is a new Yubikey, change the default PIV management key, PIN and PUK.

The ykman tool can generate a new management key for you. For the PIN and PUK you'll need to provide your own values (6-8 digits).

ykman piv change-management-key --touch --generate
ykman piv change-pin -P 123456
ykman piv change-puk -p 12345678

Make sure you save the generated management key somewhere secure, such as a password manager. The management key is needed any time you generate a keypair, import a certificate or change the number of PIN or PUK retries.

The PUK should also be kept somewhere safe. This is used if the PIN is entered incorrectly too many times.

How?

I did this all on macOS 10.14. Linux distributions should work in a similar way. This is based on Yubico's instructions but uses the newer ykman utility instead of the older yubico-piv-tool. The older tool doesn't seem to support generating PIV certificates and gives misleading errors.

  1. Ensure CCID mode is enabled on the Yubikey

ykman mode

If CCID is not in the list, enable it by adding CCID to the list, e.g.

ykman mode OTP+FIDO+CCID

(This assumes you had OTP+FIDO previously, and still want them enabled.)

  2. Generate a PIV key and output the public key

ykman piv generate-key 9a pubkey.pem

Alternatively, you can require that you have to touch the Yubikey every time the slot is accessed:

ykman piv generate-key --touch-policy always 9a pubkey.pem

This is an RSA 2048-bit key by default. Depending on which Yubikey you have, you can change it using -a / --algorithm.

(9a is the PIV authentication slot.)

  3. Generate a self-signed X.509 certificate

ykman piv generate-certificate -s "SSH key" 9a pubkey.pem

  4. Export your SSH public key from the Yubikey

ssh-keygen -D /usr/local/lib/opensc-pkcs11.so
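
The four steps above gathered into one re-runnable script, as an added example that is not the guide's own code. It assumes ykman, OpenSC and ssh-keygen are on the PATH, uses the macOS library path from the guide unless PKCS11_LIB is overridden, chooses --touch-policy always rather than the default, and assumes the "Current connection mode is:" line format of ykman's mode output; parse_current_mode, mode_with_ccid, verify_export and the other function names are this example's own. It goes one step beyond the text: after exporting, it checks that the key OpenSSH sees through OpenSC is the same public key ykman wrote to pubkey.pem, which catches a stale certificate or a key sitting in a different slot.

```sh
#!/bin/sh
# Added example, not part of the original guide: runs steps 1-4 as one script
# and then checks that the key OpenSSH sees through OpenSC is the one ykman
# just generated. Assumes ykman, OpenSC and ssh-keygen are installed.
set -e

PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"   # macOS path from the guide
SLOT=9a                                                       # PIV authentication slot
PUBKEY_PEM="${PUBKEY_PEM:-pubkey.pem}"
ALGO="${ALGO:-RSA2048}"                                       # e.g. ECCP256 on keys that support it

# Pull the current mode out of `ykman mode` output. The line format
# ("Current connection mode is: OTP+FIDO") is assumed from ykman 3.x.
parse_current_mode() {
    sed -n 's/^Current connection mode is: *//p' | head -n 1
}

# Return a mode string with CCID added, or the input unchanged if CCID is
# already enabled, so OTP/FIDO stay exactly as they were.
mode_with_ccid() {
    case "$1" in
        *CCID*) printf '%s\n' "$1" ;;
        '')     printf 'CCID\n' ;;
        *)      printf '%s+CCID\n' "$1" ;;
    esac
}

# Step 1: make sure CCID (the smartcard interface OpenSC talks to) is on.
ensure_ccid() {
    current=$(ykman mode | parse_current_mode)
    wanted=$(mode_with_ccid "$current")
    if [ "$wanted" != "$current" ]; then
        echo "Enabling CCID: '$current' -> '$wanted'" >&2
        ykman mode "$wanted"
    fi
}

# Steps 2 and 3: key in slot 9a that requires a touch on every use, plus the
# self-signed certificate OpenSC needs before it will expose the key.
generate_key_and_cert() {
    ykman piv generate-key --algorithm "$ALGO" --touch-policy always "$SLOT" "$PUBKEY_PEM"
    ykman piv generate-certificate -s "SSH key" "$SLOT" "$PUBKEY_PEM"
}

# Step 4 with a check: the public key exported through the PKCS#11 library
# must match the PEM ykman wrote (compared by key type and blob, comments
# ignored); otherwise OpenSC is showing a different slot or a stale certificate.
verify_export() {
    expected=$(ssh-keygen -i -m PKCS8 -f "$PUBKEY_PEM" | awk '{print $1, $2}')
    ssh-keygen -D "$PKCS11_LIB" | awk '{print $1, $2}' | grep -qxF -- "$expected"
}

case "${1:-}" in
    provision)
        ensure_ccid
        generate_key_and_cert
        verify_export && echo "OK: key in slot $SLOT is visible via $PKCS11_LIB"
        ssh-keygen -D "$PKCS11_LIB"       # the line to paste into authorized_keys
        ;;
esac
```

Run it as sh provision-yubikey-ssh.sh provision; ykman will prompt for the management key (and a touch, if the key was generated with --touch) and for the PIN where it needs them. Nothing touches the Yubikey unless the provision argument is given, so the helper functions can be sourced and exercised without hardware.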

And that's all the hard stuff done.

Now just add the public key to your authorized_keys file on a remote host and try to use it:

ssh -I /usr/local/lib/opensc-pkcs11.so -i /usr/local/lib/opensc-pkcs11.so -o IdentitiesOnly=yes server.example.com

You should be prompted for your Yubikey's PIV PIN.

You can add the PKCS11 library to ssh-agent.

ssh-add -s /usr/local/lib/opensc-pkcs11.so

Once more you will be prompted for your PIN, and from there SSH authentication will happen as usual.

To configure ssh to use the Yubikey's SSH key, use the PKCS11Provider config option instead of IdentityFile, e.g.:

Host foo
  PKCS11Provider /usr/local/lib/opensc-pkcs11.so
  IdentitiesOnly yes

Additional notes

  • When SSHing, you may get prompted with the key's subject name, like Enter PIN for 'SSH key':. But if you add the key to the agent, you'll get a prompt like Enter passphrase for PKCS#11:. These are the same PIN (your PIV PIN).

  • If you remove the key from ssh-agent using ssh-add -d or ssh-add -D, you'll have to either remove and re-add the PKCS#11 library to the agent or restart the agent.

    • To re-add the library run
      ssh-add -e /usr/local/lib/opensc-pkcs11.so
      ssh-add -s /usr/local/lib/opensc-pkcs11.so
      
    • On macOS, you can restart the agent with
      launchctl stop com.openssh.ssh-agent
      launchctl start com.openssh.ssh-agent
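
A small helper for the situation described in the notes above, added here as an example and not part of the original guide: it re-adds the OpenSC provider to ssh-agent only when the Yubikey's key is actually missing from the agent listing, so a shell profile can call it on every login without prompting for the PIN needlessly. It assumes ssh-keygen, ssh-add and the macOS library path from the guide (override PKCS11_LIB otherwise); key_in_listing, reload_provider and ensure_yubikey_in_agent are this example's own names.

```sh
#!/bin/sh
# Added example, not from the original guide: put the OpenSC provider back
# into ssh-agent only if its key is missing, which is the state left behind
# by `ssh-add -d` / `ssh-add -D`.
set -e

PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"   # macOS path from the guide

# Return 0 if the key in $2 (type and base64 blob as printed by `ssh-keygen -D`)
# appears in the agent listing given in $1 (`ssh-add -L` output).
# Only key type and blob are compared, since the comment differs between
# the two tools.
key_in_listing() {
    listing=$1
    key=$2
    want=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    printf '%s\n' "$listing" | awk '{print $1, $2}' | grep -qxF -- "$want"
}

# `ssh-add -e` fails if the provider was never added; that is harmless here.
# `ssh-add -s` then prompts for the PIV PIN.
reload_provider() {
    ssh-add -e "$PKCS11_LIB" 2>/dev/null || true
    ssh-add -s "$PKCS11_LIB"
}

ensure_yubikey_in_agent() {
    # First key the provider exposes (slot 9a when set up as in the guide).
    yk_key=$(ssh-keygen -D "$PKCS11_LIB" | head -n 1)
    # `ssh-add -L` exits non-zero when the agent holds no identities.
    listing=$(ssh-add -L 2>/dev/null || true)
    if key_in_listing "$listing" "$yk_key"; then
        echo "Yubikey key already present in ssh-agent" >&2
    else
        reload_provider
    fi
}

case "${1:-}" in
    ensure) ensure_yubikey_in_agent ;;
esac
```

Invoke it as sh yubikey-agent-ensure.sh ensure. Because the comparison ignores the comment field, it works whether the agent labels the key with the provider path or with the certificate subject.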
      