How to create an SSH key on a Yubikey 5 using GPG on Ubuntu 20.04.

Yubikey 5c https://amzn.to/3dFvg4A
Yubikey 5 nfc https://amzn.to/3gr4UoJ

I am using VM Player as the test subject. Edit the .vmx file if you are using this and add these 3 lines to the end to passthrough the Yubikey. Restart vmplayer and passthrough.

usb.generic.allowHID = "TRUE"
usb.generic.allowLastHID = "TRUE"
usb.quirks.device0 = "0x1050:0x0407 allow"

Reference: https://www.engineerbetter.com/blog/yubikey-ssh/

I just installed all the yubikey stuff, you can do these 1 by 1 for what you need or just throw them all in.

sudo apt install opensc-pkcs11 yubikey-personalization scdaemon libpam-u2f libpam-yubico yubikey-personalization-gui yubikey-manager

Use GPG agent

# 'EOF' is quoted so $(tty) and $(gpgconf ...) are written literally and run at each shell start
cat <<'EOF' >> ~/.bashrc
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
EOF

then

. ~/.bashrc

To check if the Yubikey is being seen by Ubuntu type

gpg --card-status

If you want to change your pins, this is the command

gpg --change-pin

I would test the steps out before editing pins and messing around with more stuff, let's get to editing

gpg --card-edit
admin
generate

Make off-card backup of encryption key? N
I chose to expire my key in 3 years so I typed 3y
Is this correct? Y
Fill in a name and email address.
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

quit

Check your ssh key

ssh-add -L

and it spits the SSH key out

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRELbQ3izu+ckrwPgKTdmck89xrOaSv1Kp0vY1ShWYbjyALOvEL9Okd23bjzCcS3h/0t5R5HZs3Ej0cOpupa/Ls4E6DwFs7hC6bMjSdDu/I0490ONH6LOYWE5T5GCuuPNmMRBVX7mmCAXzUIkBFvimzspAIY+w2pkQ2bk+dOC+IMG70DsDPv54+LBm7IpgWth+wZLppacVYMgpARX38ounHU8pxEOxEodf5Vzx+jCxX7swYBM0Ujw+5+Kg+8c00oWB/6MM1mIdTepqH4hRIkw0AVMhEFqnC/qOrr4aZ9e8Bd5B27sTKwPlmX0oe7Uw46G72MZ6/bLc8qgjjIeIOzUj cardno:000613493497

To move the yubikey to another VM I did the edit vmx file, passed the yubikey through to vmplayer and then

sudo apt install opensc-pkcs11 yubikey-personalization scdaemon libpam-u2f libpam-yubico yubikey-personalization-gui yubikey-manager

Use GPG agent

# 'EOF' is quoted so $(tty) and $(gpgconf ...) are written literally and run at each shell start
cat <<'EOF' >> ~/.bashrc
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
EOF

then

. ~/.bashrc

And then check the key

ssh-add -L
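
Whether the heredoc delimiter is quoted decides what the agent block above actually puts in ~/.bashrc, and the comment on each line of `ssh-add -L` output shows which keys live on the card. The script below is an added example, not part of the original post; the function names `write_rc`, `frozen_count` and `card_keys` and the sample key lines are constructed for illustration, and it only writes to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Works on temporary files only.

# write_rc MODE FILE: append the post's agent block to FILE.
#   unquoted: $(...) runs while the file is written; its output is frozen in
#   quoted:   $(...) is stored literally and runs at every shell start
write_rc() {
    if [ "$1" = quoted ]; then
        cat <<'EOF' >> "$2"
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
EOF
    else
        cat <<EOF >> "$2"
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
EOF
    fi
}

# frozen_count FILE: number of GPG_TTY/SSH_AUTH_SOCK exports in FILE whose value
# was fixed at write time (no command substitution left on the line).
frozen_count() {
    grep -E '^export (GPG_TTY|SSH_AUTH_SOCK)=' "$1" | grep -cvF '$(' || true
}

# card_keys: read `ssh-add -L` output on stdin, print "keytype serial" for each
# key whose comment is the cardno:<serial> label gpg-agent gives card keys.
card_keys() {
    awk '$3 ~ /^cardno:/ { sub(/^cardno:/, "", $3); print $1, $3 }'
}

demo() {
    dir=$(mktemp -d) || return 1
    write_rc unquoted "$dir/rc_unquoted" 2>/dev/null
    write_rc quoted "$dir/rc_quoted"
    echo "unquoted delimiter: $(frozen_count "$dir/rc_unquoted") frozen export(s)"
    echo "quoted delimiter:   $(frozen_count "$dir/rc_quoted") frozen export(s)"
    # Constructed sample of `ssh-add -L` output (key material shortened).
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2E cardno:000000000001' \
                  'ssh-ed25519 AAAAC3NzaC1lZDI1 user@laptop' | card_keys
    rm -rf "$dir"
}
demo
```

A frozen `GPG_TTY` points pinentry at whatever terminal was open when the file was written, so PIN prompts can fail or appear on the wrong terminal in later sessions.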

How to setup Yubikey 5 on Android phone and Windows Desktop guide, to replace Google Authenticator or Authy.

Trying to think of ways this could be hacked, not quite sure all of the methods, but I think they all require physical possession of the yubikey itself and a password, on top of your login credentials. The idea behind this is hearing about sim swapping hacks and trying to get away from anything related to the phone carrier being hacked.

Get yubikey somewhere, 2 or more of these as 1 will be a backup, probably official source so no tampering. I am using the Yubikey 5 for this example. https://www.yubico.com/products/

All authenticator downloads located here https://www.yubico.com/products/services-software/download/yubico-authenticator/

I don't have an iPhone so I can't test if the NFC part works on Apple products.

On Android install the Yubico Authenticator App, now go to your site, let's pick https://www.southxchange.com/ . Go to user settings, Two-Factor Code Authentication and enable. When the QR shows up you want to scan this with your phone. Also write down the manual code. After the QR code is scanned in, the phone will ask you to tap the yubikey NFC. Tap the yubikey to the phone. If you already have your backup yubikey, click add and tap again. Now it's stored on both yubikeys using QR code scanning. Enter the 6 digits to enable 2FA on your account.

Download and install Windows Yubico Authenticator from the official link above. Plug in one of your yubikeys to your desktop, and your codes now pop up. Put passwords on both authenticator apps for extra security.

For github, major exchanges, gmail, etc most of these offer to just add the key itself instead of using the 6 digit code. But this app is really handy for things like Discord.

I am using a yubikey 5 for this and Manjaro KDE distro. Amazon has same day delivery https://amzn.to/338KYgF

slightly different but basically the same as official arch install, except I took out assuming the -m and $MK PIV application's 24-byte management key part as it didn't work for me when generating the self signed certificate.
https://wiki.archlinux.org/index.php/YubiKey#Using_a_YubiKey_with_SSH

#install yubikey manager
sudo pacman -S yubikey-manager yubikey-manager-qt

#plug in yubikey and verify it can be seen
ykman list

#generate key
ykman piv generate-key -a RSA2048 9a pubkey.pem

#generate self signed certificate
ykman piv generate-certificate -d 1826 -s "SSH Key" 9a pubkey.pem

#install opensc package
sudo pacman -S opensc

#configure ssh to use opensc library
nano ~/.ssh/config
#enter single line below, save and exit
PKCS11Provider /usr/lib/opensc-pkcs11.so

#convert public-key to standard openssh format
ssh-keygen -i -m PKCS8 -f pubkey.pem > pubkey.txt

#cat pubkey.txt to see your public key. example can copy and paste the public key into scaleway credentials
cat pubkey.txt

#or another way to get the public key onto your server
cat ~/pubkey.txt | ssh [email protected] 'cat >> .ssh/authorized_keys'

now when you ssh into your server, plug in your yubikey and you will be asked for a pin at the login prompt

example
ssh [email protected]

and you will now be prompted for the yubikey pin to access your server