YubiKey SSH authentication
Hi everyone! Today I’ll show how we can authenticate to a server over SSH using a YubiKey, without changing the server’s existing SSH key-based authentication setup: the key pair lives in the YubiKey’s PIV applet, and the server only sees an ordinary public key in authorized_keys.
Let’s generate an RSA key pair in PIV slot 9a (the authentication slot) and a self-signed certificate for it. The certificate can be issued by another certificate authority as well; for SSH only the public key matters.
# key generation and self-signed certificate
# -k prompts for the PIV management key; --pin-policy=always asks for the PIN on every use,
# --touch-policy=cached accepts one touch for 15 seconds
yubico-piv-tool -a generate -s 9a -A RSA2048 -o pub.key --touch-policy=cached --pin-policy=always -k
yubico-piv-tool -a verify-pin -a selfsign -s 9a -S '/CN=test/OU=test/O=example.com/' -i pub.key -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -k -i cert.pem
# check status
yubico-piv-tool -a status
# output
Version: 4.3.7
Serial Number: 6545265
CHUID: 3019d4e739da7842108421c84210c3eb3410f2e58f502e51c1193169531ea57ce62f350832303330303130313e00fe00
CCC: No data available
Slot 9a:
Algorithm: RSA2048
Subject DN: CN=test, OU=test, O=example.com
Issuer DN: CN=test, OU=test, O=example.com
Fingerprint: 2a1012039df912e9bee6f0ab9544b62cdc8db6f6b59f19c1517e51ccdac341ef
Not Before: Jan 23 11:47:52 2024 GMT
Not After: Jan 22 11:47:52 2025 GMT
PIN tries left: 3
The certificate can be generated or imported with YubiKey Manager as well.
The key is prepared and we are ready to log in using the YubiKey.
Ubuntu
We need the OpenSC PKCS#11 library (opensc-pkcs11.so), which OpenSSH loads to talk to the token. Example on Ubuntu 22.04 Desktop.
sudo apt-get update && sudo apt-get install -y opensc
We will also install yubico-piv-tool.
sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install -y yubico-piv-tool
Now we can export our public key in OpenSSH format. Add it to ~/.ssh/authorized_keys on every server that should accept it. Either convert the certificate stored in slot 9a:
yubico-piv-tool -a read-certificate -s 9a > name.crt && openssl x509 -in name.crt -noout -pubkey > publickey.pem && ssh-keygen -i -m PKCS8 -f publickey.pem
or let ssh-keygen read the public keys directly through the PKCS#11 provider:
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e
#output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuOEUGE9LuOutNK+g3PA/t6KKIfNOGDnw1kQvjyyL0zNdYYO/0al4fV2JA22Rj5vNOuHPqisjTMxkEC2hhcjlLjbefR7z9fdaWuf4UijyhixrXOaCPg6eNZdVAvc+xi69gVZQjCGp07ZepP/nwORKmqbL4adeXniVbTOd61f4B3xnTssFiMFhlKiv1T1InsD6gPaUj3wzaffAkiyBPJF/FZBXtMa18G9G5VR8NRp9OlEiUv6zf2Pr+M9Fk3hxIj/wtdWRTRTzhEZlm8BNCAY6faQ1Kf5VSAuL60WULJO6z/IV4b9AjWefUnryRhpHYx5Od0ScMPTeiytpJWWRa49Z7
Let’s try to connect to a server, pointing ssh at the PKCS#11 provider with -I.
ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so root@10.67.49.137
### ssh asks for the PIN of the token
### The YubiKey starts blinking. Touch it.
### You are connected to the server
You can also add a host entry to ~/.ssh/config:
Host test
HostName 10.67.49.137
User root
Port 22
PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Then the ssh test command alone is enough.
We can also add the YubiKey to ssh-agent so the PIN is not typed on every connection. In my opinion this is acceptable only with --touch-policy=always: the agent then holds the unlocked session, but every signature still needs a physical touch. (The key above was generated with --touch-policy=cached; the touch policy is fixed at generation time, so it would have to be regenerated.)
### add token (ssh-add asks for the PIN once)
ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
### check: list the public keys the agent now holds
ssh-add -L
### remove token
ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
### You can wrap the remove-and-add pair in a shell alias to re-add the token.
ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so; ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
### Now you can ssh to any server, not only those in ~/.ssh/config, and without -I: the agent supplies the key.
We can compute the SSH key fingerprint and watch for it in auth.log, where sshd logs the fingerprint of every accepted public key. That lets us check that only keys generated on a YubiKey are actually used to log in.
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuOEUGE9LuOutNK+g3PA/t6KKIfNOGDnw1kQvjyyL0zNdYYO/0al4fV2JA22Rj5vNOuHPqisjTMxkEC2hhcjlLjbefR7z9fdaWuf4UijyhixrXOaCPg6eNZdVAvc+xi69gVZQjCGp07ZepP/nwORKmqbL4adeXniVbTOd61f4B3xnTssFiMFhlKiv1T1InsD6gPaUj3wzaffAkiyBPJF/FZBXtMa18G9G5VR8NRp9OlEiUv6zf2Pr+M9Fk3hxIj/wtdWRTRTzhEZlm8BNCAY6faQ1Kf5VSAuL60WULJO6z/IV4b9AjWefUnryRhpHYx5Od0ScMPTeiytpJWWRa49Z7" | ssh-keygen -l -f -
### output
2048 SHA256:KS/+U9FyFvTMhhyXHP4bPYX/G6mo7GL1WuI2Shb+LZM no comment (RSA)
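As an added example (not part of the original post), here is the monitoring just described as a small POSIX shell script: it pulls the user, source address and key fingerprint out of sshd’s "Accepted publickey" lines and reports every login whose fingerprint is not on an allowlist of YubiKey keys. The log lines are constructed for the example; the first fingerprint is the one computed above, the other fingerprints and the hostname srv are made up.

```shell
#!/bin/sh
# Added example, not from the original post: report SSH logins that used a key
# whose fingerprint is not on the allowlist of YubiKey-resident keys.

# Allowlist of fingerprints (one per line) taken from "ssh-keygen -l" on the
# public keys exported from the YubiKeys. The first is the key from this page,
# the second is a made-up placeholder.
YUBIKEY_FPS='SHA256:KS/+U9FyFvTMhhyXHP4bPYX/G6mo7GL1WuI2Shb+LZM
SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC'

# Constructed sample of /var/log/auth.log in the format Ubuntu's sshd writes.
# Only "Accepted publickey" lines carry a fingerprint we can check.
SAMPLE_LOG='Jan 23 12:00:01 srv sshd[1201]: Accepted publickey for root from 10.67.49.10 port 51234 ssh2: RSA SHA256:KS/+U9FyFvTMhhyXHP4bPYX/G6mo7GL1WuI2Shb+LZM
Jan 23 12:05:44 srv sshd[1288]: Accepted publickey for deploy from 10.67.49.11 port 51300 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 23 12:06:02 srv sshd[1290]: Accepted password for root from 10.67.49.12 port 51301 ssh2
Jan 23 12:07:15 srv sshd[1301]: Failed publickey for root from 10.67.49.13 port 51302 ssh2: RSA SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

# Read sshd log lines on stdin and print "user ip fingerprint" for every
# successful public-key login. Failed attempts and password logins are skipped.
accepted_pubkey_logins() {
    awk '
        match($0, /Accepted publickey for [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            # sshd ends these lines with the key type and fingerprint,
            # so the fingerprint is the last field.
            print w[4], w[6], $NF
        }'
}

# $1: newline-separated allowlist of fingerprints; log lines on stdin.
# Prints the accepted logins whose fingerprint is NOT on the allowlist.
non_yubikey_logins() {
    accepted_pubkey_logins | awk -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok) { print }'
}

# Demo on the constructed sample; in practice feed /var/log/auth.log instead:
#   non_yubikey_logins "$YUBIKEY_FPS" < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | non_yubikey_logins "$YUBIKEY_FPS"
```

On the sample this prints only the deploy login, whose key is not on the allowlist. The same allowlist can be compared with what a server actually trusts using ssh-keygen -lf ~/.ssh/authorized_keys, so a key that does not live on a YubiKey is found before it is ever used.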
OS X
Almost the same as on Ubuntu.
Library: the dmg packages from https://github.com/OpenSC/OpenSC/releases/
yubico-piv-tool: https://www.yubico.com/support/download/smart-card-drivers-tools/
### ssh-agent only loads PKCS#11 providers from its allowlist (by default /usr/lib*/* and /usr/local/lib*/*), so copying the library there helps if ssh-add refuses the provider
sudo cp /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/
Windows
I used PuTTY-CAC. PuTTY-CAC works with many kinds of cryptographic tokens, such as YubiKeys and popular smart card models.
Launch PuTTY, then go to Connection -> SSH -> Certificate in the category section. Click Set CAPI Cert and select the certificate that resides on the token. Check the box next to ‘Attempt certificate authentication’. The Certificate Thumbprint field displays the SSH key fingerprint.
Summary
We can use one certificate issued to us by our company for many things:
- web authentication.
- VPN authentication.
- email signature and encryption.
- RDP authentication.
- 802.1x
- SSH authentication as well.