How to setup yubikey pkcs11

From Linux Delta
Jump to: navigation, search

How to Setup a Yubikey for SSH on Linux Author: Kernellinux

System Requirements

1. A Machine with Ubuntu 18.04 LTS or later
2. A 5th gen Yubikey

Step 1. Install the OpenSC agent

sudo apt-get install opensc

Step 2. Add the repository for the Yubico Software

sudo apt-add-repository ppa:yubico/stable

Step 3. Install the PIV tool which we will later use to provision the Yubikey

sudo apt-get install yubico-piv-tool

Step 4. Use the PIV tool to change the pin from the default '123456' to a pin of your choice. "Pins" are not limited to numbers. You can use a secure password to increase security.

yubico-piv-tool -a change-pin -P 123456 -N TheNewPinHere

Step 5. Generate a certificate

yubico-piv-tool -s 9a -a generate --touch-policy=always -o public.pem

Step 6. Self-sign the certificate

yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
-S "/CN=SSH key/" -i public.pem -o cert.pem

Step 7. Import the self-signed certificate

yubico-piv-tool -a import-certificate -s 9a -i cert.pem

Step 8. Display the SSH Public key to be stored in the authorized_keys file on remote servers

ssh-keygen -D /usr/lib/x86_64-linux-gnu/

Copy the ssh key to a file called authorized_keys and place this file in the ~/.ssh directory of the server you wish to authenticate to.

Step 9. Add the following line to /etc/ssh/ssh_config

 PKCS11Provider /usr/lib/x86_64-linux-gnu/