====== Yubikey ======
===== Yubico OTP =====
https://demo.yubico.com
===== PIV =====
# yubikey manager
pacman -S yubikey-manager
# smart card daemon
systemctl start pcscd.service
systemctl enable pcscd.service
# enable U2F/smartcard/CCID feature
ykpersonalize -m86 # yubikey 4 or below
ykman config usb --enable-all # yubikey 5 or up
# generate key
yubico-piv-tool -s9a -ARSA2048 -agenerate -o pubkey.pem
# import key
yubico-piv-tool -s9a -a import-key -i key.pem
# self sign
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o cert.pem
# cert request
yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o req.pem
# import cert
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
# check status
yubico-piv-tool -a status
# export the public key in the correct format for ssh
pacman -S opensc
ssh-keygen -D opensc-pkcs11.so -e
# use the key
ssh -I opensc-pkcs11.so user@remotehost
ssh-add -s opensc-pkcs11.so
# add following to ~/.ssh/config
host {HOSTNAME-ALIAS}
hostname {HOSTNAME}
port 22
user USERNAME
IdentitiesOnly yes
PKCS11Provider opensc-pkcs11.so
===== Delete key slot =====
yubico-piv-tool -adelete-certificate -s9a -k
===== Change PIN & PUK & management key =====
yubico-piv-tool -achange-pin
yubico-piv-tool -achange-puk
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key
yubico-piv-tool -aset-mgm-key -n$key
The default PIN code is 123456. The default PUK code is 12345678.
The default 3DES management key (9B) is 010203040506070801020304050607080102030405060708.
===== GPG key =====
# generate key
gpg --full-gen-key
# edit key
gpg --expert --edit-key {KEYID}
# add a pure authentication key
addkey
# 8 = RSA (set your own capabilities)
8
# toggle capabilities: A on, S off, E off, then Q to finish
A
S
E
Q
# key size and expiry (0 = never expires), then confirm twice
4096
0
y
y
# save and leave
quit
y
# Backup
gpg --armor --output privkey.sec --export-secret-key {KEYID}
gpg --armor --output subkeys.sec --export-secret-subkeys {KEYID}
gpg --armor --output pubkey.sec --export {KEYID}
# Import key to card
gpg --expert --edit-key {KEYID}
# toggle switches to the secret-key view; only needed on gpg 2.0 and older
toggle
# move the primary key to the Signature slot (1)
keytocard
y
1
# select subkey 1 and move it to the Encryption slot (2)
key 1
keytocard
2
# deselect subkey 1, select subkey 2 and move it to the Authentication slot (3)
key 1
key 2
keytocard
3
# save
quit
y
# Import key from card (Public key)
gpg --card-edit
fetch
quit
# List keys
gpg --card-status
# Export public key
gpg --export --armor {KEYID}
===== Unblock GPG PIN =====
gpg --card-status
# the three numbers are the tries left for the user PIN, the Reset Code and the Admin PIN; 0 for the first means the user PIN is blocked
PIN retry counter : 0 0 3
# unblock it with the Admin PIN
gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. … detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 2
PIN unblocked and new PIN set.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
===== Reset Yubikey =====
# Attempt to use an invalid PIN multiple times to block it #
yubico-piv-tool -a verify-pin -P 000000
yubico-piv-tool -a verify-pin -P 000000
yubico-piv-tool -a verify-pin -P 000000
yubico-piv-tool -a verify-pin -P 000000
# Attempt to change PUK using an invalid PUK multiple times to block it #
yubico-piv-tool -a change-puk -P 000000 -N 000001
yubico-piv-tool -a change-puk -P 000000 -N 000001
yubico-piv-tool -a change-puk -P 000000 -N 000001
yubico-piv-tool -a change-puk -P 000000 -N 000001
Once the PIN and PUK are both blocked, the PIV application can be reset. This erases all keys and certificates in the PIV slots and restores the default PIN, PUK and management key.
yubico-piv-tool -a reset
**Key slots**
* Slot 9a: PIV Authentication (system login)
* Slot 9c: Digital Signature (signing files and executables)
* Slot 9d: Key Management (encrypting e-mails or files)
* Slot 9e: Card Authentication (physical access applications)
* Slot 82-95: Retired Key Management (previously used Key Management keys, only available on the YubiKey 4)
* Slot f9: Attestation
**Ref**
* https://developers.yubico.com/PIV/Guides/Device_setup.html
* https://forum.yubico.com/viewtopic.php?f=26&t=1344
* https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
* https://ruimarinho.gitbooks.io/yubikey-handbook
* https://github.com/drduh/YubiKey-Guide
* https://www.chipestimate.com/techtalk/images/fig1_081202.gif
* https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
* https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html
* https://lauri.xn--vsandi-pxa.com/2017/03/yubikey-for-ssh-auth.html
* https://github.com/Yubico/yubico-piv-tool
* https://wikitech.wikimedia.org/wiki/Yubikey-SSH
* https://developers.yubico.com/PGP/Importing_keys.html
* https://gist.github.com/ageis/5b095b50b9ae6b0aa9bf
* https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4
* https://github.com/ruimarinho/yubikey-handbook/blob/master/openpgp/troubleshooting/gpg-failed-to-sign-the-data.md
* https://www.mjollnir.cc/archives/216.html