Yubikey
Yubico OTP
PIV
# yubikey manager
pacman -S yubikey-manager
# smart card daemon
systemctl start pcscd.service
systemctl enable pcscd.service
# enable U2F/smartcard/CCID feature
ykpersonalize -m86 # yubikey 4 or below
ykman config usb --enable-all # yubikey 5 or up
# generate key
yubico-piv-tool -s9a -ARSA2048 -agenerate -o pubkey.pem
# import key
yubico-piv-tool -s9a -a import-key -i key.pem
# self sign
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o cert.pem
# cert request
yubico-piv-tool -a verify-pin -a arequest -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o req.pem
# import cert
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
# check status
yubico-piv-tool -a status
# export the public key in correct format for ssh
pacman -S opensc
ssh-keygen -D opensc-pkcs11.so -e
# use the key
ssh -I opensc-pkcs11.so user@remotehost
ssh-add -s opensc-pkcs11.so
# add following to ~/.ssh/config
host {HOSTNAME-ALIAS}
hostname {HOSTNAME}
port 22
user USERNAME
IdentitiesOnly yes
PKCS11Provider opensc-pkcs11.so
Delete key slot
yubico-piv-tool -adelete-certificate -s9a -k
Chanage PIN & PUK & management key
yubico-piv-tool -achange-pin yubico-piv-tool -achange-puk key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` echo $key yubico-piv-tool -aset-mgm-key -n$key
The default PIN code is 123456. The default PUK code is 12345678. The default 3DES management key (9B) is 010203040506070801020304050607080102030405060708.
GPG key
# generate key
gpg --full-gen-key
# edit key
gpg --expert --edit-key {KEYID}
# add a pure authentication key
addkey
8
A
S
E
Q
4096
0
y
y
quit
y
# Backup
gpg --armor --output privkey.sec --export-secret-key {KEYID}
gpg --armor --output subkeys.sec --export-secret-subkeys {KEYID}
gpg --armor --output pubkey.sec --export {KEYID}
# Import key to card
gpg --expert --edit-key {KEYID}
toggle
keytocard
y
1
key 1
keytocard
2
key 1
key 2
keytocard
3
quit
y
# Import key from card (Public key)
gpg --card-edit
fetch
quit
# List keys
gpg --card-status
# Export public key
gpg --export --armor {KEYID}
Unblock GPG PIN
gpg --card-status PIN retry counter : 0 0 3 gpg --card-edit gpg/card> admin Admin commands are allowed gpg/card> passwd gpg: OpenPGP card no. … detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? 2 PIN unblocked and new PIN set. 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? q
Reset Yubikey
# Attempt to use an invalid PIN multiple times to block it # yubico-piv-tool -a verify-pin -P 000000 yubico-piv-tool -a verify-pin -P 000000 yubico-piv-tool -a verify-pin -P 000000 yubico-piv-tool -a verify-pin -P 000000 # Attempt to change PUK using an invalid PUK multiple times to block it # yubico-piv-tool -a change-puk -P 000000 -N 000001 yubico-piv-tool -a change-puk -P 000000 -N 000001 yubico-piv-tool -a change-puk -P 000000 -N 000001 yubico-piv-tool -a change-puk -P 000000 -N 000001 Once PIN and PUK are both blocked, you can reset the YubiKey. yubico-piv-tool -a reset
Key slot
- Slot 9a: PIV Authentication (system login)
- Slot 9c: Digital Signature (signing files and executables)
- Slot 9d: Key Management (encrypting e-mails or files)
- Slot 9e: Card Authentication (physical access applications)
- Slot 82-95: Retired Key Management (previously used Key Management keys, only available on the YubiKey 4)
- Slot f9: Attestation
Ref
