Yubikey
Yubico OTP
PIV
# yubikey manager pacman -S yubikey-manager # smart card daemon systemctl start pcscd.service systemctl enable pcscd.service # enable U2F/smartcard/CCID feature ykpersonalize -m86 # yubikey 4 or below ykman config usb --enable-all # yubikey 5 or up # generate key yubico-piv-tool -s9a -ARSA2048 -agenerate -o pubkey.pem # import key yubico-piv-tool -s9a -a import-key -i key.pem # self sign yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o cert.pem # cert request yubico-piv-tool -a verify-pin -a arequest -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o req.pem # import cert yubico-piv-tool -a import-certificate -s 9a -i cert.pem # check status yubico-piv-tool -a status # export the public key in correct format for ssh pacman -S opensc ssh-keygen -D opensc-pkcs11.so -e # use the key ssh -I opensc-pkcs11.so user@remotehost ssh-add -s opensc-pkcs11.so # add following to ~/.ssh/config host {HOSTNAME-ALIAS} hostname {HOSTNAME} port 22 user USERNAME IdentitiesOnly yes PKCS11Provider opensc-pkcs11.so
Delete key slot
yubico-piv-tool -adelete-certificate -s9a -k
Chanage PIN & PUK & management key
yubico-piv-tool -achange-pin yubico-piv-tool -achange-puk key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` echo $key yubico-piv-tool -aset-mgm-key -n$key
The default PIN code is 123456. The default PUK code is 12345678. The default 3DES management key (9B) is 010203040506070801020304050607080102030405060708.
GPG key
# generate key gpg --full-gen-key # edit key gpg --expert --edit-key {KEYID} # add a pure authentication key addkey 8 A S E Q 4096 0 y y quit y # Backup gpg --armor --output privkey.sec --export-secret-key {KEYID} gpg --armor --output subkeys.sec --export-secret-subkeys {KEYID} gpg --armor --output pubkey.sec --export {KEYID} # Import key to card gpg --expert --edit-key {KEYID} toggle keytocard y 1 key 1 keytocard 2 key 1 key 2 keytocard 3 quit y # Import key from card (Public key) gpg --card-edit fetch quit # List keys gpg --card-status # Export public key gpg --export --armor {KEYID}
Unblock GPG PIN
gpg --card-status PIN retry counter : 0 0 3 gpg --card-edit gpg/card> admin Admin commands are allowed gpg/card> passwd gpg: OpenPGP card no. … detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? 2 PIN unblocked and new PIN set. 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? q
Reset Yubikey
# Attempt to use an invalid PIN multiple times to block it # yubico-piv-tool -a verify-pin -P 000000 yubico-piv-tool -a verify-pin -P 000000 yubico-piv-tool -a verify-pin -P 000000 yubico-piv-tool -a verify-pin -P 000000 # Attempt to change PUK using an invalid PUK multiple times to block it # yubico-piv-tool -a change-puk -P 000000 -N 000001 yubico-piv-tool -a change-puk -P 000000 -N 000001 yubico-piv-tool -a change-puk -P 000000 -N 000001 yubico-piv-tool -a change-puk -P 000000 -N 000001 Once PIN and PUK are both blocked, you can reset the YubiKey. yubico-piv-tool -a reset
Key slot
- Slot 9a: PIV Authentication (system login)
- Slot 9c: Digital Signature (signing files and executables)
- Slot 9d: Key Management (encrypting e-mails or files)
- Slot 9e: Card Authentication (physical access applications)
- Slot 82-95: Retired Key Management (previously used Key Management keys, only available on the YubiKey 4)
- Slot f9: Attestation
Ref