Yubikey
Yubico OTP
PIV
# smart card daemon
systemctl start pcscd.service
systemctl enable pcscd.service
# enable U2F/smartcard/CCID feature
ykpersonalize -m86
# generate key
yubico-piv-tool -s9a -ARSA2048 -agenerate -o pubkey.pem
# import key
yubico-piv-tool -s9a -a import-key -i key.pem
# self sign
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o cert.pem
# cert request
yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o req.pem
# import cert
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
# check status
yubico-piv-tool -a status
# export the public key in the correct format for ssh
pacman -S opensc
ssh-keygen -D opensc-pkcs11.so -e
# use the key
ssh -I opensc-pkcs11.so user@remotehost
ssh-add -s opensc-pkcs11.so
# add following to ~/.ssh/config
host {HOSTNAME-ALIAS}
hostname {HOSTNAME}
port 22
user USERNAME
IdentitiesOnly yes
PKCS11Provider opensc-pkcs11.so
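`ssh-keygen -D opensc-pkcs11.so -e` prints the slot 9a key in RFC4716 framing, but the remote host's ~/.ssh/authorized_keys wants the one-line form, and the SHA256 fingerprint is what `ssh-add -l` shows once the PKCS#11 provider is loaded. The following is an added example, not code from the original page, using only the Python standard library to do that conversion and fingerprint; the key blob inside it is a constructed toy sample (tiny modulus), not a real YubiKey key.

```python
import base64
import hashlib
import struct


def rfc4716_to_blob(text):
    """Return the raw key blob from an RFC4716 block (what `ssh-keygen -e` prints)."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            inside = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        elif inside and line and ":" not in line:  # skip header lines such as Comment:
            body.append(line)
    return base64.b64decode("".join(body))


def parse_blob(blob):
    """Decode the SSH wire format: string key type, then mpint e and mpint n."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    keytype = fields[0].decode()
    if keytype != "ssh-rsa":
        raise ValueError("expected ssh-rsa, got " + keytype)
    return keytype, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def authorized_keys_line(blob, comment):
    """One-line form for the remote ~/.ssh/authorized_keys."""
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-add -l` shows (unpadded base64 of the blob hash)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def encode_mpint(value):
    data = value.to_bytes((value.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return struct.pack(">I", len(data)) + data


# Constructed sample: a toy ssh-rsa blob (tiny modulus, not a real YubiKey key) in RFC4716 framing.
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + encode_mpint(65537) + encode_mpint(0xC4F8E9E15DCADF2B)
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
                  'Comment: "constructed sample"\n'
                  + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
                  "---- END SSH2 PUBLIC KEY ----\n")
```

Feed the real `ssh-keygen -D opensc-pkcs11.so -e` output to `rfc4716_to_blob` and paste the `authorized_keys_line` result on the server; compare `fingerprint` against `ssh-add -l` after `ssh-add -s opensc-pkcs11.so`.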
Change PIN
gpg --card-edit # at the gpg/card> prompt enter "admin", then "passwd", and follow the menu to change the PIN and Admin PIN
# this edits the OpenPGP applet's PINs; the PIV PIN and PUK are separate (yubico-piv-tool -a change-pin / -a change-puk)
Key slot
- Slot 9a: PIV Authentication (system login)
- Slot 9c: Digital Signature (signing files and executables)
- Slot 9d: Key Management (encrypting e-mails or files)
- Slot 9e: Card Authentication (physical access applications)
- Slot 82-95: Retired Key Management (previously used Key Management keys, only available on the YubiKey 4)
- Slot f9: Attestation