

Yubikey

# smart card daemon
systemctl start pcscd.service
systemctl enable pcscd.service

# enable U2F/smartcard/CCID feature
ykpersonalize -m86

# generate key
yubico-piv-tool -s9a -ARSA2048 -agenerate -o pubkey.pem

# import key
yubico-piv-tool -s9a -a import-key -i key.pem

# self sign
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o cert.pem

# certificate signing request (for a CA-issued certificate instead of a self-signed one)
yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S'/CN=foo/OU=test/O=example.com/' -i pubkey.pem -o req.pem

# import cert
yubico-piv-tool -a import-certificate -s 9a -i cert.pem

# check status
yubico-piv-tool -a status

# export the public key in correct format for ssh
pacman -S opensc
ssh-keygen -D opensc-pkcs11.so -e

# use the key
ssh -I opensc-pkcs11.so user@remotehost
ssh-add -s opensc-pkcs11.so

# add following to ~/.ssh/config
host {HOSTNAME-ALIAS}
  hostname {HOSTNAME}
  port 22
  user USERNAME
  IdentitiesOnly yes
  PKCS11Provider opensc-pkcs11.so
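A check worth running once the export and the ssh config above are in place: confirm that the key OpenSSH sees through the PKCS#11 module is really the one generated into slot 9a, by converting the pubkey.pem written by the generate step into OpenSSH form and comparing key blobs. This is an added example, not code from the original page or from Yubico; it assumes pubkey.pem and the opensc-pkcs11.so module path from the steps above, and the helper names are my own.

```shell
#!/bin/sh
# Added example: verify that the PKCS#11 module exposes the slot 9a key
# that yubico-piv-tool generated (pubkey.pem). Helper names are assumptions.

PKCS11_MODULE=${PKCS11_MODULE:-opensc-pkcs11.so}

# The second whitespace-separated field of an OpenSSH public-key line is the
# base64 key blob; the trailing comment is irrelevant for comparison.
ssh_key_blob() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Return 0 when two OpenSSH public-key lines carry the same (non-empty) key blob.
same_ssh_key() {
    a=$(ssh_key_blob "$1")
    b=$(ssh_key_blob "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Convert the PEM SubjectPublicKeyInfo written by `yubico-piv-tool -a generate`
# into a single OpenSSH public-key line.
pem_to_openssh() {
    ssh-keygen -i -m PKCS8 -f "$1"
}

# Compare every key offered by the PKCS#11 module against the PEM file.
# Touches the token; returns 0 on a match, 1 if nothing matches, 2 on tool errors.
verify_piv_ssh_key() {
    pem_file=${1:-pubkey.pem}
    expected=$(pem_to_openssh "$pem_file") || return 2
    token_keys=$(ssh-keygen -D "$PKCS11_MODULE") || return 2
    found=$(printf '%s\n' "$token_keys" | while IFS= read -r line; do
        if same_ssh_key "$expected" "$line"; then printf '%s\n' "$line"; fi
    done)
    if [ -n "$found" ]; then
        echo "token key matches $pem_file: $found"
        return 0
    fi
    echo "no key exposed by $PKCS11_MODULE matches $pem_file" >&2
    return 1
}

# Only touch the token when asked explicitly, so the functions can be sourced.
if [ "${1:-}" = "--verify" ]; then
    verify_piv_ssh_key "${2:-pubkey.pem}"
fi
```

Run it as `sh verify-piv-ssh.sh --verify pubkey.pem` after the generate step; a mismatch usually means the module is reading a different token or slot than the one you provisioned.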

# delete the certificate in slot 9a (-k prompts for the management key)
yubico-piv-tool -adelete-certificate -s9a -k

# change the PIN and PUK away from the defaults
yubico-piv-tool -achange-pin
yubico-piv-tool -achange-puk

# set a random 3DES management key (slot 9B): 24 random bytes as 48 hex digits
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key
yubico-piv-tool -aset-mgm-key -n$key

The default PIN code is 123456. The default PUK code is 12345678.
The default 3DES management key (9B) is 010203040506070801020304050607080102030405060708.
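The snippet above echoes the new management key to the terminal and leaves nothing behind for later use. The following added example (my own code, not from the page or from Yubico; function names and the MGM_KEY_FILE location are assumptions) generates the key with POSIX tools only, refuses the factory default or any malformed value, stores it in an owner-only file, and applies it to the token only when asked explicitly.

```shell
#!/bin/sh
# Added example: generate, validate and apply a new PIV management key (slot 9B).
# Function names and the MGM_KEY_FILE location are assumptions of this example.

# Factory default 3DES management key, as documented by Yubico; never keep it.
DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708
MGM_KEY_FILE=${MGM_KEY_FILE:-$HOME/.piv-mgm-key}

# 24 random bytes from the kernel CSPRNG, rendered as 48 uppercase hex digits.
gen_mgm_key() {
    dd if=/dev/urandom bs=1 count=24 2>/dev/null | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# A usable 3DES management key: exactly 48 hex digits and not the factory default.
validate_mgm_key() {
    key=$1
    [ "${#key}" -eq 48 ] || return 1
    case $key in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "$key" != "$DEFAULT_MGM_KEY" ] || return 1
}

# Persist the key in a file readable only by the owner instead of echoing it.
store_mgm_key() {
    key=$1
    file=$2
    ( umask 077; printf '%s\n' "$key" > "$file" )
    chmod 600 "$file"
}

# Apply the stored key to the token. Like the page's command this authenticates
# with the default management key of a fresh device; add -k to be prompted for
# the current key on a device that already has a custom one.
set_mgm_key() {
    key=$(cat "$MGM_KEY_FILE")
    validate_mgm_key "$key" || { echo "refusing to set an invalid or default key" >&2; return 1; }
    yubico-piv-tool -a set-mgm-key -n "$key"
}

# Only touch the token when asked explicitly, so the functions can be sourced.
if [ "${1:-}" = "--apply" ]; then
    new_key=$(gen_mgm_key)
    validate_mgm_key "$new_key" || exit 1
    store_mgm_key "$new_key" "$MGM_KEY_FILE"
    set_mgm_key
fi
```

Run `sh set-mgm-key.sh --apply` once on a freshly reset token; keep the key file with the same care as the PUK, since whoever holds the management key can load keys and certificates into the slots.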
# generate key
gpg --full-gen-key

# edit key
gpg --expert --edit-key {KEYID}

# add a pure authentication subkey: choose (8) RSA (set your own capabilities),
# toggle Sign and Encrypt off and Authenticate on, then Q to finish
addkey
8
A
S
E
Q
4096
0
y
y
quit
y

# Backup
gpg --export-secret-key --armor {KEYID}

# Move the keys onto the card (keytocard):
# primary key -> (1) signature, subkey 1 -> (2) encryption, subkey 2 -> (3) authentication
gpg --expert --edit-key {KEYID}
toggle
keytocard
y
1
key 1
keytocard
2
key 1
key 2
keytocard
3
quit
y

# List keys
gpg --card-status

# Attempt to use an invalid PIN multiple times to block it
yubico-piv-tool -a verify-pin -P 000000
yubico-piv-tool -a verify-pin -P 000000
yubico-piv-tool -a verify-pin -P 000000
yubico-piv-tool -a verify-pin -P 000000
# Attempt to change PUK using an invalid PUK multiple times to block it
yubico-piv-tool -a change-puk -P 000000 -N 000001
yubico-piv-tool -a change-puk -P 000000 -N 000001
yubico-piv-tool -a change-puk -P 000000 -N 000001
yubico-piv-tool -a change-puk -P 000000 -N 000001
Once both the PIN and the PUK are blocked, the PIV applet can be reset; this wipes every key and certificate stored in the PIV slots and restores the default PIN, PUK and management key.

yubico-piv-tool -a reset

Key slot

  • Slot 9a: PIV Authentication (system login)
  • Slot 9c: Digital Signature (signing files and executables)
  • Slot 9d: Key Management (encrypting e-mails or files)
  • Slot 9e: Card Authentication (physical access applications)
  • Slot 82-95: Retired Key Management (previously used Key Management keys, only available on the YubiKey 4)
  • Slot f9: Attestation

Ref