Yubikey - on OpenBSD
Running YubiKey on OpenBSD
Buy a key and give it a try …
    pkg_add yubikey-manager-3.1.2p4
    quirks-6.42 signed on 2023-01-08T01:39:04Z
    yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
    yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
    yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
    yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
    yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
    yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
    yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
    yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
    yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
    yubikey-manager-3.1.2p4:json-c-0.16: ok
    yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
    yubikey-manager-3.1.2p4: ok
    The following new rcscripts were installed: /etc/rc.d/pcscd
    See rcctl(8) for details.
    --- +yubikey-manager-3.1.2p4 -------------------
    NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
    Most of the "ykman fido xxx" commands (pin-setting and others) stall.
PC/SC Smart Card Daemon
    rcctl enable pcscd
    rcctl start pcscd
Now attach your YubiKey to a USB port … and ask dmesg about the latest news ;)
    uhidev1 at uhub0 port 3 configuration 1 interface 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.43 addr 2
    uhidev1: iclass 3/0
    fido0 at uhidev1: input=64, output=64, feature=0
    ugen0 at uhub0 port 3 configuration 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.43 addr 2
    ykman list
    YubiKey 5 [OTP+FIDO+CCID]
ssh-keygen -t ed25519-sk
    ssh-keygen -t ed25519-sk
    Generating public/private ed25519-sk key pair.
    You may need to touch your authenticator to authorize key generation.
    Enter PIN for authenticator:
    You may need to touch your authenticator again to authorize key generation.
    Enter file in which to save the key (/root/.ssh/id_ed25519_sk):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_ed25519_sk
    Your public key has been saved in /root/.ssh/id_ed25519_sk.pub
    The key fingerprint is:
    SHA256:NJQT9WrQ+D3DU2xbF2vFOfBAXKMoelOHxEkP/wb23+w root@myhost
    The key's randomart image is:
    +[ED25519-SK 256]-+
    |        o+++++o=o|
    |       .oo.+*o+o*|
    |        =o.+.B+++|
    |       ..+o+oo=o.|
    |       .So+ * .+ |
    |        ... +..o |
    |                +|
    |        .        |
    |                E|
    +----[SHA256]-----+
Login with SSH key & YubiKey
    root@myhost# ssh -i id_ed25519_sk user@remotehost
    Enter passphrase for key 'id_ed25519_sk':
    Confirm user presence for key ED25519-SK SHA256:NJQT9WrQ+D3DU2xbF2vFOfBAXKMoelOHxEkP/wb23+w
    User presence confirmed   <<<< ***** here you need to press the button on your yubikey *****
    root@yourhost#
Get some information about your key
    ykinfo -a
    serial: 18xxxxxx
    serial_hex: 01xxxxxx
    serial_modhex: cbxxxxxx
    version: 5.4.3
    touch_level: 1285
    programming_sequence: 1
    slot1_status: 1
    slot2_status: 0
    vendor_id: 1050
    product_id: 407
You now have a private/public key pair which physically remains on your hard disk, just as without a YubiKey. But this key does not work without the YubiKey inserted.
As you may imagine, you should NOT lose the YubiKey, as there is no way to back up or restore a lost device. Better, use a backup YubiKey, give it the same permissions, and store the second key in a secure place.
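The backup-key advice above suggests a check worth automating on the server side: which entries in authorized_keys are FIDO-backed (the sk-ssh-ed25519@openssh.com type that ssh-keygen -t ed25519-sk produces) and whether a second token is enrolled. The script below is an added example, not code from the original page; its sample key lines (placeholder blobs, not real keys) and its policy of "at least two sk keys, no software keys" are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: audit an authorized_keys
# file so you can confirm that both the primary and the backup YubiKey are
# enrolled as FIDO-backed ("sk") keys and that no plain software key has
# slipped in alongside them. The sample key lines below are constructed;
# the base64 blobs are placeholders, not real keys.

# Print one line per key: "<status> <key type> <comment>", where status is
# "sk" for a FIDO-backed key (needs the token present) and "soft" otherwise.
audit_authorized_keys() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        # Options such as "no-touch-required" may precede the key type, so
        # walk the fields until one looks like a key type.
        set -- $line
        while [ $# -gt 0 ]; do
            case "$1" in
                sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                    echo "sk $1 ${3:-}"; break ;;
                ssh-*|ecdsa-*)
                    echo "soft $1 ${3:-}"; break ;;
            esac
            shift
        done
    done < "$file"
}

# Number of FIDO-backed keys in the file.
count_sk_keys() {
    audit_authorized_keys "$1" | grep -c '^sk ' || true
}

# Number of software (non-FIDO) keys in the file.
count_soft_keys() {
    audit_authorized_keys "$1" | grep -c '^soft ' || true
}

# Policy (assumed for this example): at least two sk keys (primary + backup
# YubiKey) and no software keys at all.
check_key_policy() {
    [ "$(count_sk_keys "$1")" -ge 2 ] && [ "$(count_soft_keys "$1")" -eq 0 ]
}

# Constructed sample that passes the policy: primary and backup YubiKey.
sample_good() {
    cat <<'EOF'
# primary YubiKey
sk-ssh-ed25519@openssh.com AAAAplaceholderblob1 root@myhost
# backup YubiKey, kept in a safe place
sk-ssh-ed25519@openssh.com AAAAplaceholderblob2 root@myhost-backup
EOF
}

# Constructed sample that fails: two token keys, but a software key as well.
sample_bad() {
    cat <<'EOF'
sk-ssh-ed25519@openssh.com AAAAplaceholderblob1 root@myhost
ssh-ed25519 AAAAplaceholderblob3 laptop-software-key
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholderblob4 test
EOF
}

# Stand-alone usage: audit the file given as first argument, if any.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_authorized_keys "$1"
    check_key_policy "$1" && echo "policy OK" || echo "policy FAILED"
fi
```

Run it as `sh audit_keys.sh ~/.ssh/authorized_keys` on the server side; a "soft" line means a login path that does not require the YubiKey, and fewer than two "sk" lines means a lost token would lock you out.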
Happy SSH !
Any comments?