Properly Clearing the PIV Private Key. Since 'Delete certificate' didn't delete the private key from the YubiKey, re-loading the public key (which can be exported by YubiKey) resulted in a functional PIV interface. I was able to demonstrate two other methods that actually do clear the private key: Method 1: Load a Different Cert. Dec 05, 2017 You can use a Yubikey USB device to securely generate and store your SSH key. This can be used to load your private key on demand, protected by a PIN. Perfect for pair-programming on shared machines! This post is part of a series on using Yubikeys to secure development whilst pair-programming on shared machines. Jun 02, 2019 The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the.
Most security and IT professionals know that passwords are always at risk of being compromised or cracked. Those that seek to solve this problem generally turn to one of three mainstream solutions: One-time password systems such as an RSA SecurID token or the Google Authenticator app, out-of-band authentication via SMS, or the more recently developed Universal 2nd Factor (U2F) protocol. These solutions provide a mechanism to generate or receive a token or credential that an adversary would be unable to intercept or crack. These are all reasonable solutions, depending on the system and the audience that it needs to serve.
Another alternative which has probably been around the longest is the focus of our topic today: Certificate-based authentication. Asymmetric cryptography is the star of the show here, where a private/public key pair are used to validate your identity. Today we'll talk about how to configure certificates for Windows Active Directory Authentication using a YubiKey.
What's a YubiKey?
First things first - a YubiKey is a strong authentication hardware device made by Yubico. The nice thing about them is they support USB interfaces on just about any kind of device, and they also provide a number of strong authentication protocols including FIDO U2F, Smart Card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response (HMAC-SHA1). All this in a device that costs around $50 - very affordable compared to other alternatives! To find out which YubiKey will meet your needs, check out their Product Finder. Active Directory authentication uses a YubiKey's Smart Card (PIV) functionality. For this you will need a YubiKey NEO or YubiKey 4. The less expensive YubiKey Nano does not have smart card functionality (but is great for protecting your Google account!)
Using Smart Cards and Certificates for Authentication in AD
Microsoft support for certificate-based authentication via smart cards in Active Directory is very mature, going back at least to Windows 2003. A smart card is a hardware device that can generate certificates and perform signing and encryption functions. This certificate is composed of a key pair, one private and one public. The private key is stored only on the smart card, and the public key is shared with any system which needs to interact with it such as a domain controller or the recipient of a digitally signed email.
To make all this work for AD authentication, the general principle is that you set up a Certificate Authority (CA) on a Windows server running the Certificate Services role. The CA's job is to create root or intermediate certificates that are trusted by the domain, and to digitally sign other certificates used within the domain. In this case, the CA will sign the certificate that is generated by the YubiKey's smart card function. During the certificate generation and signing process, it will also publish the new public key into the directory. This public key will be associated with the user who set it up and will be used to authenticate the user. Only the private key contained on the YubiKey will match this public key and can be used to authenticate that user.
When using a certificate stored on a smart card, the private key component is protected by a PIN. The user must enter the PIN in order to perform smart card functions such as login or screen unlocks. This PIN protects the smart card from being stolen and also serves to prevent unauthorized software (i.e. malware) from interacting with the smart card directly.
Setting Up Certificate Services
Yubico has a very detailed guide for configuring the Certificate Services to sign Smart Card certificates for authentication. This process involves installing the Certificate Services, setting up a new Certificate Template for Smart Card authentication, and enabling self-enrollment or proxy enrollment capability.
Enrolling YubiKeys
Once you have set up your Certificate Authority with the new Smart Card template for your YubiKeys, you will need to enroll your YubiKey for smart card authentication. This involves using a utility called the YubiKey PIV Manager. For the sake of brevity, here's the link to the guide. One note: When prompted for the name of your certificate template, use the short/concatenated name in case your name contains spaces (i.e. YubiKeyLogon instead of 'YubiKey Logon').
Logging In Using the Smart Card
If all went well during the enrollment process, the PIV manager shows a certificate under the 'Authentication' tab and the certificate has been published to Active Directory. When you insert the YubiKey to your Windows system, Smart Card will be displayed as a login option. Choosing this option will prompt you to enter your smart card PIN. Once you enter your PIN, you will be logged in!
OK, Great - Why Should I Use This?
The truth of the matter is that passwords are awful - no one likes remembering them and changing them, and they are subject to being reused or cracked. Smart card-based certificate authentication isn't prone to these issues and lasts forever (or until the certificate expires!) Of course, deploying smart cards across an entire organization takes careful planning for your use case. My advice is to start with a very targeted deployment for your Enterprise Administrators, Domain Adminstrators, and key members of your IT and Security team. By doing this and disallowing password-based authentication for those users, you will go a long way to frustrating the adversaries trying to compromise your domain!
Yubikey, Smart Cards, OpenSC and GnuPG are pain in the ass to get working. Those snippets here sould help alleviate pain.
![Public Public](https://upload.wikimedia.org/wikipedia/commons/thumb/3/34/Public-Key-Infrastructure.svg/1200px-Public-Key-Infrastructure.svg.png)
To reset and disable not used modes on Yubikey you need the
ykman
programYou can install it using those commands
GnuPG usage only needs CCID mode to be enabled. FIDO mode can also be enabled for WebAuthn
Yubikey OpenPGP applet that is used by GnuPG can be configured with
Make sure that gnupg, pcscd and scdaemon are installed
GnuPG Smart Card stack looks something like this
Now we have to tell scdaemon to use pcsc interface instead of the default direct connect mode.
Under Ubuntu libpcsclite.so is in package called libpcsclite1.
dpkg -L libpcsclite1
command can show the location of the lib.GnuPG Trust Model
Turn on ssh like trust on first use (tofu)
After changing gpg configuration files, it's a good idea to restart gpg-agent.
If everything went well then running following command should show something like this
Debuging
Test if Yubikey is detected
pcsc-tools
package contains pcsc_scan
program that can be used to check that Yubikey is detected.and then run
Now you should see Card inserted and removed events on your terminal when connectingand removing Yubikey.
Restart everything
Smart Card middleware
gpg-agent
Check the logs
Run journalctl in another terminal window and look for scdaemon log lines
If you see sharing violation messages then something else is probably trying to use the yubikey via opensc.Check getting-estonian-id-card-and-gnupg-scdaemon-yubikey-work-together
Switch from OpenSSH ssh-agent to GnuPG as ssh-agent
Temporarily
First get you need to get GnuPG agent-ssh-socket path
That should return something like this
And then you can set that path as SSH_AUTH_SOCK environment variable
After that
ssh-add -l
shoud show your Yubikey.Permanent
Getting Estonian ID card and GnuPG scdaemon Yubikey work together.
Estonian ID card uses opensc project to access private keys on the smart card.Opensc also supports Yubikey and that will create conflicts with GnuPG scdaemon.
To fix it you can just disable Yubikey in opensc.
To make coperation between opensc and scdaemon even better then you have to patch scdaemon touse shared access mode, Arch Linux wiki has a short paragraph about that here https://wiki.archlinux.org/index.php/GnuPG#Shared_access_with_pcscd.
gpg -k
or gpg --list-keys
- List stored public keysgpg -K
or gpg --list-private-keys
- List all stored private keys, #
means private key is unavailable, >
means private key is on a smartcard- Generate 2048bit RSA master key with Certify(Master) and Sign permissions, expire key after 2 years
- Add a 2048bit RSA encryption subkey that expires after 2 years
where
master_key_fingerprint
is a 40 char hex string shown when running gpg -K
man page says that you can use
-e
option to convert private and public keys to other formats, that seems to be wrong. Insteadyou can use -p
option to request changing the password but not actually setting the password.Generate Trusted Private And Public Key For Yubikey Free
Monkeysphere project includes a
pem2openpgp
command that can be used to import ssh private keys to gnupg keyring.The imported key is stored without encryption, add it with those commands:
and then use passwd command and type the same password as your master key
![Generate Trusted Private And Public Key For Yubikey Generate Trusted Private And Public Key For Yubikey](https://www.nitrokey.com/sites/default/files/images/products/NITRO_0014_b.jpg)
After importing you can use normal
gpg --edit-key
command to change parameters on this key. GnuPG 2.1 also allows you to move the imported key to be one of your subkeys for authentication. https://security.stackexchange.com/a/160847Move the key
- Get the imported key keygrip value
gpg --with-keygrip -k
gpg --expert --edit-key <master_key_id>
wheremaster_key_id
is a 40 char hex string shown when runninggpg -K
- type
addkey
- select
(13) Existing key
- Copy and Paste imported ssh key keygrip
- Toggle off all capabilities and enable authenticate capability and finish
- Set key valid time to 2 years with
2y
- Confirm key creation and type your master key password
- Type
save
to save and exit from edit menu
Delete old public ssh key
This key is no longer needed
where
ssh_key_id
is a 40 char hex string shown when running gpg -K
Before moving private keys to yubikey you must make a backup of private keys so that when you lose or break your yubikeyyou could move the same keys to a new yubikey.
Exported keys are encrypted with your master password.
Public Key Definition
Its also a good idea to print your private keys on a paper because files can bitrot and become unusable after some time.
and then use
keytocard
command to move the primary key to card.Then select first sub key with key 1
and then move that to card with keytocard
.Then unselect first key with command key
and then select second subkey with key 2
and then do keytocard
. After that save
and you are done.scdaemon with shared access for ubuntu 18.04https://d.arti.ee/scdaemon_2.2.4-1ubuntu1.2_amd64.deb
Generate Trusted Private And Public Key For Yubikey Iphone
What do ssb and other mean in gpg --list-keys output
Generate Trusted Private And Public Key For Yubikey Mac
#
after sec/ssb means that secret key is unavailable, maybe it was exported and then deletedPublic Key Example
>
after sec/ssb means that secret key is on a smartcard/yubikey