
yubikey


Install (fedora)

$ sudo dnf -y install         \
  yubikey-manager             \
  yubikey-personalization-gui \
  python3-yubikey-manager

#   fedora-packager-yubikey     \
#   pcsc-tools                  \
#   ykclient                    \
#   ykpers                      \
#   yubico-piv-tool             \

Yubikey Manager

List keys:

$ sudo ykman list
YubiKey 5C Nano (5.4.3) [OTP+FIDO+CCID] Serial: 16381159
YubiKey 5 NFC (5.2.4) [OTP+FIDO+CCID] Serial: 12001438

FIDO2 PINs

ykman fido info

[m@x2 ~]$ ykman fido info
PIN is set, with 8 attempt(s) remaining.
  • ykman fido access change-pin
  • ykman fido reset

Reset PIN

$ ykman fido reset
WARNING! This will delete all FIDO credentials, including FIDO U2F credentials, and restore factory settings. Proceed? [y/N]: y
Remove and re-insert your YubiKey to perform the reset...
Touch your YubiKey...

Yubikey and SSH via PAM

  • /etc/ssh/authorized_yubikeys # we're using this file (ansible)
  • .yubico/authorized_yubikeys

$ yubico-piv-tool -a change-pin
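Both files listed above use the line format pam_yubico reads, `login:publicid:publicid...`, where each public id is the first 12 modhex characters of an OTP emitted by the key. The script below, an added example and not part of these notes, derives that id from a pasted OTP and builds the line; the OTP it ships with is a constructed sample, not a real key's output.

```shell
#!/bin/sh
# Added example: build an authorized_yubikeys entry for pam_yubico
# (/etc/ssh/authorized_yubikeys via authfile=, or ~/.yubico/authorized_yubikeys).
# File format:  <login>:<public id>:<public id>...
# A YubiKey OTP is 44 modhex characters; the first 12 are the key's public
# identity (constant per key), the remaining 32 are the one-time part.

# yk_public_id OTP  -> prints the 12-char public identity, returns 1 on bad input
yk_public_id() {
    otp=$1
    [ "${#otp}" -eq 44 ] || return 1
    # reject anything outside the modhex alphabet cbdefghijklnrtuv
    case $otp in
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    printf '%.12s\n' "$otp"
}

# yk_authorized_line USER OTP...  -> prints one authorized_yubikeys line
yk_authorized_line() {
    user=$1; shift
    line=$user
    for otp in "$@"; do
        id=$(yk_public_id "$otp") || return 1
        line="$line:$id"
    done
    printf '%s\n' "$line"
}

# Constructed sample OTP (not from a real key); touch the key to get a real one.
SAMPLE_OTP=ccccccbchvthtlrkhfhbjdnckcrbgtuejcehbtnjrgvh

if [ "${1:-}" = demo ]; then
    yk_authorized_line m "$SAMPLE_OTP"     # -> m:ccccccbchvth
fi
```

Run it as `sh script.sh demo` and append the printed line to whichever authorized_yubikeys file PAM is configured to read; the id check rejects truncated pastes and anything with non-modhex characters, which is the usual cause of a silently unusable entry.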

PIV setup

Using SSH User Certificates with PIV keys

$ cp /usr/lib64/libykcs11.so /usr/local/lib/
$ cp /usr/lib64/libpkcs11.so /usr/local/lib/

$ ssh-add -D
$ ssh-add -e /usr/local/lib/libykcs11.so

FAIL

$ ssh-add -s /usr/local/lib/libykcs11.so
Enter passphrase for PKCS#11: 
^C

From man ssh-agent:

  -P provider_whitelist
      Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator shared libraries that may be used with the -S or -s options to ssh-add(1). Libraries that do not match the whitelist will be refused. See PATTERNS in ssh_config(5) for a description of pattern-list syntax. The default whitelist is “/usr/lib/,/usr/local/lib/”.
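The whitelist is why the copy into /usr/local/lib/ matters: /usr/lib64/ is not under /usr/lib/. The following is an added example, not from these notes or from OpenSSH, that applies ssh pattern-list rules (comma-separated patterns, `*` and `?` wildcards, leading `!` negates) to a provider path. It assumes the default list is `/usr/lib/*,/usr/local/lib/*`, i.e. the man page text above with its `*` wildcards, which appear to have been lost in rendering.

```shell
#!/bin/sh
# Added example: check a PKCS#11 provider path against an ssh-agent provider
# whitelist using ssh pattern-list rules. Not OpenSSH's own code.

# ssh_pattern_list_match STRING LIST -> 0 if STRING is accepted by LIST
ssh_pattern_list_match() {
    str=$1
    list=$2
    result=1
    old_ifs=$IFS
    # disable pathname expansion so '/usr/lib/*' stays a pattern, not a file list
    noglob_was_set=0
    case $- in *f*) noglob_was_set=1 ;; esac
    set -f
    IFS=,
    for pat in $list; do
        neg=0
        case $pat in
            "!"*) neg=1; pat=${pat#!} ;;
        esac
        case $str in
            $pat)
                if [ "$neg" -eq 1 ]; then
                    IFS=$old_ifs
                    [ "$noglob_was_set" -eq 1 ] || set +f
                    return 1        # a negated match rejects immediately
                fi
                result=0            # positive match; keep scanning for negations
                ;;
        esac
    done
    IFS=$old_ifs
    [ "$noglob_was_set" -eq 1 ] || set +f
    return $result
}

# Assumed default (man page value with the '*' wildcards restored).
DEFAULT_PROVIDER_WHITELIST='/usr/lib/*,/usr/local/lib/*'

# provider_allowed PATH [LIST]  -> 0 if ssh-agent would accept PATH
provider_allowed() {
    ssh_pattern_list_match "$1" "${2:-$DEFAULT_PROVIDER_WHITELIST}"
}

# Walk through the two paths from the notes above.
provider_report() {
    for lib in /usr/lib64/libykcs11.so /usr/local/lib/libykcs11.so; do
        if provider_allowed "$lib"; then
            printf '%s: accepted\n' "$lib"
        else
            printf '%s: refused (start ssh-agent with -P, or use a whitelisted path)\n' "$lib"
        fi
    done
}
```

Sourcing the file and calling `provider_report` shows the lib64 path refused and the /usr/local/lib copy accepted; the same function can be pointed at whatever `-P` list the agent was started with.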

Configure System

$ sudo systemctl start pcscd
$ sudo systemctl enable pcscd

Configure Yubikey

Disable the default text when touched

$ ykpersonalize -1 -z
Firmware version 5.2.4 Touch level 773 Program sequence 1

Configuration in slot 1 will be deleted

Commit? (y/n) [n]: y