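--- a/wiki:yubikey	[2023/06/08 09:59] michel
+++ b/wiki:yubikey	[2024/03/01 13:56] (current) michel
@@ -4,44 +4,122 @@
 ===hira====
 <code>
-~/.ssh
-├── authorized_keys
-├── config
-├── hollandpark
-│   ├── id_ed25519
-│   └── id_ed25519.pub
-├── id_ed25519_sk -> michel/id_ed25519_sk_rk_YKc-Michel
-├── id_ed25519_sk.pub -> michel/id_ed25519_sk_rk_YKc-Michel.pub
-├── josephs
-├── known_hosts
-├── known_hosts.old
-├── michel
-│   ├── id_ecdsa_sk-ndc_YKa-Michel
-│   ├── id_ecdsa_sk-ndc_YKa-Michel.pub
-│   ├── id_ed25519-Michel-automation
-│   ├── id_ed25519-Michel-automation.pub
-│   ├── id_ed25519_sk-ndc_YKc-Michel
-│   ├── id_ed25519_sk-ndc_YKc-Michel.pub
-│   ├── id_ed25519_sk-rk_YKc-Michel-automation
-│   ├── id_ed25519_sk-rk_YKc-Michel-automation.pub
-│   ├── id_ed25519_sk_rk_YKc-Michel
-│   └── id_ed25519_sk_rk_YKc-Michel.pub
-├── nsas
-│   ├── id_ecdsa_sk-NSAS
-│   ├── id_ecdsa_sk-NSAS.pub
-│   ├── id_ed25519_sk_rk_YKc_NSAS
-│   └── id_ed25519_sk_rk_YKc_NSAS.pub
-├── old
-│   ├── id_ecdsa_sk
-│   └── id_ecdsa_sk.pub
-├── schraubenscholz
-├── sockets
-│   └── michel@10.0.3.13:22
-├── swissbit
-│   ├── id_ecdsa_sk-swissbit
-│   └── id_ecdsa_sk-swissbit.pub
-└── test
-
-10 directories, 27 files
+.ssh
+|-- authorized_keys
+|-- conf.d
+|   |-- hetzner.conf
+|   |-- hollandpark.conf
+|   |-- nsas.conf
+|   |-- other.conf
+|   `-- swissbit.conf
+|-- config
+|-- id_ecdsa_sk -> keys/old/id_ecdsa_sk
+|-- id_ecdsa_sk-NSAS -> keys/old/id_ecdsa_sk-NSAS
+|-- id_ecdsa_sk-NSAS.pub -> keys/old/id_ecdsa_sk-NSAS.pub
+|-- id_ecdsa_sk-swissbit -> keys/old/id_ecdsa_sk-swissbit
+|-- id_ecdsa_sk-swissbit.pub -> keys/old/id_ecdsa_sk-swissbit.pub
+|-- id_ecdsa_sk.pub -> keys/old/id_ecdsa_sk.pub
+|-- id_ed25519 -> keys/michel/id_ed25519-Michel-automation
+|-- id_ed25519.pub -> keys/michel/id_ed25519-Michel-automation.pub
+|-- id_ed25519_nsas -> keys/old/id_ed25519_nsas
+|-- id_ed25519_nsas.pub -> keys/old/id_ed25519_nsas.pub
+|-- id_ed25519_sk -> keys/michel/id_ed25519_sk_rk_YKc-Michel
+|-- id_ed25519_sk.pub -> keys/michel/id_ed25519_sk_rk_YKc-Michel.pub
+|-- id_rsa -> keys/michel/id_rsa_Michel-fallback
+|-- id_rsa.pub -> keys/michel/id_rsa_Michel-fallback.pub
+|-- keys
+|   |-- hollandpark
+|     |-- id_ed25519
+|     |-- id_ed25519.pub
+|     |-- id_ed25519_sk-YKc-Automation-Hollandpark
+|     `-- id_ed25519_sk-YKc-Automation-Hollandpark.pub
+|   |-- josephs
+|     |-- id_ed25519_sk-YKc-Automation-Josepfs
+|     `-- id_ed25519_sk-YKc-Automation-Josepfs.pub
+|   |-- michel
+|     |-- id_ecdsa_sk-ndc_YKa-Michel
+|     |-- id_ecdsa_sk-ndc_YKa-Michel.pub
+|     |-- id_ed25519-Michel-automation
+|     |-- id_ed25519-Michel-automation.pub
+|     |-- id_ed25519_sk-ndc_YKc-Michel
+|     |-- id_ed25519_sk-ndc_YKc-Michel.pub
+|     |-- id_ed25519_sk-rk_YKc-Michel-automation
+|     |-- id_ed25519_sk-rk_YKc-Michel-automation.pub
+|     |-- id_ed25519_sk_rk_YKc-Michel
+|     |-- id_ed25519_sk_rk_YKc-Michel.pub
+|     |-- id_rsa_Michel-fallback
+|     `-- id_rsa_Michel-fallback.pub
+|   |-- nsas
+|     |-- id_ecdsa_sk-NSAS
+|     |-- id_ecdsa_sk-NSAS.pub
+|     |-- id_ed25519_sk_rk_YKc_NSAS
+|     `-- id_ed25519_sk_rk_YKc_NSAS.pub
+|   |-- old
+|     |-- id_ecdsa_sk
+|     |-- id_ecdsa_sk-NSAS
+|     |-- id_ecdsa_sk-NSAS.pub
+|     |-- id_ecdsa_sk-swissbit
+|     |-- id_ecdsa_sk-swissbit.pub
+|     |-- id_ecdsa_sk.pub
+|     |-- id_ed25519
+|     |-- id_ed25519.pub
+|     |-- id_ed25519_nsas
+|     `-- id_ed25519_nsas.pub
+|   |-- schraubenscholz
+|     |-- id_ed25519_sk-YKc-Automation-Scholz
+|     `-- id_ed25519_sk-YKc-Automation-Scholz.pub
+|   |-- swissbit
+|     |-- id_ecdsa_sk-swissbit
+|     `-- id_ecdsa_sk-swissbit.pub
+|   `-- xecuro
+|       |-- id_ed25519_sk_rk_YKc-xecuro
+|       `-- id_ed25519_sk_rk_YKc-xecuro.pub
+|-- known_hosts
+|-- known_hosts.old
+|-- old
+|   |-- known_hosts
+|   `-- known_hosts.old
+|-- scripts
+|   `-- sshfpgen
+|-- sockets
+`-- test
 </code>
+
+<file plain ~/.ssh/config>
+#=======================================================================
+# Global
+#=======================================================================
+include ~/.ssh/conf.d/nsas.conf
+include ~/.ssh/conf.d/hetzner.conf
+include ~/.ssh/conf.d/hollandpark.conf
+include ~/.ssh/conf.d/swissbit.conf
+include ~/.ssh/conf.d/other.conf
+#=======================================================================
+# Global
+#=======================================================================
+Host *
+    LogLevel QUIET
+    ControlMaster auto
+    ControlPath ~/.ssh/sockets/%r@%h:%p # automatically add ssh keys to running ssh agent (mkdir -p ~/.ssh/sockets)
+    ControlPersist yes # keep connections open indefinitely, even after logging out
+    ForwardAgent yes        # ssh -A host # on the command line
+    VerifyHostKeyDNS no # Specifies whether to verify the remote key using DNS and SSHFP
+    AddKeysToAgent yes
+    TCPKeepAlive yes
+    Compression yes
+    StrictHostKeyChecking no
+    VersionAddendum none
+    UpdateHostKeys yes
+    # IdentitiesOnly yes
+    PreferredAuthentications publickey,password
+    # HostKeyAlgorithms +ssh-rsa
+    # PubkeyAcceptedKeyTypes +ssh-rsa
+    # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
+    HashKnownHosts yes
+    # Host keys the client accepts - order here is honored by OpenSSH
+    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
+    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+</file>
 
 ===Generating key with a yubikey===
@@ -56,12 +134,23 @@
 <code>ssh-keygen -t ed25519-sk -O resident -O application=ssh:YKc-Automation-Michel -O user=michel -O no-touch-required -C "Michel Pelzer (Automation)- mp@nsas.de"</code>
 This key requires the presens of the Yubikey, but does not need to be touched. (authorized_keys) need the __no-touch-required__ in front of the public key.
+
+<file plain ~/.ssh/authorized_keys></file>
 
 <file plain ~/.ssh/authorized_keys>
-no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEawzv7L8w9eetH03oc8XHuc02gX/MCmr3sUDHH8opKVAAAAGXNzaDpZS2MtQXV0b21hdGlvbi1NaWNoZWw=
+# Michel
+no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEawzv7L8w9eetH03oc8XHuc02gX/MCmr3sUDHH8opKVAAAAGXNzaDpZS2MtQXV0b21hdGlvbi1NaWNoZWw= Michel Pelzer (Automation)- mp@nsas.de
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEvFa/NonVUOvoRRsx151bAJxjgckXC3sLqUb/kdQP9TAAAADnNzaDpZS2MtTWljaGVs Michel Pelzer - mp@nsas.de
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ2Za0UMRtm+LwEGEmug1QNoBEoV/0xDmCRpAXqsqNfXAAAADnNzaDpZS2MtTWljaGVs Michel Pelzer - mp@nsas.de
+# NSAS
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDp7SK9FxZJUQW+jz2ciChN7SwT6SdmovhLUlBLzhIkRAAAADHNzaDpZS2MtTlNBUw== NSAS - Network System Access Solutions
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPneb67QG6/Z2BdcCBvZgiXVejD4ZGAAxgEoCx2aSbbegqSj1rSW9m2jkdRnwrQix//JfblvLOG/pXXQZJzPkHcAAAAEc3NoOg== NSAS-U2F
 </file>
 
+=== Hollandpark ===
 <file plain ~/.ssh/authorized_keys>
-no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEawzv7L8w9eetH03oc8XHuc02gX/MCmr3sUDHH8opKVAAAAGXNzaDpZS2MtQXV0b21hdGlvbi1NaWNoZWw=
+no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPqR3iKb9jw9IGHXXFBSPhgVVTy4tUYaQcdYmSFXjuPSAAAAFnNzaDphdXRvbWF0aW9uLm5zYXMuZGU= Michel
+no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILgcVrlj1obmOQVHS29DlJttRuKovDbyjzeWjPBgtd0pAAAAEnNzaDpZS2MtS29lbmlnLW5kYw== Danny
+no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJtU9G6KM0eWrNBdzuCoFyhPMRsdXHwIzbLyqQIMLwtnAAAAEHNzaDpZS2MtYmFuay1uZGM= Bank
+no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIkqDyKEdyAFTL6M9J8/xjMn6MqUzxuw3r7y79Q8DMGHAAAAEHNzaDpZS2MtVGhlby1uZGMTheo
 </file>
+
 
 ===Listing key on a Yubikey===
@@ -76,3 +167,7 @@
 List <code>ykman --reader yubico oath accounts</code>
 Add <code>ykman --reader yubico oath accounts add "NAME"</code>
+
+===FIDO2===
+Set Pin<code>ykman fido access change-pin --new-pin 511111</code>
+Change Pin <code>ykman fido access change-pin --pin 123456 --new-pin 511111</code>
 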
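Review bot: `StrictHostKeyChecking no` under `Host *` in the new ~/.ssh/config (first hunk, "Line 4") downgrades an unknown or changed host key to a warning, and with `VerifyHostKeyDNS no` alongside it nothing in this file actually refuses a connection to a host presenting the wrong key; `StrictHostKeyChecking accept-new` keeps the first-contact convenience while rejecting a key that differs from known_hosts. `ForwardAgent yes` at `Host *` makes the agent, including the `no-touch-required` resident keys documented further down, reachable from every server connected to, so it belongs on the individual hosts in the conf.d files rather than the global block. The comment on `ControlPath` describes what `AddKeysToAgent` does, not connection multiplexing; `# reuse one connection per user@host:port (mkdir -p ~/.ssh/sockets)` would match the option. In the second hunk ("Line 56") the last Hollandpark entry ends in `uZGMTheo`, which looks like a lost `= ` between the key material and its comment and would presumably make sshd skip that line, and the empty `<file plain ~/.ssh/authorized_keys></file>` added just above the first block reads like a leftover.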