
Privileged Access (Yubikeys)

Privileged access using YubiKeys

yubico-piv-tool is needed to set up your YubiKey initially. It is packaged by most Linux distributions (on RHEL systems it is in EPEL), or you can download it from the link below.

https://developers.yubico.com/yubico-piv-tool/Releases/

1. **Change PIN**

The PIN must be 6 to 8 characters long and may contain any alphanumeric characters.

The default PIN code is 123456. **It is important that the default PIN code is changed.**

yubico-piv-tool -a change-pin

2. **Change PUK**

The PUK must be 6 to 8 characters long and may contain any alphanumeric characters.

The default PUK code is 12345678. **It is important that the default PUK code is changed.**

yubico-piv-tool -a change-puk

3. **Change Management Key**

The default management key is 010203040506070801020304050607080102030405060708.

Generate a random 24-byte (48 hex digit) key and set it on the device. Passing -k without a value makes the tool prompt for the current management key (still the default at this point); -n supplies the new one. Record the printed key in a safe place: it is required for every later key-management operation on the device, including step 4.

key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -1)
echo ${key}
yubico-piv-tool -a set-mgm-key -k -n "${key}"

4. **Generate Keys**

This generates an RSA 2048 key in slot 9a (PIV Authentication), self-signs a certificate for it valid for 3650 days, and imports that certificate into the slot. You will be prompted for the management key from step 3 (-k) and for the PIN (verify-pin). With --pin-policy=once the PIN is requested once per session rather than on every use of the key. The private key is generated on the device and never leaves it.

yubico-piv-tool -a generate -a verify-pin -a selfsign -a import-certificate -s 9a -k -A RSA2048 --valid-days=3650 -S "/CN=piv_auth/OU=yubikey/O=bnl.gov/" --pin-policy="once"

5. **Export SSH public key**

yubico-piv-tool --action=read-certificate --slot=9a --key-format=SSH

6. **Export Attestation Certificate**

yubico-piv-tool --action=attest --slot=9a

7. **Export Signing Certificate**

yubico-piv-tool --action=read-certificate --slot=f9

**Please send the output of steps 5, 6 and 7 to the gateway admins.**
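As an added example (not part of this page's procedure), the checks a gateway admin can run on the material from steps 5, 6 and 7 before authorising the key: the attestation from step 6 must chain through the slot f9 certificate from step 7 to the Yubico PIV root CA, and the public key it attests must be the SSH key from step 5. It assumes openssl and ssh-keygen are installed and that the Yubico PIV root CA certificate has been obtained from Yubico as a PEM file; the function name and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: what a gateway admin checks
# on the material from steps 5, 6 and 7 before trusting a submitted key.
# Assumes openssl and ssh-keygen are installed and that the Yubico PIV root
# CA certificate (the trust anchor, obtained from Yubico) is available as PEM.
set -eu

# verify_yubikey_attestation ROOT.pem F9.pem ATTEST.pem KEY.pub
#   ROOT.pem    Yubico PIV root CA (held by the admin, not sent by the user)
#   F9.pem      step 7 output: the device's attestation signing cert (slot f9)
#   ATTEST.pem  step 6 output: attestation of the key generated in slot 9a
#   KEY.pub     step 5 output: SSH public key read from slot 9a
# Returns 0 only if the attestation chains to the root AND the attested
# public key is exactly the SSH key being authorised.
verify_yubikey_attestation() {
    root=$1; f9=$2; attest=$3; sshpub=$4
    tmp=$(mktemp -d)

    # 1. Chain check: root -> slot f9 certificate -> attestation certificate.
    #    The self-signed 9a certificate from step 4 proves nothing on its own;
    #    only this chain shows the key was generated on a genuine YubiKey.
    if ! openssl verify -CAfile "$root" -untrusted "$f9" "$attest" >/dev/null 2>&1; then
        echo "REJECT: attestation does not chain to the Yubico PIV root" >&2
        rm -rf "$tmp"; return 1
    fi

    # 2. Binding check: the public key inside the attestation must be the key
    #    in the submitted SSH line, otherwise the attestation covers a
    #    different key than the one about to be authorised.
    openssl x509 -in "$attest" -noout -pubkey > "$tmp/attested.pem"
    attested=$(ssh-keygen -i -m PKCS8 -f "$tmp/attested.pem" | awk '{print $1" "$2}')
    submitted=$(awk '{print $1" "$2}' "$sshpub")
    rm -rf "$tmp"
    if [ "$attested" != "$submitted" ]; then
        echo "REJECT: SSH key does not match the attested key" >&2
        return 1
    fi
    echo "OK: key is attested as generated on the YubiKey and matches the SSH key"
}

# Usage: verify_yubikey_attestation piv-root.pem f9.pem attest.pem user.pub
```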

To Authenticate

**On Unix-based systems:**

Authenticate to the target system using the new key, where XXX is the directory containing the libykcs11.so PKCS#11 module shipped with yubico-piv-tool:

ssh -I XXX/libykcs11.so user@remote.example.com

This can also be set up to work with ssh-agent:

ssh-add -s XXX/libykcs11.so

**On Windows systems, use the PuTTY-CAC binaries from the link below.**

https://github.com/NoMoreFood/putty-cac/tree/master/binaries

PuTTY -> Connection -> SSH -> Certificate -> Set CAPI Cert

Useful links

https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

https://developers.yubico.com/PIV/Introduction/Admin_access.html