Frequently Asked Question
You will need...
1. A Machine with Ubuntu 18.04 LTS
2. A 5th gen Yubikey
Step 1. Install the OpenSC agent
sudo apt-get install opensc
Step 2. Add the repository for the Yubico Software
sudo apt-add-repository ppa:yubico/stable
Step 3. Install the PIV tool which we will later use to provision the Yubikey
sudo apt-get install yubico-piv-tool
Step 4. Use the PIV tool to change the PIN from the default '123456' to a PIN of your choice. PINs are not limited to numbers. You can use a secure password to increase security.
yubico-piv-tool -a change-pin -P 123456 -N TheNewPinHere
Step 5. Generate a key pair in slot 9a. The private key stays on the Yubikey and the public key is written to public.pem
yubico-piv-tool -s 9a -a generate --touch-policy=always -o public.pem
Step 6. Self-sign the certificate, using the PIN you set in Step 4
yubico-piv-tool -a verify-pin -P TheNewPinHere -a selfsign-certificate -s 9a \
-S "/CN=SSH key/" -i public.pem -o cert.pem
Touch the Yubikey after running this command: the touch policy set in Step 5 requires a touch before the key is released for signing.
Step 7. Import the self-signed certificate
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
Step 8. Display the SSH Public key to be stored in the authorized_keys file on remote servers
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
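A follow-up check for Step 8, added here as an example and not part of the original page: once the key is installed on a server, confirm that the token key is in authorized_keys and that no other (software) key is still accepted, since a leftover key bypasses the PIN and touch requirement. The function name audit_authorized_keys and all sample keys are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: sample keys are constructed placeholders, not real key material.

# audit_authorized_keys TOKEN_KEYS AUTHORIZED_KEYS
# TOKEN_KEYS is saved `ssh-keygen -D <pkcs11 module>` output. Prints
# "TOKEN <line>" or "OTHER <line>" for each authorized_keys entry and returns 0
# only when a token key is authorized and no other key remains.
audit_authorized_keys() {
    awk '
        # Return "type blob", skipping leading options and trailing comments.
        function key(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^AAAA/)
                    return $i " " $(i + 1)
            return ""
        }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { k = key(); if (k == "") next }        # not a key line
        FNR == NR    { token[k] = 1; next }     # first file: keys on the token
        (k in token) { print "TOKEN", FNR; found = 1; next }
        { print "OTHER", FNR; other = 1 }
        END { exit !(found && !other) }
    ' "$1" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-in for the Step 8 output.
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDTOKENKEY PIV AUTH pubkey' \
        > "$d/token.pub"
    # Constructed authorized_keys: the token key plus a leftover software key.
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample
no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDTOKENKEY yubikey-9a
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDSOFTWAREKEY old-laptop
EOF
    audit_authorized_keys "$d/token.pub" "$d/authorized_keys"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "authorized_keys still accepts a key that is not on the token"
```

To use it for real, save the Step 8 output to a file and pass it together with a copy of the server's authorized_keys.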
****
sudo apt-get install opensc
sudo apt-add-repository ppa:yubico/stable
sudo apt-get install yubico-piv-tool
yubico-piv-tool -s 9a -a generate -o public.pem
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
-S "/CN=SSH key/" -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
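# Directory holding opensc-pkcs11.so (Ubuntu 64-bit path shown)
OPENSC_LIBS=/usr/lib/x86_64-linux-gnu
ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so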
ssh -I $OPENSC_LIBS/opensc-pkcs11.so user@remote.example.com
****
How to Delete a certificate from a slot
yubico-piv-tool -a verify-pin -P 123456 -a delete-certificate -s 9c
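How to change the PIN
yubico-piv-tool -a change-pin -P 123456 -N TheNewPinHere
How to change the PUK
yubico-piv-tool -a change-puk -P 12345678 -N TheNewPukHere
Or, instead of passing -I to ssh on every connection, set the PKCS#11 provider in the SSH client configuration:
sudo vi /etc/ssh/ssh_config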
#For Ubuntu
PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#Get Key
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#For Ubuntu 32bit
PKCS11Provider /usr/lib/i386-linux-gnu/opensc-pkcs11.so
#For Arch
PKCS11Provider /usr/lib/opensc-pkcs11.so
#For Fedora
PKCS11Provider /usr/lib64/opensc-pkcs11.so
#### To Generate with touch policy on
yubico-piv-tool -s 9a -a generate --touch-policy=always -o public.pem
#### Change Number of retries
yubico-piv-tool -averify -P 123456 -apin-retries --pin-retries=30 --puk-retries=3
#### Change PIN Using the PUK
ykman piv unblock-pin -p 12345678 -n NewPinHere