Frequently Asked Question

How to Set Up a Yubikey for SSH on Linux
Last Updated 2 years ago

You will need...
1. A Machine with Ubuntu 18.04 LTS
2. A 5th gen Yubikey

Step 1. Install the OpenSC agent

sudo apt-get install opensc


Step 2. Add the repository for the Yubico Software

sudo apt-add-repository ppa:yubico/stable


Step 3. Install the PIV tool which we will later use to provision the Yubikey

sudo apt-get install yubico-piv-tool


Step 4. Use the PIV tool to change the PIN from the default '123456' to a PIN of your choice. PINs are not limited to numbers; you can use a secure password to increase security.

yubico-piv-tool -a change-pin -P 123456 -N TheNewPinHere


Step 5. Generate a key pair in slot 9a (the public key is written to public.pem)

yubico-piv-tool -s 9a -a generate --touch-policy=always -o public.pem


Step 6. Self-sign the certificate

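yubico-piv-tool -a verify-pin -P TheNewPinHere -a selfsign-certificate -s 9a \
-S "/CN=SSH key/" -i public.pem -o cert.pem

Use the PIN you set in Step 4; the default '123456' no longer works once it has been changed.

Ensure you touch the Yubikey after running this command to release the key for signing (the touch policy set in Step 5 requires it).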

Step 7. Import the self-signed certificate

yubico-piv-tool -a import-certificate -s 9a -i cert.pem


Step 8. Display the SSH Public key to be stored in the authorized_keys file on remote servers

ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so




****
sudo apt-get install opensc

sudo apt-add-repository ppa:yubico/stable

sudo apt-get install yubico-piv-tool

yubico-piv-tool -s 9a -a generate -o public.pem

yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
-S "/CN=SSH key/" -i public.pem -o cert.pem

yubico-piv-tool -a import-certificate -s 9a -i cert.pem

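# OPENSC_LIBS is the directory that contains opensc-pkcs11.so (on 64-bit Ubuntu: /usr/lib/x86_64-linux-gnu)
ssh-keygen -D "$OPENSC_LIBS/opensc-pkcs11.so"

# Connect using the key on the Yubikey
ssh -I "$OPENSC_LIBS/opensc-pkcs11.so" user@remote.example.com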

****



How to Delete a certificate from a slot
yubico-piv-tool -a verify-pin -P 123456 -a delete-certificate -s 9c

How to change the PIN
yubico-piv-tool -a change-pin -P 123456 -N TheNewPinHere


How to change the PUK
yubico-piv-tool -a change-puk -P 12345678 -N TheNewPukHere


OR, instead of passing -I on every connection, set the provider in the SSH client configuration:

sudo vi /etc/ssh/ssh_config

#For Ubuntu
PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

#Get Key

ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so



#For Ubuntu 32bit

PKCS11Provider /usr/lib/i386-linux-gnu/opensc-pkcs11.so



#For Arch

PKCS11Provider /usr/lib/opensc-pkcs11.so

#For Fedora

PKCS11Provider /usr/lib64/opensc-pkcs11.so
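
An added example (not part of the original page) that resolves the $OPENSC_LIBS directory used in the commands above from the per-distribution locations listed here. It skips a module that is group- or world-writable, because ssh loads the provider as a shared library. OPENSC_ROOT and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find opensc-pkcs11.so in the directories this page lists.
# OPENSC_ROOT is a hypothetical prefix, used only to test against a scratch tree.

# Ubuntu 64-bit, Ubuntu 32-bit, Fedora, Arch (in that order of preference).
OPENSC_DIRS="/usr/lib/x86_64-linux-gnu /usr/lib/i386-linux-gnu /usr/lib64 /usr/lib"

module_is_safe() {
    # True when neither group nor others can write the file (-L follows symlinks).
    [ -z "$(find -L "$1" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

find_opensc_libs() {
    root="${OPENSC_ROOT:-}"
    for dir in $OPENSC_DIRS; do
        module="$root$dir/opensc-pkcs11.so"
        [ -f "$module" ] || continue
        if module_is_safe "$module"; then
            printf '%s\n' "$root$dir"
            return 0
        fi
        echo "skipping $module: writable by group or others" >&2
    done
    return 1
}

# Print the ssh_config line for the module that was found.
pkcs11_provider_line() {
    libs=$(find_opensc_libs) || return 1
    printf 'PKCS11Provider %s/opensc-pkcs11.so\n' "$libs"
}

if OPENSC_LIBS=$(find_opensc_libs); then
    export OPENSC_LIBS
    echo "OPENSC_LIBS=$OPENSC_LIBS"
    echo "List the key with: ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so"
else
    echo "no usable opensc-pkcs11.so found; is opensc installed?" >&2
fi
```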


#### To Generate with touch policy on

yubico-piv-tool -s 9a -a generate --touch-policy=always -o public.pem

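#### Change Number of retries
yubico-piv-tool -a verify-pin -P 123456 -a pin-retries --pin-retries=30 --puk-retries=3

Note: changing the retry counters resets the PIN and PUK to their defaults, so set them again afterwards.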

#### Change Pin Using the Puk

ykman piv unblock-pin -p 12345678 -n NewPinHere
