...
- Yubikey Smartcard Setup via Windows CA-issued Certificate (Yubikey Manager) - ITS Operations - RIT Wiki
OR - Yubikey Smartcard Setup via Self-Signed Certificate (Yubikey Manager)
Certificate should be attested and pushed to intended servers via Yubikey Attestation Verification - Linux
OpenSC packages and/or libraries
Code Block
<insert package manager> install opensc
Setup
Install Software
...
Setup
Install Software
Once a smartcard has been set up and configured:
Install the OpenSC package for your distribution.
Example for Fedora:
Code Block
$ dnf -y install opensc
Note: dnf is specific to Fedora and RHEL derivatives. Your package manager may differ (apt, pacman, pkg, etc.).
Usage
OpenSC
After the OpenSC software is installed, you will need the full path to its PKCS#11 module, opensc-pkcs11.so. This will usually be in one of the following directories:
Code Block
/usr/local/lib
/usr/local/lib64
/usr/lib
/usr/lib64
- Most OSes will already have some form of ssh-agent running. If not, start ssh-agent.
Add the key on your smartcard to ssh-agent by pointing ssh-add -s at the module. It will prompt you for your PIN (the private key never leaves the card; the agent only asks the card to sign):
Code Block
$ ssh-add -s /usr/lib64/opensc-pkcs11.so
Enter passphrase for PKCS#11:
When successful, you will see the following message and can verify with the following command(s):
Code Block
Card added: /usr/lib64/opensc-pkcs11.so
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1tm0mikWaHIfhb055vy3cYIl9azAqWVKjoAAouBsU61FgJ+edt7RinkY6GTPZf07pATlLzYY3+FOQIh5MRkAhmMp2fi0/YZgFmMBKkGy84OFLvmczp+lb8b/LPIu2qLVaCumoksdDNT8z29e99PZMh0XhXzSh+cIWujGn4gEFFjlJn03OWxs7IRBaBz32uLCfV6wQeZtPWQiodvhNo39GK/XXrPIbiRbC2NEfCUxSo+493TKIISORLYAibLdlKPVIHHU9+1ZknbOeFXpMADi0z4LYhrRN9BRfdFfheInMQlVk2hqUD9SMWWgMkIiiK/y1IsBVqjkfiDe8AVbmDDvd /usr/lib64/opensc-pkcs11.so
$ ssh-add -l
2048 SHA256:MSOJ3pXOzF1eLmAwvII7VSNzCJNGq2viE4kwFyUQQHM /usr/lib64/opensc-pkcs11.so (RSA)
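The locate-module and load-into-agent steps above, as one idempotent script. This is an added example and not part of the RIT wiki page: the function names, the OPENSC_SEARCH_DIRS variable and the extra Debian/Ubuntu multiarch directories are assumptions; the four directories from the page are searched first.

```shell
#!/bin/sh
# Added example (not from the wiki page): find opensc-pkcs11.so, load the
# smartcard key into ssh-agent, and confirm the agent lists it.
# Assumes OpenSC is installed and an ssh-agent is reachable via SSH_AUTH_SOCK.

# Directories named on the page, followed by Debian/Ubuntu multiarch and
# pkcs11 subdirectories (an assumption added here). Override via environment.
OPENSC_SEARCH_DIRS="${OPENSC_SEARCH_DIRS:-/usr/local/lib /usr/local/lib64 /usr/lib /usr/lib64 /usr/lib/x86_64-linux-gnu /usr/lib64/pkcs11 /usr/lib/pkcs11}"

# locate_pkcs11_module [filename]
# Prints the first existing "$dir/$filename" from OPENSC_SEARCH_DIRS; rc 1 if none.
locate_pkcs11_module() {
    name="${1:-opensc-pkcs11.so}"
    for d in $OPENSC_SEARCH_DIRS; do
        if [ -f "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# agent_has_module <module-path>
# rc 0 if `ssh-add -l` already lists an identity served by that module
# (the module path is the comment field, as in the page's output).
agent_has_module() {
    ssh-add -l 2>/dev/null | grep -F -q -- "$1"
}

# load_card_into_agent
# Loads the card once; prompts for the PIN only when the key is not yet in the
# agent, so re-running does not hit ssh-agent's refusal to re-add a provider
# whose keys it already holds.
load_card_into_agent() {
    mod="$(locate_pkcs11_module)" || {
        echo "opensc-pkcs11.so not found in: $OPENSC_SEARCH_DIRS" >&2
        return 1
    }
    [ -n "${SSH_AUTH_SOCK:-}" ] || {
        echo "no ssh-agent reachable (SSH_AUTH_SOCK unset); run: eval \"\$(ssh-agent -s)\"" >&2
        return 1
    }
    if agent_has_module "$mod"; then
        echo "card already loaded: $mod"
        return 0
    fi
    ssh-add -s "$mod" || return 1      # prompts: Enter passphrase for PKCS#11:
    agent_has_module "$mod"            # rc 0 only if the key is now listed
}

# Usage: . ./load-card.sh && load_card_into_agent
```

The script never calls ssh-add at top level, so it can be sourced from a shell profile and invoked on demand; locate_pkcs11_module is pure and can be tested against any directory list.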
Note (OpenSSH 8.0p1):
-L Lists public key parameters of all identities currently represented by the agent.
-l Lists fingerprints of all identities currently represented by the agent.
To use the key from a remote host, forward the agent connection to it with the -A switch of the ssh command. The remote host then sends signing requests back to your local agent (and on to the card); no key material is copied to the remote host.
Once logged in, run ssh-add -l on the remote host to verify it can see your key through the forwarded agent:
Code Block
$ ssh -A mgmt.rit.edu
(mgmt)$ ssh-add -l
2048 SHA256:MSOJ3pXOzF1eLmAwvII7VSNzCJNGq2viE4kwFyUQQHM /usr/lib64/opensc-pkcs11.so (RSA)
Note (OpenSSH 8.0p1):
-A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent; however, they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. Forward the agent only to hosts you trust and that actually need it; if you only need to pass through a bastion, ssh -J (ProxyJump) reaches the final host without forwarding the agent at all.
OR
Another option is to set ForwardAgent in your local ssh config, ~/.ssh/config. The wildcard form below forwards your agent to every host you connect to, which the caution above argues against; restrict the Host pattern to the host(s) that need it:
Code Block
Host *
    ForwardAgent yes
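A restricted form of that config, with ForwardAgent enabled only for mgmt.rit.edu (the host used above) and explicitly off for everything else, plus a check that uses ssh -G (which prints the client configuration ssh would apply to a given host, without connecting) to confirm which hosts would get the agent. This is an added example, not the wiki page's own config; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): per-host agent forwarding and a
# check of the effective setting. Assumes an OpenSSH client is installed.

# write_ssh_config <path>
# Writes a client config that forwards the agent to mgmt.rit.edu only.
write_ssh_config() {
    cat >"$1" <<'EOF'
# Forward the agent only to the host that needs it (mgmt.rit.edu)
Host mgmt.rit.edu
    ForwardAgent yes

# Everything else: no forwarding (also OpenSSH's default, stated for clarity)
Host *
    ForwardAgent no
EOF
}

# forward_agent_enabled <config-path> <host>
# rc 0 if, under that config, ssh would forward the agent to <host>.
# `ssh -G` evaluates Host/Match blocks and prints the effective options,
# one lowercase "keyword value" per line, then exits without connecting.
forward_agent_enabled() {
    ssh -G -F "$1" "$2" 2>/dev/null | grep -q -i '^forwardagent yes'
}

# Usage:
#   write_ssh_config ~/.ssh/config.example
#   forward_agent_enabled ~/.ssh/config.example mgmt.rit.edu && echo "forwarded to mgmt"
#   forward_agent_enabled ~/.ssh/config.example other.example.org || echo "not forwarded elsewhere"
```

Running the check against your real ~/.ssh/config (ssh -G is also fine without -F) is a quick way to audit whether a stale Host * entry is still forwarding your agent everywhere.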