Yubikey - on OpenBSD

Page content

Running YubiKey on OpenBSD

buy a Key and give try …

Source

https://www.yubico.com/

Install Software

pkg_add yubikey-manager-3.1.2p4
pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.

PC/SC Smart Card Daemon

rcctl enable pcscd
rcclt start pcscd

Attack Key

you have to Attack your Yubikey via USB Port … … and ask dmesg about the latest news ;)

dmesg
uhidev1 at uhub0 port 3 configuration 1 interface 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.43 addr 2
uhidev1: iclass 3/0
fido0 at uhidev1: input=64, output=64, feature=0
ugen0 at uhub0 port 3 configuration 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.43 addr 2

List Keys

ykman list 
ykman list 
YubiKey 5 [OTP+FIDO+CCID]

Genereate Key

ssh-keygen -t ed25519-sk
ssh-keygen -t ed25519-sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
You may need to touch your authenticator again to authorize key generation.
Enter file in which to save the key (/root/.ssh/id_ed25519_sk): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ed25519_sk
Your public key has been saved in /root/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:NJQT9WrQ+D3DU2xbF2vFOfBAXKMoelOHxEkP/wb23+w [email protected]
The key's randomart image is:
+[ED25519-SK 256]-+
|        o+++++o=o|
|       .oo.+*o+o*|
|        =o.+.B+++|
|       ..+o+oo=o.|
|       .So+ * .+ |
|        ...  +..o|
|                +|
|               . |
|                E|
+----[SHA256]-----+

Login with ssh-key & yubikey

[email protected]# ssh -i id_ed25519_sk [email protected]
Enter passphrase for key 'id_ed25519_sk': 
Confirm user presence for key ED25519-SK SHA256:NJQT9WrQ+D3DU2xbF2vFOfBAXKMoelOHxEkP/wb23+w

User presence confirmed     <<<< ***** here you need to press the button on your yubikey *****

[email protected]#

ykinfo

get some Information about your Key

ykinfo -a 
ykinfo -a 
serial: 18xxxxxx
serial_hex: 01xxxxxx
serial_modhex: cbxxxxxx
version: 5.4.3
touch_level: 1285
programming_sequence: 1
slot1_status: 1
slot2_status: 0
vendor_id: 1050
product_id: 407

Summary

You have now a private/public Keypair which physically remains on your Harddisk, same as without YubiKey. But his Key does not work without the Yubikey inserted.

As you may can imagine, you should NOT loose the Yubikey, as there is no possibility to Backup/Restore a lost Device. Better, you use a Backup Yubikey, give them the same Persmission, and store the 2nd Key on a Secure Place.

Happy SSH !

sha256: 3cb3e1b71698b03eea9e2951146d49a938366a971a33093022d6c72d1e27f724