Yubikey NEO: OSX ssh smart card authentication

Hardware

YubiKey NEO
Only the NEO has the smart card functionality right now.

enable CCID

install YubiKey NEO Manager
run the YubiKey NEO Manager
change connection mode
set OTP + CCID
unplug yubikey and plug it back in

create key

install gpgtools (gnupg was not able to create the keys)
default admin-pin (PUK) = 12345678
default pin = 123456
gpg --card-edit

> admin
> generate
  enter admin-pin and pin
  never expires
  enter name, email and comment
  enter passphrase

export public key

gpg --card-status | grep "Signature key"
gpg --armor --export XXXXXXXX (the last 8 hex digits of the signature key ID)

show public ssh key

gpg-agent --enable-ssh-support --daemon ssh-add -l
2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx cardno:000000000001 (RSA)
gpg-agent --enable-ssh-support --daemon ssh-add -L
ssh-rsa AAAA[...your.key...] cardno:000000000001

gpgkey2ssh XXXXXX > ~/.ssh/smartcard.pub
vi ~/.ssh/smartcard.pub
change the COMMENT at the end of the line (cardno:...) to a description of the key

gpg-agent configuration

vi ~/.gnupg/gpg-agent.conf

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
enable-ssh-support
write-env-file
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200

pkill gpg-agent

use gpg-agent

get socket:
gpg-connect-agent "getinfo ssh_socket_name" /bye
set socket:
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
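As an added example (not part of the original post), the two steps above combined into one shell function: it asks the running agent for its ssh socket, parses the Assuan reply (`D <path>` followed by `OK`), and falls back to the standard socket path when no agent answers. The sample reply below is constructed; the user name alice and its home directory are assumptions.

```shell
# Constructed sample of what gpg-connect-agent prints for the getinfo query.
SAMPLE_ASSUAN='D /Users/alice/.gnupg/S.gpg-agent.ssh
OK'

# ssh_socket_from_assuan: read an Assuan reply on stdin and print the path
# carried by the first data line ("D ...").
ssh_socket_from_assuan() {
    awk '$1 == "D" { sub(/^D /, ""); print; exit }'
}

# gpg_ssh_socket: print the socket path to use for SSH_AUTH_SOCK.
# Queries the agent when gpg-connect-agent is installed and answers; otherwise
# uses the path that use-standard-socket gives (~/.gnupg/S.gpg-agent.ssh).
gpg_ssh_socket() {
    sock=
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        sock=$(gpg-connect-agent "getinfo ssh_socket_name" /bye 2>/dev/null | ssh_socket_from_assuan)
    fi
    [ -n "$sock" ] || sock="$HOME/.gnupg/S.gpg-agent.ssh"
    printf '%s\n' "$sock"
}

# use_gpg_agent: point ssh at the gpg-agent socket for this shell session.
use_gpg_agent() {
    SSH_AUTH_SOCK=$(gpg_ssh_socket)
    export SSH_AUTH_SOCK
    # A missing socket means the agent is not running; ssh would fall back to
    # password authentication, so say so instead of failing silently later.
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "warning: $SSH_AUTH_SOCK is not a socket; start gpg-agent first" >&2
        return 1
    fi
}
```

Source the file in your shell profile and call `use_gpg_agent`; afterwards `ssh-add -l` should list the `cardno:` key.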

Install ssh key on remote host

your ssh public key is already prepared and stored in ~/.ssh/smartcard.pub
to use it you can add it to ~/.ssh/authorized_keys on the remote host
to use ssh-copy-id you need to create an empty "private key"
touch ~/.ssh/smartcard
ssh-copy-id -i ~/.ssh/smartcard.pub remotehostname
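The comment edit from the "show public ssh key" section and the authorized_keys installation above, as an added example that is not part of the original post: one function rewrites the `cardno:` comment while keeping the key type and key blob untouched, the other appends the line to an authorized_keys file only if that key blob is not already there (so running it twice, or after ssh-copy-id, does not create duplicates). The key blob below is constructed, not a real key.

```shell
# Constructed sample of an "ssh-add -L" line for the smart card key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample0000000000 cardno:000000000001'

# set_pubkey_comment LINE COMMENT
# Prints LINE with its trailing comment replaced by COMMENT. Only fields 1 and 2
# (key type and base64 blob) are kept, so the key material is never altered.
set_pubkey_comment() {
    printf '%s\n' "$1" | awk -v c="$2" '{ print $1, $2, c }'
}

# install_authorized_key LINE FILE
# Appends LINE to FILE unless a line with the same key blob already exists.
# Matching on the blob (field 2) rather than the whole line means a key that was
# installed earlier with a different comment is still recognised.
# Prints "added" or "present".
install_authorized_key() {
    line=$1
    file=$2
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    touch "$file"
    chmod 600 "$file"   # sshd refuses authorized_keys that others can write
    if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}
```

Typical use on the remote host: `install_authorized_key "$(cat smartcard.pub)" ~/.ssh/authorized_keys`.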

test

ssh servername
it should ask you for the pin and establish an ssh connection without asking for a password

change pin

gpg --change-pin
