Yubikey NEO: OSX ssh smart card authentication
Hardware
YubiKey NEO
Only the NEO has the smart card functionality right now.
enable CCID
install YubiKey NEO Manager
run the YubiKey NEO Manager
change connection mode
set OTP + CCID
unplug yubikey and plug it back in
create key
install gpgtools (gnupg was not able to create the keys)
default admin-pin (PUK) = 12345678
default pin = 123456
gpg --card-edit
> admin
> generate
enter admin-pin and pin
key never expires
enter name, email and comment
enter passphrase
export public key
gpg --card-status | grep "Signature key"
gpg --armor --export XXXXXXXX (8 last digits from signature key)
show public ssh key
gpg-agent --enable-ssh-support --daemon
ssh-add -l
2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx cardno:000000000001 (RSA)
gpg-agent --enable-ssh-support --daemon
ssh-add -L
ssh-rsa AAAA[...your.key...] cardno:000000000001
gpgkey2ssh XXXXXX > ~/.ssh/smartcard.pub
vi ~/.ssh/smartcard.pub
change COMMENT at the end of line to a description
gpg-agent configuration
vi ~/.gnupg/gpg-agent.conf
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
enable-ssh-support
write-env-file
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200
pkill gpg-agent
use gpg-agent
get socket:
gpg-connect-agent "getinfo ssh_socket_name" /bye
set socket:
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
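The two steps above (ask the agent for its ssh socket, then export it) can be scripted so the shell never points ssh at a guessed or stale path. The following is an added example, not part of the original post: it parses the reply of gpg-connect-agent (an Assuan data line "D <path>" followed by "OK"), falls back to the ~/.gnupg/S.gpg-agent.ssh location used above when the agent cannot be asked, and checks that the result is really a socket before it is used. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): locate the gpg-agent ssh socket.
# gpg-connect-agent answers "getinfo ssh_socket_name" with a data line
#   D /Users/<you>/.gnupg/S.gpg-agent.ssh
# followed by a status line "OK".

# Extract the payload of the first "D " line from an agent reply.
# Assumption: the path contains no Assuan %XX escapes (true for normal home
# directories without spaces or control characters).
parse_ssh_socket_reply() {
    printf '%s\n' "$1" | sed -n 's/^D //p' | head -n 1
}

# Print the path to export as SSH_AUTH_SOCK. Asks the running agent when
# gpg-connect-agent is installed; otherwise falls back to the standard-socket
# location that the gpg-agent.conf above (use-standard-socket) produces.
gpg_ssh_socket() {
    reply=""
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        reply=$(gpg-connect-agent 'getinfo ssh_socket_name' /bye 2>/dev/null || true)
    fi
    sock=$(parse_ssh_socket_reply "$reply")
    if [ -z "$sock" ]; then
        sock="${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
    fi
    printf '%s\n' "$sock"
}

# SSH_AUTH_SOCK must be a live socket, not a regular file or a leftover from an
# agent that was killed (for example right after "pkill gpg-agent").
check_agent_socket() {
    [ -S "$1" ]
}

# Typical use from an interactive shell:
#   SSH_AUTH_SOCK=$(gpg_ssh_socket); export SSH_AUTH_SOCK
#   check_agent_socket "$SSH_AUTH_SOCK" || echo "gpg-agent is not running" >&2
```

If check_agent_socket fails after the export, start gpg-agent again (gpg-agent --enable-ssh-support --daemon) rather than letting ssh silently fall back to file-based keys.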
Install ssh key on remote host
your ssh public key is already prepared and stored in ~/.ssh/smartcard.pub
to use it you can add it to ~/.ssh/authorized_keys on the remote host
to use ssh-copy-id you need to create an empty "private key"
touch ~/.ssh/smartcard
ssh-copy-id -i ~/.ssh/smartcard.pub remotehostname
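When ssh-copy-id is not an option (or you want to check what lands in authorized_keys), the comment edit from the "show public ssh key" section and the installation step can be done with a couple of shell functions. This is an added example, not the post's own procedure: it replaces the trailing comment of the exported key, refuses anything that is not a single public key line (so a PGP armor block or a private key cannot end up in authorized_keys by accident), and appends the key only if the same type and key blob are not already present. The sample key blob in the usage is constructed and truncated; function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): manage the exported smart-card
# public key and install it into an authorized_keys file idempotently.

# Print the key from a .pub file with its comment replaced.
# A public key line is "<type> <base64> [comment]"; only the first two fields
# identify the key, so the comment can be rewritten freely.
set_key_comment() {
    # $1 = path to .pub file, $2 = new comment
    awk -v c="$2" 'NF >= 2 { print $1, $2, c; exit }' "$1"
}

# Accept exactly one line of the form "<known type> <base64> [comment]".
valid_pubkey_line() {
    printf '%s\n' "$1" | awk '
        NR > 1 { bad = 1 }
        $1 !~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)$/ { bad = 1 }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Append key $2 to the authorized_keys file $1 unless the same type+blob is
# already there. Returns 0 when added, 2 when already present, 1 when the key
# is malformed. Creates ~/.ssh and the file with the modes sshd insists on.
# Assumption: existing lines carry no option prefix (from=..., command=...);
# such lines are not recognised as duplicates by this simple check.
install_authorized_key() {
    authkeys="$1"; key="$2"
    valid_pubkey_line "$key" || return 1
    type=$(printf '%s\n' "$key" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if [ -f "$authkeys" ] && awk -v t="$type" -v b="$blob" \
        '$1 == t && $2 == b { found = 1 } END { exit found ? 0 : 1 }' "$authkeys"; then
        return 2
    fi
    # umask in a subshell so the caller's umask is untouched
    ( umask 077; mkdir -p "$(dirname "$authkeys")"; printf '%s\n' "$key" >> "$authkeys" )
    chmod 600 "$authkeys"
}

# Typical use on the remote host (key text copied over from ~/.ssh/smartcard.pub):
#   key=$(set_key_comment ~/.ssh/smartcard.pub "yubikey-neo laptop")
#   install_authorized_key ~/.ssh/authorized_keys "$key"
```

Run the duplicate check before every install; on a second run the function returns 2 and the file keeps exactly one copy of the key, so re-running a provisioning script does not pile up identical lines.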
test
ssh servername
it should ask you for the pin and establish an ssh connection without asking for a password
change pin
gpg --change-pin