From f8c51df272eecd89a3f437c4a4c8e1261f0e5538 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Tue, 1 Mar 2022 22:36:50 +0000 Subject: [PATCH 01/15] docs(yubi): :memo: Start yubikey example Add links Add ssh server example Updates to yubi key examples Update yubikey example Start adding a subkeys example Bit more on yubi and ssh examples Add some links --- 08_ssh/README.md | 7 +- 08_ssh/SSH_CERTIFICATES.md | 103 +++++++++++++++ 08_ssh/docker-compose.yaml | 30 +++++ 08_ssh/ssh_server/.gitignore | 1 + 08_ssh/ssh_server/Dockerfile.ca | 52 ++++++++ 08_ssh/ssh_server/Dockerfile.server | 65 +++++++++ 19_yubi/README.md | 191 +++++++++++++++++++++++++++ 19_yubi/SUBKEYS.md | 116 ++++++++++++++++ 19_yubi/docker-compose.yaml | 25 ++++ 19_yubi/ssh_server/.gitignore | 1 + 19_yubi/ssh_server/Dockerfile.server | 65 +++++++++ 11 files changed, 654 insertions(+), 2 deletions(-) create mode 100644 08_ssh/SSH_CERTIFICATES.md create mode 100644 08_ssh/docker-compose.yaml create mode 100644 08_ssh/ssh_server/.gitignore create mode 100644 08_ssh/ssh_server/Dockerfile.ca create mode 100644 08_ssh/ssh_server/Dockerfile.server create mode 100644 19_yubi/README.md create mode 100644 19_yubi/SUBKEYS.md create mode 100644 19_yubi/docker-compose.yaml create mode 100644 19_yubi/ssh_server/.gitignore create mode 100644 19_yubi/ssh_server/Dockerfile.server diff --git a/08_ssh/README.md b/08_ssh/README.md index 9687867..aef1ce5 100644 --- a/08_ssh/README.md +++ b/08_ssh/README.md @@ -1,6 +1,6 @@ # README -Demonstrates how to configure and use ssh +Demonstrates how to configure and use ssh with keys. ## Table of contents @@ -25,6 +25,8 @@ TODO: Goto [WINDOWS.md](./WINDOWS.md) +Ref: [39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) + ## Install ```sh @@ -84,6 +86,7 @@ ssh-add # list loaded keys ssh-add -l +# list details on ssh-agent ssh-agent # remove all the keys (when rotating) 
@@ -133,6 +136,6 @@ scp -i ./.vagrant/machines/default/virtualbox/private_key -o StrictHostKeyChecki ## Resources * man ssh_config(5) [here](http://www.manpagez.com/man/5/ssh_config/) -* Generating a new SSH key and adding it to the ssh-agent[here]](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) +* Generating a new SSH key and adding it to the ssh-agent[here](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) * SSH CHEATSHEET [here](https://cheatsheet.dennyzhang.com/cheatsheet-ssh-a4) * `cheatsheet ssh` diff --git a/08_ssh/SSH_CERTIFICATES.md b/08_ssh/SSH_CERTIFICATES.md new file mode 100644 index 0000000..238404a --- /dev/null +++ b/08_ssh/SSH_CERTIFICATES.md 
@@ -0,0 +1,103 @@ +# SSH CERTIFICATES + +Demonstrate how to use a SSH certificates rather than keys. + +## Reason + +Keys never expire. Neither users nor hosts are forced to refresh their keys. + +### Run example + +The `nginx` container is not available on the network. We use the `ssh` server to allow access. + +```sh +# create keys +mkdir -p ./ssh_server/keys +ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa +``` + +Start the containers. + +```sh +# start server +docker compose up -d --build --force-recreate + +# quick test +docker compose logs internalnginx +docker compose logs sshserver +docker compose logs caserver +``` + +### Configure Certificate Authority + +```sh +docker compose exec -it caserver /bin/bash + + + + +``` + + +SSH to get access to `nginx`. + +```sh +# ssh onto server +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +# curl against the nginx container +curl 172.16.238.64:80 +``` + +### 🧼 Cleanup + +```sh +# bring it down and delete the volume +docker compose down +``` + +### Debugging and troubleshooting + +```sh +docker compose exec -it sshserver /bin/bash + +# start ssh +rsyslogd +service ssh start +nano /etc/ssh/sshd_config +service ssh restart + +passwd +cat /root/.ssh/authorized_keys +cat /var/log/auth.log + +#PasswordAuthentication yes +#PermitEmptyPasswords yes +#PermitRootLogin without-password + +# open connections (only rsa seems to work) +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +``` + + +## Resources + +https://www.devseccon.com/blog/3-reasons-to-use-ssh-certificates-instead-of-ssh-keys-secadvent-day-22 + + +https://berndbausch.medium.com/ssh-certificates-a45bdcdfac39 + +- If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) 
+ + +https://www.reddit.com/r/devops/comments/s1zzz1/what_is_the_best_way_to_manage_ssh_identities_and/ + + +- Facebook: Scalable and secure access with SSH [here](https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/) + + + + +/Users/chris.guest/Code/scratch/docker_build_examples/40_ssl_nginx + diff --git a/08_ssh/docker-compose.yaml b/08_ssh/docker-compose.yaml new file mode 100644 index 0000000..6269407 --- /dev/null +++ b/08_ssh/docker-compose.yaml @@ -0,0 +1,30 @@ +services: + internalnginx: + image: nginx:1.21.1 + networks: + app_private_network: + ipv4_address: 172.16.238.64 + + sshserver: + build: + context: ./ssh_server + dockerfile: ./Dockerfile.server + ports: + - 2822:22 + networks: + app_private_network: + ipv4_address: 172.16.238.3 + + caserver: + build: + context: ./ssh_server + dockerfile: ./Dockerfile.ca + +networks: + app_private_network: + ipam: + driver: default + config: + - subnet: "172.16.238.0/24" + + diff --git a/08_ssh/ssh_server/.gitignore b/08_ssh/ssh_server/.gitignore new file mode 100644 index 0000000..0bdfd49 --- /dev/null +++ b/08_ssh/ssh_server/.gitignore @@ -0,0 +1 @@ +keys diff --git a/08_ssh/ssh_server/Dockerfile.ca b/08_ssh/ssh_server/Dockerfile.ca new file mode 100644 index 0000000..4ad517e --- /dev/null +++ b/08_ssh/ssh_server/Dockerfile.ca @@ -0,0 +1,52 @@ +# syntax=docker/dockerfile:1.4 +FROM ubuntu:20.04 + +RUN apt-get update && apt-get install --no-install-recommends \ + rsyslog \ + openssh-server \ + nano \ + curl \ + lsof \ + iproute2 nmap \ + iputils-ping -y \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +WORKDIR /scratch + +# NOTE: Escape the \$ otherwise they are rendered at buildtime +COPY --chmod=755 < /root/.ssh/authorized_keys +cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys +EOF + +RUN /bin/preparekeys.sh + +RUN chown -R root /root/.ssh/authorized_keys +RUN chmod 644 /root/.ssh/authorized_keys + +CMD [ "/bin/bash", "-c", "/bin/hold.sh" ] \ No newline at end of file 
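Review bot: The `ports: - 2822:22` mapping on sshserver publishes the demo sshd on every host interface, since Docker binds published ports to 0.0.0.0 unless told otherwise, and the accompanying README then logs in as root with `StrictHostKeyChecking=no`; binding to loopback, `- "127.0.0.1:2822:22"`, keeps a root-login sshd with freshly generated keys off the LAN. The same applies to `- 2823:22` on the yubissh service added to 19_yubi/docker-compose.yaml in patch 03. Separately, caserver declares no `networks`, so it joins the compose default network rather than app_private_network and cannot reach sshserver or internalnginx at their 172.16.238.x addresses; if the CA is meant to talk to them it needs the same `networks: app_private_network:` entry as the other two services.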
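Review bot: The apt-get line in Dockerfile.ca installs nmap, lsof, iproute2, iputils-ping and nano into the image that is meant to act as the SSH certificate authority, which is the one container in this example whose contents should be kept minimal; those diagnostic packages belong in the sshserver image or an ad-hoc install while debugging. If the CA only ever runs ssh-keygen to sign keys, `openssh-client` is sufficient and the `openssh-server` package (and its sshd) need not be present at all, though what the CA actually runs is not visible here. The heredoc body between `COPY --chmod=755 <<` and the `cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys` line is not legible in this rendering, so I could not check what preparekeys.sh does with the key material. Nothing in the file says what the container is for, so a header comment such as `# Certificate-authority container for the SSH_CERTIFICATES.md example` would help the next reader.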
diff --git a/19_yubi/README.md b/19_yubi/README.md
new file mode 100644
index 0000000..3c15692
--- /dev/null
+++ b/19_yubi/README.md
@@ -0,0 +1,191 @@ +# README + +Demonstrate how to use `yubikey`. + +## Reason + +Yubikey offers a lot of support for different auth protocols and certificates. + +TERMINOLOGY: + +- FIDO2 - Fast Identity Online (FIDO) [fidoalliance.org](https://fidoalliance.org/fido2/) +- OTP - [One-time password](https://en.wikipedia.org/wiki/One-time_password) +- PIV - Personal Identity Verification +- WebAuthn - [WebAuthn Introduction](https://developers.yubico.com/WebAuthn) +- PKCS - Public Key Cryptography Standards + +TODO: + +- Create an SSH server in docker and use ssh key on yubikey +- Check out the attestation. +- Using kms as a root key +- titan keys? +https://support.google.com/titansecuritykey/answer/9148044?hl=en-GB +- https://github.com/ixydo/gpg-smartcard-automation +https://github.com/ixydo/gpg-smartcard-automation +Yubikey provisioning +https://github.com/santiago-mooser/yubikey-provisioning-scripts + + +## Tools + +Details about the tools [here](https://developers.yubico.com/PIV/Tools.html) + +```sh +brew info ykman + +# install them +brew install ykman +brew install yubico-piv-tool + +# time of writing - YubiKey Manager (ykman) version: 5.0.0 +ykman --version +# time of writing - yubico-piv-tool 2.3.0 +yubico-piv-tool --version + +# list devices +ykman list + +# list details +ykman info + +# gpg can show details on the card +gpg --card-status +``` + +Go get the GUI manager from [website](https://www.yubico.com/support/download/yubikey-manager/) + +## Resetting PIN + +The default PIN code is `123456`. The default PUK code is `12345678`. + +The default 3DES management key (9B) is `010203040506070801020304050607080102030405060708`. + +Technical details about the YubiKey PIV implementation can be found [here](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html) + +Change the pins PIN and PUK + +## Generate keys + +NOTE: An occupied slot on the Yubikey PIV interface usually contains a private key, a public key and an X509 certificate. 
The key pair generate, the certificate generation and the certificate import are done using different actions in the right order. REF: [Key Generation](https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html) + +```sh +ykman piv --help + +yubico-piv-tool -s 9a -a generate -k --pin-policy=once --touch-policy=always --algorithm=RSA2048 -o public.pem +``` + +Getting Started: SSH Authentication with a YubiKey as a Smart Card + [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) + +https://eta.st/2021/03/06/yubikey-5-piv.html + +yubikey agent https://github.com/FiloSottile/yubikey-agent + +RSA 4096 bit keys on yubikey +https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl + +https://github.com/OpenSC/OpenSC/wiki +https://developers.yubico.com/yubico-piv-tool/ + + +https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration + +https://www.securew2.com/blog/yubikey-certificate-attestation/ + +https://smallstep.com/blog/use-ssh-certificates/ + +https://chewing-the-code.blogspot.com/2019/05/yubikey-ssh-onmacos.html + + + +## SSH + +Do I need a master key to get SSH PIV working? + +https://developers.yubico.com/PGP/ + + + + +Ref: [08_SSH/README.md](../08_SSH/README.md) +Ref: [39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) + +### Run example + +The `nginx` container is not available on the network. We use the `ssh` server to allow access. + +```sh +# create keys +mkdir -p ./ssh_server/keys +ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa +``` + +Start the containers. + +```sh +# start server +docker compose up -d --build --force-recreate + +# quick test +docker compose logs internalnginx +docker compose logs sshserver +``` + +SSH to get access to `nginx`. 
+ +```sh +# ssh onto server +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +# curl against the nginx container +curl 172.16.238.64:80 +``` + +### 🧼 Cleanup + +```sh +# bring it down and delete the volume +docker compose down +``` + +### Debugging and troubleshooting + +```sh +docker compose exec -it sshserver /bin/bash + +# start ssh +rsyslogd +service ssh start +nano /etc/ssh/sshd_config +service ssh restart + +passwd +cat /root/.ssh/authorized_keys +cat /var/log/auth.log + +#PasswordAuthentication yes +#PermitEmptyPasswords yes +#PermitRootLogin without-password + +# open connections (only rsa seems to work) +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +``` + +## Prereqs + +```sh +sudo apt install -y curl gnupg2 gnupg-agent cryptsetup scdaemon pcscd +``` + +```sh +lsusb -v 2> /dev/null | grep -A4 -B 5 -i yubi +``` + +## Resources + +- YubiKey Manager - Cross-platform application for configuring any YubiKey over all USB interfaces. [here](https://www.yubico.com/support/download) +- https://developers.yubico.com/ +- https://fidoalliance.org/fido2/ +- https://zach.codes/ultimate-yubikey-setup-guide/ diff --git a/19_yubi/SUBKEYS.md b/19_yubi/SUBKEYS.md new file mode 100644 index 0000000..5dc5638 --- /dev/null +++ b/19_yubi/SUBKEYS.md 
@@ -0,0 +1,116 @@ +# README + +TODO: + +- signing versus encryption versus authentication +- create a master key on yubikey + + + +## Taxonomy + +- DSA - Digital Signature Algorithm. It should not be used anymore. +- RSA - Rivest–Shamir–Adleman +- ECDSA - Elliptic Curve Digital Signature Algorithm +- ED25519 - Edwards-Curve Digital Signature Algorithm (EdDSA) +- ELG-E - ElGamal encryption system +- eccp256 - 256bit curve +- eccp384 - 384bit curve +- PEM - (Privacy Enhanced Mail”) "-----BEGIN CERTIFICATE-----" +- DER (Distinguished Encoding Rules) - Binary Format +- PKCS - Public-Key Cryptography Standards +- PKCS#11 - Cryptographic Token Interface Standard - defines a platform-independent API to cryptographic tokens +- PKCS#12 - defines an archive file format for storing many cryptography objects as a single file. +- GPG - GNU Privacy Guard +- TOFU - Trust On First Use anti-pattern + +## Generate + +```sh +mkdir -p ./keys +ssh-keygen -o -a 100 -t ed25519 -f ./keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./keys/id_rsa +``` + +## Decode + +```sh +openssl asn1parse -in ./keys/id_ed25519 +/usr/local/Cellar/openssl@3/3.0.5/bin/openssl asn1parse -strictpem -in ./keys/id_ed25519 --help +``` + +## Alice + +Build and run the container + +```sh +# Build +docker build -t alice -f Dockerfile.alice . + +# run alice +docker run -it --entrypoint /bin/sh alice +``` + +```sh +# Batch it instead of `gpg --full-generate-key` +# NOTE: passphrase +cat >key-settings < /root/.ssh/authorized_keys +cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys +EOF + +RUN /bin/preparekeys.sh + +RUN chown -R root /root/.ssh/authorized_keys +RUN chmod 644 /root/.ssh/authorized_keys + +CMD [ "/bin/bash", "-c", "/bin/hold.sh" ] \ No newline at end of file From 50c95402bc8803f06be62d4bb9239e16936789f2 Mon Sep 17 00:00:00 2001 
From: Chris Guest Date: Fri, 29 Mar 2024 22:28:12 +0000 Subject: [PATCH 02/15] docs(yubi): :memo: Update docs for yubi keys --- 08_ssh/README.md | 4 ++-- 19_yubi/README.md | 49 ++++++++++++++++++++++++++++------------------ 19_yubi/SUBKEYS.md | 2 +- 3 files changed, 33 insertions(+), 22 deletions(-) diff --git a/08_ssh/README.md b/08_ssh/README.md index aef1ce5..0596fe8 100644 --- a/08_ssh/README.md +++ b/08_ssh/README.md @@ -2,6 +2,8 @@ Demonstrates how to configure and use ssh with keys. +Ref: [39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) + ## Table of contents - [README](#readme) @@ -25,8 +27,6 @@ TODO: Goto [WINDOWS.md](./WINDOWS.md) -Ref: [39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) - ## Install ```sh diff --git a/19_yubi/README.md b/19_yubi/README.md index 3c15692..9d93512 100644 --- a/19_yubi/README.md +++ b/19_yubi/README.md @@ -10,9 +10,9 @@ TERMINOLOGY: - FIDO2 - Fast Identity Online (FIDO) [fidoalliance.org](https://fidoalliance.org/fido2/) - OTP - [One-time password](https://en.wikipedia.org/wiki/One-time_password) -- PIV - Personal Identity Verification +- PIV - Personal Identity Verification - [What is PIV?](https://developers.yubico.com/PIV/) - WebAuthn - [WebAuthn Introduction](https://developers.yubico.com/WebAuthn) -- PKCS - Public Key Cryptography Standards +- PKCS - Public Key Cryptography Standards [PKCS#11](https://en.wikipedia.org/wiki/PKCS_11) TODO: 
@@ -22,27 +22,35 @@ TODO: - titan keys? https://support.google.com/titansecuritykey/answer/9148044?hl=en-GB - https://github.com/ixydo/gpg-smartcard-automation -https://github.com/ixydo/gpg-smartcard-automation Yubikey provisioning https://github.com/santiago-mooser/yubikey-provisioning-scripts - ## Tools Details about the tools [here](https://developers.yubico.com/PIV/Tools.html) +* ykman - Configure your YubiKey via the command line. +* yubico-piv-tool - Tool for managing Personal Identity Verification credentials on Yubikeys +* gpg - OpenPGP encryption and signing tool + ```sh brew info ykman +brew info yubico-piv-tool # install them brew install ykman brew install yubico-piv-tool # time of writing - YubiKey Manager (ykman) version: 5.0.0 +# time of writing - YubiKey Manager (ykman) version: 5.4.0 ykman --version # time of writing - yubico-piv-tool 2.3.0 +# time of writing - yubico-piv-tool 2.4.2 yubico-piv-tool --version +# time of writing - gpg (GnuPG) 2.4.5 +gpg --version + # list devices ykman list @@ -55,7 +63,10 @@ gpg --card-status Go get the GUI manager from [website](https://www.yubico.com/support/download/yubikey-manager/) -## Resetting PIN +## Resetting PIN & PUK + +* PIN (Personal Identification Number) +* PUK (PIN Unblocking Key) The default PIN code is `123456`. The default PUK code is `12345678`. 
@@ -69,35 +80,32 @@ Change the pins PIN and PUK NOTE: An occupied slot on the Yubikey PIV interface usually contains a private key, a public key and an X509 certificate. The key pair generate, the certificate generation and the certificate import are done using different actions in the right order. REF: [Key Generation](https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html) +Slots [here](https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) + ```sh ykman piv --help yubico-piv-tool -s 9a -a generate -k --pin-policy=once --touch-policy=always --algorithm=RSA2048 -o public.pem ``` -Getting Started: SSH Authentication with a YubiKey as a Smart Card - [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) - -https://eta.st/2021/03/06/yubikey-5-piv.html - -yubikey agent https://github.com/FiloSottile/yubikey-agent +* Getting Started: SSH Authentication with a YubiKey as a Smart Card [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) +* Getting PIV-based SSH working on a YubiKey [here](https://eta.st/2021/03/06/yubikey-5-piv.html) +* yubikey-agent is a seamless ssh-agent for YubiKeys [here](https://github.com/FiloSottile/yubikey-agent) +* Using your Yubikey to store your SSH Key (RSA 4096) [here](https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl) +* OpenSC [repo](https://github.com/OpenSC/OpenSC/wiki) -RSA 4096 bit keys on yubikey -https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl - -https://github.com/OpenSC/OpenSC/wiki -https://developers.yubico.com/yubico-piv-tool/ -https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration -https://www.securew2.com/blog/yubikey-certificate-attestation/ +* Yubikey PIV Certificate Slot Configuration [here](https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration) +* Yubikey Certificate Attestation Improved 
[here](https://www.securew2.com/blog/yubikey-certificate-attestation/) https://smallstep.com/blog/use-ssh-certificates/ https://chewing-the-code.blogspot.com/2019/05/yubikey-ssh-onmacos.html - +https://github.com/santiago-mooser/yubikey-provisioning-scripts +https://developers.yubico.com/yubico-piv-tool/ ## SSH @@ -189,3 +197,6 @@ lsusb -v 2> /dev/null | grep -A4 -B 5 -i yubi - https://developers.yubico.com/ - https://fidoalliance.org/fido2/ - https://zach.codes/ultimate-yubikey-setup-guide/ + + +- Yubico OTPs Explained [here](https://developers.yubico.com/OTP/OTPs_Explained.html) \ No newline at end of file diff --git a/19_yubi/SUBKEYS.md b/19_yubi/SUBKEYS.md index 5dc5638..e5676c1 100644 --- a/19_yubi/SUBKEYS.md +++ b/19_yubi/SUBKEYS.md @@ -5,7 +5,7 @@ TODO: - signing versus encryption versus authentication - create a master key on yubikey - +https://github.com/drduh/YubiKey-Guide#sub-keys ## Taxonomy From bda6cb034ed9eb2479d2d3c500840aecb31d0619 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sun, 31 Mar 2024 19:43:58 +0100 Subject: [PATCH 03/15] docs(yubi): :memo: Still struggling getting it working. --- 19_yubi/PIV.md | 104 +++++++++++++++++++ 19_yubi/README.md | 141 +++++++------------------- 19_yubi/RESIDENT_KEYS.md | 30 ++++++ 19_yubi/SSH_CERTIFICATES.md | 81 +++++++++++++++ 19_yubi/docker-compose.yaml | 11 +- 19_yubi/ssh_server/.gitignore | 1 + 19_yubi/ssh_server/Dockerfile.yubissh | 67 ++++++++++++ 7 files changed, 327 insertions(+), 108 deletions(-) create mode 100644 19_yubi/PIV.md create mode 100644 19_yubi/RESIDENT_KEYS.md create mode 100644 19_yubi/SSH_CERTIFICATES.md create mode 100644 19_yubi/ssh_server/Dockerfile.yubissh diff --git a/19_yubi/PIV.md b/19_yubi/PIV.md new file mode 100644 index 0000000..8a755d0 --- /dev/null +++ b/19_yubi/PIV.md 
@@ -0,0 +1,104 @@ +# PIV + +PIV - Personal Identity Verification - [What is PIV?](https://developers.yubico.com/PIV/) + +## Generate keys + +NOTE: An occupied slot on the Yubikey PIV interface usually contains a private key, a public key and an X509 certificate. The key pair generate, the certificate generation and the certificate import are done using different actions in the right order. REF: [Key Generation](https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html) + +Slots [here](https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) + +```sh +ykman piv --help + +# requires managmment key (not pin) +yubico-piv-tool -s 9a -a generate -k --pin-policy=once --touch-policy=always --algorithm=RSA2048 -o ./ssh_server/keys/public.pem + +yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i ./ssh_server/keys/public.pem -o ./ssh_server/keys/cert.pem + +# not working +yubico-piv-tool -s 9a -a import-key -i ./ssh_server/keys/id_ed25519 +``` + +## SSH + +Ref: [08_SSH/README.md](../08_SSH/README.md) +Ref: [chrisguest75/docker_examples/39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) + +### Run example + +The `nginx` container is not available on the network. We use the `ssh` server to allow access. + +```sh +# OpenSSH_8.6p1, LibreSSL 3.3.6 +ssh -V + +# create keys +mkdir -p ./ssh_server/keys +ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa +``` + +Start the containers. + +```sh +# start server +docker compose up -d --build --force-recreate + +# quick test +docker compose logs internalnginx +docker compose logs sshserver +``` + +SSH to get access to `nginx`. 
+ +```sh +# ssh onto server +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +# once in ssh shell curl against the nginx container +curl 172.16.238.64:80 +``` + +### 🧼 Cleanup + +```sh +# bring it down and delete the volume +docker compose down +``` + +### Debugging and troubleshooting + +```sh +docker compose exec -it sshserver /bin/bash + +# start ssh +rsyslogd +service ssh start +nano /etc/ssh/sshd_config +service ssh restart + +passwd +cat /root/.ssh/authorized_keys +cat /var/log/auth.log + +#PasswordAuthentication yes +#PermitEmptyPasswords yes +#PermitRootLogin without-password + +# open connections +# Both work now - there was a time that only rsa seemed to work. +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +``` + +## Resources + +* https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html +* Getting Started: SSH Authentication with a YubiKey as a Smart Card [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) +* Getting PIV-based SSH working on a YubiKey [here](https://eta.st/2021/03/06/yubikey-5-piv.html) +* yubikey-agent is a seamless ssh-agent for YubiKeys [here](https://github.com/FiloSottile/yubikey-agent) +* Using your Yubikey to store your SSH Key (RSA 4096) [here](https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl) +* OpenSC [repo](https://github.com/OpenSC/OpenSC/wiki) +* Yubikey PIV Certificate Slot Configuration [here](https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration) +* Yubico PIV Tool [here](https://developers.yubico.com/yubico-piv-tool/) +* If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) diff --git a/19_yubi/README.md b/19_yubi/README.md index 9d93512..0000e22 100644 --- a/19_yubi/README.md +++ b/19_yubi/README.md 
@@ -32,14 +32,22 @@ Details about the tools [here](https://developers.yubico.com/PIV/Tools.html) * ykman - Configure your YubiKey via the command line. * yubico-piv-tool - Tool for managing Personal Identity Verification credentials on Yubikeys * gpg - OpenPGP encryption and signing tool +* yubikey manager ui - [here](https://www.yubico.com/support/download/yubikey-manager/) ```sh brew info ykman brew info yubico-piv-tool +brew info yubico-yubikey-manager +brew info openssh # install them brew install ykman brew install yubico-piv-tool +brew install yubico-yubikey-manager +brew install openssh + +# NOTE: Apparently this is not required anymore +brew install opensc # time of writing - YubiKey Manager (ykman) version: 5.0.0 # time of writing - YubiKey Manager (ykman) version: 5.4.0 @@ -51,6 +59,9 @@ yubico-piv-tool --version # time of writing - gpg (GnuPG) 2.4.5 gpg --version +# OpenSSH_9.7p1, OpenSSL 3.2.1 30 Jan 2024 +$(brew --prefix openssh)/bin/ssh -V + # list devices ykman list 
@@ -59,126 +70,37 @@ ykman info # gpg can show details on the card gpg --card-status + +# show slots +yubico-piv-tool -a status ``` Go get the GUI manager from [website](https://www.yubico.com/support/download/yubikey-manager/) ## Resetting PIN & PUK +Accessing administrative functions. Containing list of operations [here](https://developers.yubico.com/PIV/Introduction/Admin_access.html) + * PIN (Personal Identification Number) * PUK (PIN Unblocking Key) -The default PIN code is `123456`. The default PUK code is `12345678`. +The default PIN code is `123456`. The default PUK code is `12345678`. -The default 3DES management key (9B) is `010203040506070801020304050607080102030405060708`. +The default 3DES management key (9B) is `010203040506070801020304050607080102030405060708`. Technical details about the YubiKey PIV implementation can be found [here](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html) -Change the pins PIN and PUK - -## Generate keys - -NOTE: An occupied slot on the Yubikey PIV interface usually contains a private key, a public key and an X509 certificate. The key pair generate, the certificate generation and the certificate import are done using different actions in the right order. 
REF: [Key Generation](https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html) - -Slots [here](https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) +Change the pins PIN and PUK ```sh -ykman piv --help - -yubico-piv-tool -s 9a -a generate -k --pin-policy=once --touch-policy=always --algorithm=RSA2048 -o public.pem -``` - -* Getting Started: SSH Authentication with a YubiKey as a Smart Card [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) -* Getting PIV-based SSH working on a YubiKey [here](https://eta.st/2021/03/06/yubikey-5-piv.html) -* yubikey-agent is a seamless ssh-agent for YubiKeys [here](https://github.com/FiloSottile/yubikey-agent) -* Using your Yubikey to store your SSH Key (RSA 4096) [here](https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl) -* OpenSC [repo](https://github.com/OpenSC/OpenSC/wiki) - - - - -* Yubikey PIV Certificate Slot Configuration [here](https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration) -* Yubikey Certificate Attestation Improved [here](https://www.securew2.com/blog/yubikey-certificate-attestation/) - -https://smallstep.com/blog/use-ssh-certificates/ - -https://chewing-the-code.blogspot.com/2019/05/yubikey-ssh-onmacos.html - -https://github.com/santiago-mooser/yubikey-provisioning-scripts -https://developers.yubico.com/yubico-piv-tool/ - -## SSH - -Do I need a master key to get SSH PIV working? - -https://developers.yubico.com/PGP/ - - - - -Ref: [08_SSH/README.md](../08_SSH/README.md) -Ref: [39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) - -### Run example - -The `nginx` container is not available on the network. We use the `ssh` server to allow access. - -```sh -# create keys -mkdir -p ./ssh_server/keys -ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 -ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa -``` - -Start the containers. 
- -```sh -# start server -docker compose up -d --build --force-recreate - -# quick test -docker compose logs internalnginx -docker compose logs sshserver -``` - -SSH to get access to `nginx`. - -```sh -# ssh onto server -ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 -# curl against the nginx container -curl 172.16.238.64:80 -``` - -### 🧼 Cleanup - -```sh -# bring it down and delete the volume -docker compose down -``` - -### Debugging and troubleshooting - -```sh -docker compose exec -it sshserver /bin/bash - -# start ssh -rsyslogd -service ssh start -nano /etc/ssh/sshd_config -service ssh restart - -passwd -cat /root/.ssh/authorized_keys -cat /var/log/auth.log - -#PasswordAuthentication yes -#PermitEmptyPasswords yes -#PermitRootLogin without-password - -# open connections (only rsa seems to work) -ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 -ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +# generate random key +key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` +echo $key +yubico-piv-tool -a set-mgm-key -n $key --key 010203040506070801020304050607080102030405060708 + +# pins +yubico-piv-tool -a change-pin -P 123456 -N 123456 +yubico-piv-tool -a change-puk -P 12345678 -N 12345678 ``` ## Prereqs 
@@ -197,6 +119,11 @@ lsusb -v 2> /dev/null | grep -A4 -B 5 -i yubi - https://developers.yubico.com/ - https://fidoalliance.org/fido2/ - https://zach.codes/ultimate-yubikey-setup-guide/ +- Yubico OTPs Explained [here](https://developers.yubico.com/OTP/OTPs_Explained.html) +* Yubikey Certificate Attestation Improved [here](https://www.securew2.com/blog/yubikey-certificate-attestation/) +* https://chewing-the-code.blogspot.com/2019/05/yubikey-ssh-onmacos.html +* https://github.com/santiago-mooser/yubikey-provisioning-scripts +* Do I need a master key to get SSH PIV working? https://developers.yubico.com/PGP/ +* https://ruimarinho.gitbooks.io/yubikey-handbook/content/ +* https://github.com/jamesog/yubikey-ssh - -- Yubico OTPs Explained [here](https://developers.yubico.com/OTP/OTPs_Explained.html) \ No newline at end of file diff --git a/19_yubi/RESIDENT_KEYS.md b/19_yubi/RESIDENT_KEYS.md new file mode 100644 index 0000000..8a05434 --- /dev/null +++ b/19_yubi/RESIDENT_KEYS.md @@ -0,0 +1,30 @@ +# RESIDENT KEYS + +NOTES: + +* Requires brews OpenSSL as Apple compile with --disable-security-key + +```sh +# OpenSSH_8.6p1, LibreSSL 3.3.6 +ssh -V + +export PATH=$(brew --prefix openssh)/bin:$PATH + +# openssh needs to be installed from brew +ssh-keygen --help +$(brew --prefix openssh)/bin/ssh-keygen --help + +mkdir -p ./ssh_server/residentkeys +$(brew --prefix openssh)/bin/ssh-keygen -f ./ssh_server/residentkeys/id_ed25519-sk -t ed25519-sk -O application=ssh:personal -O no-touch-required -O resident + + + +$(brew --prefix openssh)/bin/ssh-add -K + +$(brew --prefix openssh)/bin/ssh -f ./ssh_server/residentkeys/id_ed25519-sk -vvvv -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 2822 root@0.0.0.0 +``` + +## Resources + +* https://dev.to/tw3n/using-yubikey-resident-keys-for-git-and-ssh-on-macos-48j7 +* https://stackoverflow.com/questions/68573454/having-difficulty-to-get-ssh-with-a-yubikey-working-with-macos-monterey \ No newline at end of file 
diff --git a/19_yubi/SSH_CERTIFICATES.md b/19_yubi/SSH_CERTIFICATES.md
new file mode 100644
index 0000000..dc92f5e
--- /dev/null
+++ b/19_yubi/SSH_CERTIFICATES.md
@@ -0,0 +1,81 @@ +# SSH CERTIFICATES + +NOTES: + +* We first generate a Certificate Authority +* "OpenSC is no longer required, since we now have a functional PKCS #11 module, namely ykcs11." [here](https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html) + +## Generate Certificates + +```sh +mkdir -p ./ssh_server/keys + +# -N means no passphrase +ssh-keygen -N '' -C user-ca -f ./ssh_server/keys/ca +sed 's/^/cert-authority /' ./ssh_server/keys/ca.pub > ./ssh_server/keys/authorized_keys + +# generate a key +yubico-piv-tool -a generate -s 9c -A RSA2048 --pin-policy=never --touch-policy=always -o ./ssh_server/keys/public.pem + +# when doing this you have to touch the key +yubico-piv-tool -a selfsign-certificate -s 9c -S "/CN=SSH key/" -i ./ssh_server/keys/public.pem -o ./ssh_server/keys/cert.pem + +yubico-piv-tool -a import-certificate -s 9c -i ./ssh_server/keys/cert.pem + +#https://github.com/OpenSC/OpenSC/wiki/macOS-Quick-Start +opensc-tool --name +# the key needs pressing on 2nd PIN entry +pkcs11-tool --login --test +``` + +## Test + +Start the SSH server. 
+ +```sh +docker compose up -d --build --force-recreate +``` + + +```sh +export PATH=$(brew --prefix openssh)/bin:$PATH +ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e + +ssh -vvvv -o StrictHostKeyChecking=no -I $(realpath /usr/local/lib/libykcs11.dylib) -p 2823 root@0.0.0.0 + +# THIS DOES NOT WORK +ssh-add -s $(realpath /usr/local/lib/libykcs11.dylib) +ssh-add -L +``` + +### 🧼 Cleanup + +```sh +# bring it down and delete the volume +docker compose down +``` + +### Debugging and troubleshooting + +```sh +docker compose exec -it sshserver /bin/bash + +# start ssh +rsyslogd +service ssh start +nano /etc/ssh/sshd_config +service ssh restart + +passwd +cat /root/.ssh/authorized_keys +cat /var/log/auth.log + +#PasswordAuthentication yes +#PermitEmptyPasswords yes +#PermitRootLogin without-password +``` + +## Resources + +* https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html +* https://ultrabug.fr/en/Tech%20Blog/2017/2017-05-12-hardening-ssh-authentication-using-yubikey-22/ diff --git a/19_yubi/docker-compose.yaml b/19_yubi/docker-compose.yaml index 4ba0ec2..e901d06 100644 --- a/19_yubi/docker-compose.yaml +++ b/19_yubi/docker-compose.yaml @@ -14,7 +14,16 @@ services: networks: app_private_network: ipv4_address: 172.16.238.3 - + + yubissh: + build: + context: ./ssh_server + dockerfile: ./Dockerfile.yubissh + ports: + - 2823:22 + networks: + app_private_network: + ipv4_address: 172.16.238.4 networks: app_private_network: ipam: diff --git a/19_yubi/ssh_server/.gitignore b/19_yubi/ssh_server/.gitignore index 0bdfd49..0d7cb1a 100644 --- a/19_yubi/ssh_server/.gitignore +++ b/19_yubi/ssh_server/.gitignore @@ -1 +1,2 @@ keys +residentkeys \ No newline at end of file diff --git a/19_yubi/ssh_server/Dockerfile.yubissh b/19_yubi/ssh_server/Dockerfile.yubissh new file mode 100644 index 0000000..ebab294 --- /dev/null +++ b/19_yubi/ssh_server/Dockerfile.yubissh 
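Review bot: The new `yubissh` service publishes `2823:22` with no host address, so Docker binds this root-login test SSH server on every host interface, while the docs only ever connect to it locally. Binding it to loopback, `- 127.0.0.1:2823:22`, keeps the example usable and stops a root shell from being offered to the LAN. The same unscoped publish is present on the existing `sshserver` (`2822:22`) in this hunk, in the later `docker-compose.ssh.yaml`, and in the gitea `docker-compose.yaml` (`3000:3000`, `222:22`).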
@@ -0,0 +1,67 @@ +# syntax=docker/dockerfile:1.4 +FROM ubuntu:20.04 + +RUN apt-get update && apt-get install --no-install-recommends \ + rsyslog \ + openssh-server \ + nano \ + curl \ + lsof \ + iproute2 nmap \ + iputils-ping -y \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +WORKDIR /scratch + +# NOTE: Escape the \$ otherwise they are rendered at buildtime +COPY --chmod=755 < /root/.ssh/authorized_keys +#cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys +EOF + +RUN /bin/preparekeys.sh + +RUN chown -R root /root/.ssh/authorized_keys +RUN chmod 644 /root/.ssh/authorized_keys + +CMD [ "/bin/bash", "-c", "/bin/hold.sh" ] \ No newline at end of file From b6318b556321d6b089142d3e9bdc1101d741a873 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sun, 31 Mar 2024 20:53:59 +0100 Subject: [PATCH 04/15] feat(yubi): :memo: Yubikey now working with docker hosted ssh on mac --- 19_yubi/README.md | 9 ++---- 19_yubi/SSH_CERTIFICATES.md | 32 +++++++++++++------ ...e.yaml => docker-compose.ca.yubi.ssh.yaml} | 11 +------ 19_yubi/docker-compose.ssh.yaml | 25 +++++++++++++++ 19_yubi/ssh_server/.gitignore | 1 + ...kerfile.yubissh => Dockerfile.ca.yubi.ssh} | 10 +++--- .../{Dockerfile.server => Dockerfile.ssh} | 0 7 files changed, 56 insertions(+), 32 deletions(-) rename 19_yubi/{docker-compose.yaml => docker-compose.ca.yubi.ssh.yaml} (63%) create mode 100644 19_yubi/docker-compose.ssh.yaml rename 19_yubi/ssh_server/{Dockerfile.yubissh => Dockerfile.ca.yubi.ssh} (80%) rename 19_yubi/ssh_server/{Dockerfile.server => Dockerfile.ssh} (100%) diff --git a/19_yubi/README.md b/19_yubi/README.md index 0000e22..e2221f2 100644 --- a/19_yubi/README.md +++ b/19_yubi/README.md 
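Review bot: The heredoc that defines `/bin/preparekeys.sh` is garbled in this rendering (`COPY --chmod=755 <` runs straight into `/root/.ssh/authorized_keys`), so the script that writes root's authorized_keys cannot be reviewed here; the build presumably only works if the heredoc is intact in the committed file. Beyond that, the image installs `nmap`, `lsof`, `nano`, `curl` and `iproute2` that nothing in the example uses; trimming the list to `rsyslog openssh-server` (plus `iputils-ping` if wanted) reduces what is available to anyone who lands in the container's root shell. `ubuntu:20.04` is pinned only by tag, so a digest pin would make the example reproducible, and `chown -R` on a single file adds nothing over `chown`.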
@@ -19,11 +19,9 @@ TODO: - Create an SSH server in docker and use ssh key on yubikey - Check out the attestation. - Using kms as a root key -- titan keys? -https://support.google.com/titansecuritykey/answer/9148044?hl=en-GB +- titan keys? https://support.google.com/titansecuritykey/answer/9148044?hl=en-GB - https://github.com/ixydo/gpg-smartcard-automation -Yubikey provisioning -https://github.com/santiago-mooser/yubikey-provisioning-scripts +- Yubikey provisioning https://github.com/santiago-mooser/yubikey-provisioning-scripts ## Tools @@ -115,10 +113,10 @@ lsusb -v 2> /dev/null | grep -A4 -B 5 -i yubi ## Resources +- https://zach.codes/ultimate-yubikey-setup-guide/ - YubiKey Manager - Cross-platform application for configuring any YubiKey over all USB interfaces. [here](https://www.yubico.com/support/download) - https://developers.yubico.com/ - https://fidoalliance.org/fido2/ -- https://zach.codes/ultimate-yubikey-setup-guide/ - Yubico OTPs Explained [here](https://developers.yubico.com/OTP/OTPs_Explained.html) * Yubikey Certificate Attestation Improved [here](https://www.securew2.com/blog/yubikey-certificate-attestation/) * https://chewing-the-code.blogspot.com/2019/05/yubikey-ssh-onmacos.html @@ -126,4 +124,3 @@ lsusb -v 2> /dev/null | grep -A4 -B 5 -i yubi * Do I need a master key to get SSH PIV working? https://developers.yubico.com/PGP/ * https://ruimarinho.gitbooks.io/yubikey-handbook/content/ * https://github.com/jamesog/yubikey-ssh - diff --git a/19_yubi/SSH_CERTIFICATES.md b/19_yubi/SSH_CERTIFICATES.md index dc92f5e..7aa2f4e 100644 --- a/19_yubi/SSH_CERTIFICATES.md +++ b/19_yubi/SSH_CERTIFICATES.md 
@@ -8,11 +8,13 @@ NOTES: ## Generate Certificates ```sh +mkdir -p ./ssh_server/ca-keys mkdir -p ./ssh_server/keys # -N means no passphrase -ssh-keygen -N '' -C user-ca -f ./ssh_server/keys/ca -sed 's/^/cert-authority /' ./ssh_server/keys/ca.pub > ./ssh_server/keys/authorized_keys +# -C means comment +ssh-keygen -N '' -C user-ca -f ./ssh_server/ca-keys/ca +sed 's/^/cert-authority /' ./ssh_server/ca-keys/ca.pub > ./ssh_server/ca-keys/authorized_keys # generate a key yubico-piv-tool -a generate -s 9c -A RSA2048 --pin-policy=never --touch-policy=always -o ./ssh_server/keys/public.pem 
@@ -25,40 +27,49 @@ yubico-piv-tool -a import-certificate -s 9c -i ./ssh_server/keys/cert.pem #https://github.com/OpenSC/OpenSC/wiki/macOS-Quick-Start opensc-tool --name # the key needs pressing on 2nd PIN entry -pkcs11-tool --login --test +pkcs11-tool --login --test ``` ## Test -Start the SSH server. +YubiKey thumbprint ```sh -docker compose up -d --build --force-recreate +export PATH=$(brew --prefix openssh)/bin:$PATH + +# copy thumbprint +ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e | grep Signature > ./ssh_server/keys/yubi_authorized_keys ``` +Start the SSH server. ```sh -export PATH=$(brew --prefix openssh)/bin:$PATH -ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e +docker compose -f ./docker-compose.ca.yubi.ssh.yaml up -d --build --force-recreate +``` + +Login with YubiKey -ssh -vvvv -o StrictHostKeyChecking=no -I $(realpath /usr/local/lib/libykcs11.dylib) -p 2823 root@0.0.0.0 +```sh +ssh -vvvv -o StrictHostKeyChecking=no -I $(realpath /usr/local/lib/libykcs11.dylib) -p 2822 root@0.0.0.0 # THIS DOES NOT WORK ssh-add -s $(realpath /usr/local/lib/libykcs11.dylib) ssh-add -L ``` + + ### 🧼 Cleanup ```sh # bring it down and delete the volume -docker compose down +docker compose -f ./docker-compose.ca.yubi.ssh.yaml down ``` ### Debugging and troubleshooting ```sh -docker compose exec -it sshserver /bin/bash +docker compose -f ./docker-compose.ca.yubi.ssh.yaml exec -it sshserver /bin/bash # start ssh rsyslogd @@ -70,6 +81,7 @@ passwd cat /root/.ssh/authorized_keys cat /var/log/auth.log +nano /root/.ssh/authorized_keys #PasswordAuthentication yes #PermitEmptyPasswords yes #PermitRootLogin without-password diff --git a/19_yubi/docker-compose.yaml b/19_yubi/docker-compose.ca.yubi.ssh.yaml similarity index 63% rename from 19_yubi/docker-compose.yaml rename to 19_yubi/docker-compose.ca.yubi.ssh.yaml index e901d06..c237a64 100644 --- a/19_yubi/docker-compose.yaml +++ b/19_yubi/docker-compose.ca.yubi.ssh.yaml 
@@ -8,22 +8,13 @@ services: sshserver: build: context: ./ssh_server - dockerfile: ./Dockerfile.server + dockerfile: ./Dockerfile.ca.yubi.ssh ports: - 2822:22 networks: app_private_network: ipv4_address: 172.16.238.3 - yubissh: - build: - context: ./ssh_server - dockerfile: ./Dockerfile.yubissh - ports: - - 2823:22 - networks: - app_private_network: - ipv4_address: 172.16.238.4 networks: app_private_network: ipam: diff --git a/19_yubi/docker-compose.ssh.yaml b/19_yubi/docker-compose.ssh.yaml new file mode 100644 index 0000000..33abf19 --- /dev/null +++ b/19_yubi/docker-compose.ssh.yaml @@ -0,0 +1,25 @@ +services: + internalnginx: + image: nginx:1.21.1 + networks: + app_private_network: + ipv4_address: 172.16.238.64 + + sshserver: + build: + context: ./ssh_server + dockerfile: ./Dockerfile.ssh + ports: + - 2822:22 + networks: + app_private_network: + ipv4_address: 172.16.238.3 + +networks: + app_private_network: + ipam: + driver: default + config: + - subnet: "172.16.238.0/24" + + diff --git a/19_yubi/ssh_server/.gitignore b/19_yubi/ssh_server/.gitignore index 0d7cb1a..c918da2 100644 --- a/19_yubi/ssh_server/.gitignore +++ b/19_yubi/ssh_server/.gitignore @@ -1,2 +1,3 @@ +ca-keys keys residentkeys \ No newline at end of file diff --git a/19_yubi/ssh_server/Dockerfile.yubissh b/19_yubi/ssh_server/Dockerfile.ca.yubi.ssh similarity index 80% rename from 19_yubi/ssh_server/Dockerfile.yubissh rename to 19_yubi/ssh_server/Dockerfile.ca.yubi.ssh index ebab294..2dbec93 100644 --- a/19_yubi/ssh_server/Dockerfile.yubissh +++ b/19_yubi/ssh_server/Dockerfile.ca.yubi.ssh 
@@ -48,15 +48,13 @@ echo "Start sleep infinity" sleep infinity EOF -#COPY keys/id_ed25519.pub /scratch/id_ed25519.pub -#COPY keys/id_rsa.pub /scratch/id_rsa.pub -COPY keys/authorized_keys /scratch/authorized_keys +COPY ca-keys/ca.pub /scratch/ca.pub +COPY keys/yubi_authorized_keys /scratch/yubi_authorized_keys COPY --chmod=755 < /root/.ssh/authorized_keys -#cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys +#sed 's/^/cert-authority /' /scratch/ca.pub > /root/.ssh/authorized_keys +cat /scratch/yubi_authorized_keys > /root/.ssh/authorized_keys EOF RUN /bin/preparekeys.sh diff --git a/19_yubi/ssh_server/Dockerfile.server b/19_yubi/ssh_server/Dockerfile.ssh similarity index 100% rename from 19_yubi/ssh_server/Dockerfile.server rename to 19_yubi/ssh_server/Dockerfile.ssh From 1733bbf33427ee533ac4352e74de951690f5fb55 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sun, 31 Mar 2024 21:18:02 +0100 Subject: [PATCH 05/15] docs(yubikey): :memo: Make the example use non yubikeys as well --- 19_yubi/PIV.md | 104 ---------------------- 19_yubi/README.md | 15 ++-- 19_yubi/SSH_CERTIFICATES.md | 56 +++++++++++- 19_yubi/docker-compose.ssh.yaml | 25 ------ 19_yubi/ssh_server/Dockerfile.ca.yubi.ssh | 2 + 19_yubi/ssh_server/Dockerfile.ssh | 65 -------------- 6 files changed, 62 insertions(+), 205 deletions(-) delete mode 100644 19_yubi/PIV.md delete mode 100644 19_yubi/docker-compose.ssh.yaml delete mode 100644 19_yubi/ssh_server/Dockerfile.ssh diff --git a/19_yubi/PIV.md b/19_yubi/PIV.md deleted file mode 100644 index 8a755d0..0000000 --- a/19_yubi/PIV.md +++ /dev/null 
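Review bot: With the `sed 's/^/cert-authority /'` line commented out, the server trusts the raw YubiKey public key from `yubi_authorized_keys` and never reads `ca.pub`, so `COPY ca-keys/ca.pub /scratch/ca.pub` is dead and the flow documented in SSH_CERTIFICATES.md is plain public-key auth rather than certificate auth. If certificate login is the intent, write the CA entry first and append the key: `sed 's/^/cert-authority /' /scratch/ca.pub > /root/.ssh/authorized_keys` followed by `cat /scratch/yubi_authorized_keys >> /root/.ssh/authorized_keys`; otherwise drop the COPY so the CA public key is not shipped into the image for no reason. The heredoc that defines preparekeys.sh begins outside this hunk, and its `COPY --chmod=755 <` line appears garbled in this rendering.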
@@ -1,104 +0,0 @@ -# PIV - -PIV - Personal Identity Verification - [What is PIV?](https://developers.yubico.com/PIV/) - -## Generate keys - -NOTE: An occupied slot on the Yubikey PIV interface usually contains a private key, a public key and an X509 certificate. The key pair generate, the certificate generation and the certificate import are done using different actions in the right order. REF: [Key Generation](https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html) - -Slots [here](https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) - -```sh -ykman piv --help - -# requires managmment key (not pin) -yubico-piv-tool -s 9a -a generate -k --pin-policy=once --touch-policy=always --algorithm=RSA2048 -o ./ssh_server/keys/public.pem - -yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i ./ssh_server/keys/public.pem -o ./ssh_server/keys/cert.pem - -# not working -yubico-piv-tool -s 9a -a import-key -i ./ssh_server/keys/id_ed25519 -``` - -## SSH - -Ref: [08_SSH/README.md](../08_SSH/README.md) -Ref: [chrisguest75/docker_examples/39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) - -### Run example - -The `nginx` container is not available on the network. We use the `ssh` server to allow access. - -```sh -# OpenSSH_8.6p1, LibreSSL 3.3.6 -ssh -V - -# create keys -mkdir -p ./ssh_server/keys -ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 -ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa -``` - -Start the containers. - -```sh -# start server -docker compose up -d --build --force-recreate - -# quick test -docker compose logs internalnginx -docker compose logs sshserver -``` - -SSH to get access to `nginx`. 
- -```sh -# ssh onto server -ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 -# once in ssh shell curl against the nginx container -curl 172.16.238.64:80 -``` - -### 🧼 Cleanup - -```sh -# bring it down and delete the volume -docker compose down -``` - -### Debugging and troubleshooting - -```sh -docker compose exec -it sshserver /bin/bash - -# start ssh -rsyslogd -service ssh start -nano /etc/ssh/sshd_config -service ssh restart - -passwd -cat /root/.ssh/authorized_keys -cat /var/log/auth.log - -#PasswordAuthentication yes -#PermitEmptyPasswords yes -#PermitRootLogin without-password - -# open connections -# Both work now - there was a time that only rsa seemed to work. -ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 -ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 -``` - -## Resources - -* https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html -* Getting Started: SSH Authentication with a YubiKey as a Smart Card [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) -* Getting PIV-based SSH working on a YubiKey [here](https://eta.st/2021/03/06/yubikey-5-piv.html) -* yubikey-agent is a seamless ssh-agent for YubiKeys [here](https://github.com/FiloSottile/yubikey-agent) -* Using your Yubikey to store your SSH Key (RSA 4096) [here](https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl) -* OpenSC [repo](https://github.com/OpenSC/OpenSC/wiki) -* Yubikey PIV Certificate Slot Configuration [here](https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration) -* Yubico PIV Tool [here](https://developers.yubico.com/yubico-piv-tool/) -* If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) diff --git a/19_yubi/README.md b/19_yubi/README.md index e2221f2..a94847f 100644 --- a/19_yubi/README.md +++ b/19_yubi/README.md 
@@ -113,14 +113,15 @@ lsusb -v 2> /dev/null | grep -A4 -B 5 -i yubi ## Resources -- https://zach.codes/ultimate-yubikey-setup-guide/ +- Ultimate Yubikey Setup Guide with ed25519! [here](https://zach.codes/ultimate-yubikey-setup-guide/) - YubiKey Manager - Cross-platform application for configuring any YubiKey over all USB interfaces. [here](https://www.yubico.com/support/download) -- https://developers.yubico.com/ -- https://fidoalliance.org/fido2/ +- Developer Program [here](https://developers.yubico.com/) +- FIDO Alliance [here](https://fidoalliance.org/fido2/) - Yubico OTPs Explained [here](https://developers.yubico.com/OTP/OTPs_Explained.html) * Yubikey Certificate Attestation Improved [here](https://www.securew2.com/blog/yubikey-certificate-attestation/) -* https://chewing-the-code.blogspot.com/2019/05/yubikey-ssh-onmacos.html -* https://github.com/santiago-mooser/yubikey-provisioning-scripts +* YubiKey SSH on MacOS [here](https://chewing-the-code.blogspot.com/2019/05/yubikey-ssh-onmacos.html) +* Yubikey provisioning scripts [here](https://github.com/santiago-mooser/yubikey-provisioning-scripts) * Do I need a master key to get SSH PIV working? https://developers.yubico.com/PGP/ -* https://ruimarinho.gitbooks.io/yubikey-handbook/content/ -* https://github.com/jamesog/yubikey-ssh +* Yubikey Handbook [here](https://ruimarinho.gitbooks.io/yubikey-handbook/content/) +* Yubikey as an SSH key [here](https://github.com/jamesog/yubikey-ssh) + diff --git a/19_yubi/SSH_CERTIFICATES.md b/19_yubi/SSH_CERTIFICATES.md index 7aa2f4e..aa92977 100644 --- a/19_yubi/SSH_CERTIFICATES.md +++ b/19_yubi/SSH_CERTIFICATES.md 
@@ -1,13 +1,51 @@ # SSH CERTIFICATES +The `nginx` container is not available on the network. We use the `ssh` server to allow access. + +PIV - Personal Identity Verification - [What is PIV?](https://developers.yubico.com/PIV/) + +Ref: [08_SSH/README.md](../08_SSH/README.md) +Ref: [chrisguest75/docker_examples/39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) + NOTES: * We first generate a Certificate Authority * "OpenSC is no longer required, since we now have a functional PKCS #11 module, namely ykcs11." [here](https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html) -## Generate Certificates +## Non-Apple SSL + +```sh +export PATH=$(brew --prefix openssh)/bin:$PATH +``` + +## Generate keys (non-yubi) + +```sh +# OpenSSH_8.6p1, LibreSSL 3.3.6 +ssh -V + +# create keys +mkdir -p ./ssh_server/keys +ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa + +cat ./ssh_server/keys/id_ed25519.pub > ./ssh_server/keys/nonyubi_authorized_keys +cat ./ssh_server/keys/id_rsa.pub >> ./ssh_server/keys/nonyubi_authorized_keys + + +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +``` + +## Generate certificates + +NOTE: An occupied slot on the Yubikey PIV interface usually contains a private key, a public key and an X509 certificate. The key pair generate, the certificate generation and the certificate import are done using different actions in the right order. REF: [Key Generation](https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html) + +Slots [here](https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) ```sh +ykman piv --help + mkdir -p ./ssh_server/ca-keys mkdir -p ./ssh_server/keys 
@@ -52,13 +90,14 @@ Login with YubiKey ```sh ssh -vvvv -o StrictHostKeyChecking=no -I $(realpath /usr/local/lib/libykcs11.dylib) -p 2822 root@0.0.0.0 +# once in ssh shell curl against the nginx container +curl 172.16.238.64:80 + # THIS DOES NOT WORK ssh-add -s $(realpath /usr/local/lib/libykcs11.dylib) ssh-add -L ``` - - ### 🧼 Cleanup ```sh @@ -89,5 +128,14 @@ nano /root/.ssh/authorized_keys ## Resources +* Using SSH User Certificates with PIV keys [here](https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html) +* Method 2 - SSH using Yubikey and PIV [here](https://ultrabug.fr/en/Tech%20Blog/2017/2017-05-12-hardening-ssh-authentication-using-yubikey-22/) * https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html -* https://ultrabug.fr/en/Tech%20Blog/2017/2017-05-12-hardening-ssh-authentication-using-yubikey-22/ +* Getting Started: SSH Authentication with a YubiKey as a Smart Card [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) +* Getting PIV-based SSH working on a YubiKey [here](https://eta.st/2021/03/06/yubikey-5-piv.html) +* yubikey-agent is a seamless ssh-agent for YubiKeys [here](https://github.com/FiloSottile/yubikey-agent) +* Using your Yubikey to store your SSH Key (RSA 4096) [here](https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl) +* OpenSC [repo](https://github.com/OpenSC/OpenSC/wiki) +* Yubikey PIV Certificate Slot Configuration [here](https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration) +* Yubico PIV Tool [here](https://developers.yubico.com/yubico-piv-tool/) +* If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) \ No newline at end of file diff --git a/19_yubi/docker-compose.ssh.yaml b/19_yubi/docker-compose.ssh.yaml deleted file mode 100644 index 33abf19..0000000 --- a/19_yubi/docker-compose.ssh.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -services: - internalnginx: - image: nginx:1.21.1 - networks: - app_private_network: - ipv4_address: 172.16.238.64 - - sshserver: - build: - context: ./ssh_server - dockerfile: ./Dockerfile.ssh - ports: - - 2822:22 - networks: - app_private_network: - ipv4_address: 172.16.238.3 - -networks: - app_private_network: - ipam: - driver: default - config: - - subnet: "172.16.238.0/24" - - diff --git a/19_yubi/ssh_server/Dockerfile.ca.yubi.ssh b/19_yubi/ssh_server/Dockerfile.ca.yubi.ssh index 2dbec93..91d3141 100644 --- a/19_yubi/ssh_server/Dockerfile.ca.yubi.ssh +++ b/19_yubi/ssh_server/Dockerfile.ca.yubi.ssh @@ -50,11 +50,13 @@ EOF COPY ca-keys/ca.pub /scratch/ca.pub COPY keys/yubi_authorized_keys /scratch/yubi_authorized_keys +COPY keys/nonyubi_authorized_keys /scratch/nonyubi_authorized_keys COPY --chmod=755 < /root/.ssh/authorized_keys cat /scratch/yubi_authorized_keys > /root/.ssh/authorized_keys +cat /scratch/nonyubi_authorized_keys >> /root/.ssh/authorized_keys EOF RUN /bin/preparekeys.sh diff --git a/19_yubi/ssh_server/Dockerfile.ssh b/19_yubi/ssh_server/Dockerfile.ssh deleted file mode 100644 index 904480a..0000000 --- a/19_yubi/ssh_server/Dockerfile.ssh +++ /dev/null @@ -1,65 +0,0 @@ -# syntax=docker/dockerfile:1.4 -FROM ubuntu:20.04 - -RUN apt-get update && apt-get install --no-install-recommends \ - rsyslog \ - openssh-server \ - nano \ - curl \ - lsof \ - iproute2 nmap \ - iputils-ping -y \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /scratch - -# NOTE: Escape the \$ otherwise they are rendered at buildtime -COPY --chmod=755 < /root/.ssh/authorized_keys -cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys -EOF - -RUN /bin/preparekeys.sh - -RUN chown -R root /root/.ssh/authorized_keys -RUN chmod 644 /root/.ssh/authorized_keys - -CMD [ "/bin/bash", "-c", "/bin/hold.sh" ] \ No newline at end of file From 29d587068e2ca90ce5e3f4f3024cf5b045448888 Mon Sep 17 00:00:00 2001 
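Review bot: `COPY keys/nonyubi_authorized_keys /scratch/nonyubi_authorized_keys` makes the build hard-fail whenever that file is absent, so a reader following only the YubiKey section of SSH_CERTIFICATES.md (which produces only `yubi_authorized_keys`) now gets a COPY error instead of a server; the non-YubiKey path has the mirror problem with `yubi_authorized_keys`. Either assemble a single `authorized_keys` on the host from whichever keys exist and COPY that one file, or document that both files must exist (`touch ./ssh_server/keys/nonyubi_authorized_keys` is enough). As written, every key from both flows is appended into root's authorized_keys unconditionally, so all of them get root access to the container together. The heredoc defining preparekeys.sh starts outside this hunk.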
From: Chris Guest Date: Sun, 31 Mar 2024 22:06:46 +0100 Subject: [PATCH 06/15] docs(yubi): :memo: Tidy up the documentation. --- 19_yubi/README.md | 10 ++++++++-- 19_yubi/RESIDENT_KEYS.md | 19 ++++++++++++------- 19_yubi/ssh_server/.gitignore | 2 +- 3 files changed, 21 insertions(+), 10 deletions(-) diff --git a/19_yubi/README.md b/19_yubi/README.md index a94847f..5c3e22c 100644 --- a/19_yubi/README.md +++ b/19_yubi/README.md @@ -16,7 +16,13 @@ TERMINOLOGY: TODO: -- Create an SSH server in docker and use ssh key on yubikey +- working on wsl +- git commit +- git signing +- associate to github +- signing a text file +- subkeys +- docker build attestation - Check out the attestation. - Using kms as a root key - titan keys? https://support.google.com/titansecuritykey/answer/9148044?hl=en-GB @@ -27,7 +33,7 @@ TODO: Details about the tools [here](https://developers.yubico.com/PIV/Tools.html) -* ykman - Configure your YubiKey via the command line. +* ykman - Configure your YubiKey via the command line (this is replacement for yubico-piv-tool). * yubico-piv-tool - Tool for managing Personal Identity Verification credentials on Yubikeys * gpg - OpenPGP encryption and signing tool * yubikey manager ui - [here](https://www.yubico.com/support/download/yubikey-manager/) diff --git a/19_yubi/RESIDENT_KEYS.md b/19_yubi/RESIDENT_KEYS.md index 8a05434..76df550 100644 --- a/19_yubi/RESIDENT_KEYS.md +++ b/19_yubi/RESIDENT_KEYS.md 
@@ -4,24 +4,29 @@ NOTES: * Requires brews OpenSSL as Apple compile with --disable-security-key +TODO: + +* THIS IS NOT WORKING + ```sh # OpenSSH_8.6p1, LibreSSL 3.3.6 ssh -V -export PATH=$(brew --prefix openssh)/bin:$PATH - # openssh needs to be installed from brew ssh-keygen --help -$(brew --prefix openssh)/bin/ssh-keygen --help -mkdir -p ./ssh_server/residentkeys -$(brew --prefix openssh)/bin/ssh-keygen -f ./ssh_server/residentkeys/id_ed25519-sk -t ed25519-sk -O application=ssh:personal -O no-touch-required -O resident +export PATH=$(brew --prefix openssh)/bin:$PATH +ssh-keygen --help + +mkdir -p ./ssh_server/resident-keys +ssh-keygen -f ./ssh_server/resident-keys/id_ed25519-sk -t ed25519-sk -O application=ssh:personal -O no-touch-required -O resident +ssh-keygen -K -$(brew --prefix openssh)/bin/ssh-add -K +ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e -$(brew --prefix openssh)/bin/ssh -f ./ssh_server/residentkeys/id_ed25519-sk -vvvv -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 2822 root@0.0.0.0 +ssh -f ./ssh_server/residentkeys/id_ed25519-sk -vvvv -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 2822 root@0.0.0.0 ``` ## Resources diff --git a/19_yubi/ssh_server/.gitignore b/19_yubi/ssh_server/.gitignore index c918da2..c356a62 100644 --- a/19_yubi/ssh_server/.gitignore +++ b/19_yubi/ssh_server/.gitignore @@ -1,3 +1,3 @@ ca-keys keys -residentkeys \ No newline at end of file +resident-keys \ No newline at end of file From 2c5b7c63f9a72926dd9943b39de53dc3f53d2502 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Mon, 1 Apr 2024 22:43:18 +0100 Subject: [PATCH 07/15] feat(wsl): :memo: Now working on WSL via usbipd-win sharing. --- 19_yubi/SSH_CERTIFICATES.md | 10 +++++++--- 19_yubi/WSL.md | 24 ++++++++++++++++++++++++ 34_WSL/README.md | 13 +++++++++++++ 34_WSL/WSL_USB.md | 11 +++++++++++ 4 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 19_yubi/WSL.md 
diff --git a/19_yubi/SSH_CERTIFICATES.md b/19_yubi/SSH_CERTIFICATES.md index aa92977..1785335 100644 --- a/19_yubi/SSH_CERTIFICATES.md +++ b/19_yubi/SSH_CERTIFICATES.md @@ -73,10 +73,14 @@ pkcs11-tool --login --test YubiKey thumbprint ```sh +mkdir -p ./ssh_server/keys export PATH=$(brew --prefix openssh)/bin:$PATH # copy thumbprint -ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e | grep Signature > ./ssh_server/keys/yubi_authorized_keys +LIBYKCS11_PATH=$(realpath /usr/local/lib/libykcs11.dylib) +LIBYKCS11_PATH=/home/linuxbrew/.linuxbrew/lib/libykcs11.so + +ssh-keygen -D ${LIBYKCS11_PATH} -e | grep Signature > ./ssh_server/keys/yubi_authorized_keys ``` Start the SSH server. @@ -88,13 +92,13 @@ docker compose -f ./docker-compose.ca.yubi.ssh.yaml up -d --build --force-recrea Login with YubiKey ```sh -ssh -vvvv -o StrictHostKeyChecking=no -I $(realpath /usr/local/lib/libykcs11.dylib) -p 2822 root@0.0.0.0 +ssh -vvvv -o StrictHostKeyChecking=no -I ${LIBYKCS11_PATH} -p 2822 root@0.0.0.0 # once in ssh shell curl against the nginx container curl 172.16.238.64:80 # THIS DOES NOT WORK -ssh-add -s $(realpath /usr/local/lib/libykcs11.dylib) +ssh-add -s ${LIBYKCS11_PATH} ssh-add -L ``` diff --git a/19_yubi/WSL.md b/19_yubi/WSL.md new file mode 100644 index 0000000..b9d308e --- /dev/null +++ b/19_yubi/WSL.md @@ -0,0 +1,24 @@ +# WSL + +Follow the attach and bind instructions for [34_WSL/WSL_USB.md](../34_WSL/WSL_USB.md) + + +## Share key + +```powershell +usbipd list +usbipd bind --busid 2-1 +usbipd attach --wsl --busid 2-1 +``` + +## Access key + +```sh +# install pcscd (smart card daemon) +sudo apt-get install pcscd +sudo service pcscd start + +ykman list +``` + +## Resources diff --git a/34_WSL/README.md b/34_WSL/README.md index b99d832..22428a0 100644 --- a/34_WSL/README.md +++ b/34_WSL/README.md 
@@ -7,7 +7,10 @@ NOTES: * It doesn't need HyperV, just Virtual machine platform required for WSL. * It runs one kernel for all WSL distros. * For speed your code should be copied into the vhdx. + * File IO is really impaired pulling data across the share + * This really matters with directories like node-modules. * WSLG is for graphics - it's possible to run GFX apps from linux in windows. +* When performing updates it seems to replace the kernel. TODO: @@ -42,6 +45,16 @@ dir "%LocalAppData%\packages\CanonicalGroupLimited.Ubuntu_79rhkp1fndgsc\localsta wslconfig /list ``` +## Upgrading + +Check releases [here](https://github.com/microsoft/WSL/releases) + +WARNING: This seems to replace the kernel. So if you're on a custom build it will replace it. + +```powershell +wsl --update +``` + ## Starting ```sh diff --git a/34_WSL/WSL_USB.md b/34_WSL/WSL_USB.md index 9b41c30..9b665be 100644 --- a/34_WSL/WSL_USB.md +++ b/34_WSL/WSL_USB.md @@ -43,6 +43,17 @@ sudo apt install v4l-utils sudo v4l2-ctl --list-devices ``` +## Detach + +```sh +# detach and unbind +usbipd detach -b 1-12 +usbipd unbind -b 1-12 + +# should be not-shared +usbipd list +``` + ## Resources * Connect USB devices [here](https://learn.microsoft.com/en-us/windows/wsl/connect-usb) From 93d1e942318fa895b926b63fb773de734639fcd9 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Mon, 1 Apr 2024 23:07:16 +0100 Subject: [PATCH 08/15] feat(yubigit): :sparkles: Start adding some instructions on how to use ssh keys with gitea server. --- 19_yubi/GIT_SSH.md | 23 ++++++++++++++++ 19_yubi/git-server/.gitignore | 1 + 19_yubi/git-server/README.md | 38 ++++++++++++++++++++++++++ 19_yubi/git-server/docker-compose.yaml | 23 ++++++++++++++++ 4 files changed, 85 insertions(+) create mode 100644 19_yubi/GIT_SSH.md create mode 100644 19_yubi/git-server/.gitignore create mode 100644 19_yubi/git-server/README.md create mode 100644 19_yubi/git-server/docker-compose.yaml 
diff --git a/19_yubi/GIT_SSH.md b/19_yubi/GIT_SSH.md new file mode 100644 index 0000000..d8c0f1a --- /dev/null +++ b/19_yubi/GIT_SSH.md @@ -0,0 +1,23 @@ +# GIT SSH + +Goto [](./git-server/README.md) and install a local server. + +TODO: + +* gitea rsa key has to be 3072 key length + +## User SSH key + +```sh +# copy thumbprint +LIBYKCS11_PATH=$(realpath /usr/local/lib/libykcs11.dylib) +LIBYKCS11_PATH=/home/linuxbrew/.linuxbrew/lib/libykcs11.so + +# copy the key to gitea +ssh-keygen -D ${LIBYKCS11_PATH} -e | grep Signature +``` + + +## Resources + +* SSH key cannot be verified due to 2047 lengt [here](https://github.com/go-gitea/gitea/issues/20249) diff --git a/19_yubi/git-server/.gitignore b/19_yubi/git-server/.gitignore new file mode 100644 index 0000000..e649936 --- /dev/null +++ b/19_yubi/git-server/.gitignore @@ -0,0 +1 @@ +gitea diff --git a/19_yubi/git-server/README.md b/19_yubi/git-server/README.md new file mode 100644 index 0000000..748ef7e --- /dev/null +++ b/19_yubi/git-server/README.md @@ -0,0 +1,38 @@ +# README + +Gitea is a git server. + +## Start + +```sh +cd 19_yubi/git-server + +docker compose up + +open http://localhost:3000/ +``` + +## Test + +* Create a new user (or set admin) +* Initialise a repo + +```sh +touch README.md +git init +git checkout -b main +git add README.md +git commit -m "first commit" +git remote add origin http://localhost:3000/gittest/anothertest.git +git push -u origin main +``` + +## Cleanup + +```sh +docker compose down +``` + +## Resources + +* Installation with Docker [here](https://docs.gitea.com/installation/install-with-docker) diff --git a/19_yubi/git-server/docker-compose.yaml b/19_yubi/git-server/docker-compose.yaml new file mode 100644 index 0000000..6c88e19 --- /dev/null +++ b/19_yubi/git-server/docker-compose.yaml 
@@ -0,0 +1,23 @@
+version: "3"
+
+networks:
+ gitea:
+ external: false
+
+services:
+ server:
+ image: gitea/gitea:1.21.7
+ container_name: gitea
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ restart: always
+ networks:
+ - gitea
+ volumes:
+ - ./gitea:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - "3000:3000"
+ - "222:22"
From 71c8f77bc9f4e91e917366768014b91a9c36336a Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sun, 7 Apr 2024 22:49:14 +0100 Subject: [PATCH 09/15] docs(yubi): :memo: More links and examples
--- 19_yubi/README.md | 8 ++++++++ 19_yubi/RESIDENT_KEYS.md | 14 +++++++++--- 19_yubi/SSH_CERTIFICATES.md | 11 ++++++++++- 3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/19_yubi/README.md b/19_yubi/README.md
index 5c3e22c..e23decf 100644
--- a/19_yubi/README.md
+++ b/19_yubi/README.md
@@ -29,6 +29,10 @@ TODO: - https://github.com/ixydo/gpg-smartcard-automation - Yubikey provisioning https://github.com/santiago-mooser/yubikey-provisioning-scripts +## Check genuine Yubikey + +Verify your Yubikey [here](https://www.yubico.com/genuine/) + ## Tools Details about the tools [here](https://developers.yubico.com/PIV/Tools.html)
@@ -131,3 +135,7 @@ lsusb -v 2> /dev/null | grep -A4 -B 5 -i yubi * Yubikey Handbook [here](https://ruimarinho.gitbooks.io/yubikey-handbook/content/) * Yubikey as an SSH key [here](https://github.com/jamesog/yubikey-ssh) +### Guides + +* https://github.com/drduh/YubiKey-Guide +* https://github.com/santiago-mooser/yubikey-provisioning-scripts \ No newline at end of file
diff --git a/19_yubi/RESIDENT_KEYS.md b/19_yubi/RESIDENT_KEYS.md
index 76df550..643076b 100644
--- a/19_yubi/RESIDENT_KEYS.md
+++ b/19_yubi/RESIDENT_KEYS.md
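Review bot: The `ports:` entries at the end of the hunk, `"3000:3000"` and `"222:22"`, bind to every host interface, so the Gitea web UI and its SSH endpoint are reachable from the host's network rather than only from the `localhost` URL the README in this commit uses; for a local test server bind them to loopback with `- "127.0.0.1:3000:3000"` and `- "127.0.0.1:222:22"`. The `./gitea:/data` volume presumably receives the server's database, config and the SSH host keys it generates on first start, which is what the `gitea` entry in the new `.gitignore` is protecting, so a comment on the volume line such as `# server state (DB, app.ini, SSH host keys) - kept out of git` would make that link explicit. `version: "3"` at the top is ignored by current Compose and can be dropped.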
@@ -18,10 +18,13 @@ ssh-keygen --help export PATH=$(brew --prefix openssh)/bin:$PATH ssh-keygen --help +ykman piv access change-pin + mkdir -p ./ssh_server/resident-keys ssh-keygen -f ./ssh_server/resident-keys/id_ed25519-sk -t ed25519-sk -O application=ssh:personal -O no-touch-required -O resident - +# both not working correctly +ykman fido credentials list --pin 654321 ssh-keygen -K ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e @@ -31,5 +34,10 @@ ssh -f ./ssh_server/residentkeys/id_ed25519-sk -vvvv -o StrictHostKeyChecking=no ## Resources -* https://dev.to/tw3n/using-yubikey-resident-keys-for-git-and-ssh-on-macos-48j7 -* https://stackoverflow.com/questions/68573454/having-difficulty-to-get-ssh-with-a-yubikey-working-with-macos-monterey \ No newline at end of file +* Using YubiKey resident keys for Git and SSH on macOS [here](https://dev.to/tw3n/using-yubikey-resident-keys-for-git-and-ssh-on-macos-48j7) +* Having difficulty to get SSH with a Yubikey working with macOS monterey [here](https://stackoverflow.com/questions/68573454/having-difficulty-to-get-ssh-with-a-yubikey-working-with-macos-monterey) +https://ilanjoselevich.com/blog/using-ssh-resident-keys-with-a-yubikey-5/ +https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html +https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys +https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys#introduction +https://www.corbado.com/blog/passkeys-vs-2fa-security \ No newline at end of file diff --git a/19_yubi/SSH_CERTIFICATES.md b/19_yubi/SSH_CERTIFICATES.md index 1785335..18d90da 100644 --- a/19_yubi/SSH_CERTIFICATES.md +++ b/19_yubi/SSH_CERTIFICATES.md 
@@ -57,6 +57,9 @@ sed 's/^/cert-authority /' ./ssh_server/ca-keys/ca.pub > ./ssh_server/ca-keys/au # generate a key yubico-piv-tool -a generate -s 9c -A RSA2048 --pin-policy=never --touch-policy=always -o ./ssh_server/keys/public.pem +# ERROR: ED25519 requires YubiKey 5.7 or later +ykman piv keys generate --management-key 010203040506070801020304050607080102030405060708 --pin 123456 --algorithm ED25519 --touch-policy ALWAYS --format PEM 9c - + # when doing this you have to touch the key yubico-piv-tool -a selfsign-certificate -s 9c -S "/CN=SSH key/" -i ./ssh_server/keys/public.pem -o ./ssh_server/keys/cert.pem @@ -73,6 +76,11 @@ pkcs11-tool --login --test YubiKey thumbprint ```sh +ykman piv keys info 9c +ykman piv keys export --pin 123456 9c - + + + mkdir -p ./ssh_server/keys export PATH=$(brew --prefix openssh)/bin:$PATH @@ -142,4 +150,5 @@ nano /root/.ssh/authorized_keys * OpenSC [repo](https://github.com/OpenSC/OpenSC/wiki) * Yubikey PIV Certificate Slot Configuration [here](https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration) * Yubico PIV Tool [here](https://developers.yubico.com/yubico-piv-tool/) -* If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) \ No newline at end of file +* If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) +* https://debugging.works/blog/yubikey-cheatsheet/ \ No newline at end of file From fc5dd75b9e0f19d1818ef9d861958c1d04dc2cbe Mon Sep 17 00:00:00 2001 
From: Chris Guest Date: Fri, 19 Apr 2024 20:48:27 +0100 Subject: [PATCH 10/15] feat(yubi): :sparkles: Resident keys working. Now to test it on multiple machines. --- 19_yubi/GLOSSARY.md | 35 ++++++++++++++++++++ 19_yubi/README.md | 26 ++++++--------- 19_yubi/RESIDENT_KEYS.md | 63 ++++++++++++++++++++++++++++-------- 19_yubi/SUBKEYS.md | 21 ------------ 19_yubi/TODO.md | 54 +++++++++++++++++++++++++++++++ 19_yubi/WSL.md | 7 ++-- 19_yubi/git-server/README.md | 21 ++++++++++-- 7 files changed, 170 insertions(+), 57 deletions(-) create mode 100644 19_yubi/GLOSSARY.md create mode 100644 19_yubi/TODO.md diff --git a/19_yubi/GLOSSARY.md b/19_yubi/GLOSSARY.md new file mode 100644 index 0000000..b2d82c0 --- /dev/null +++ b/19_yubi/GLOSSARY.md 
@@ -0,0 +1,35 @@
+# GLOSSARY
+
+## Terms
+
+- TOFU - Trust On First Use anti-pattern
+
+## Algorithms
+
+- DSA - Digital Signature Algorithm. It should not be used anymore.
+- RSA - Rivest–Shamir–Adleman
+- ECDSA - Elliptic Curve Digital Signature Algorithm
+- ED25519 - Edwards-Curve Digital Signature Algorithm (EdDSA)
+- ELG-E - ElGamal encryption system
+- eccp256 - 256bit curve
+- eccp384 - 384bit curve
+- GPG - GNU Privacy Guard
+
+## File formats
+
+- ASN.1 - Abstract Syntax Notation One
+- PEM - (Privacy Enhanced Mail”) "-----BEGIN CERTIFICATE-----"
+- DER (Distinguished Encoding Rules) - Binary Format
+- PKCS - Public-Key Cryptography Standards
+- PKCS#8 Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2
+- PKCS#11 - Cryptographic Token Interface Standard - defines a platform-independent API to cryptographic tokens
+- PKCS#12 - defines an archive file format for storing many cryptography objects as a single file.
+
+## Resources
+
+- PKCS List of Standards [here](https://en.wikipedia.org/wiki/PKCS)
+- Edwards-Curve Digital Signature Algorithm (EdDSA) [here](https://datatracker.ietf.org/doc/html/rfc8032)
+- Elliptic curve P-384 [here](https://www.johndcook.com/blog/2019/05/11/elliptic-curve-p-384/)
+- ElGamal encryption [here](https://en.wikipedia.org/wiki/ElGamal_encryption)
+- PEM, DER, CRT, and CER: X.509 Encodings and Conversions [here](https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/)
+- PKCS#11: Cryptographic Token Interface Standard [here](https://www.cryptsoft.com/pkcs11doc/)
\ No newline at end of file
diff --git a/19_yubi/README.md b/19_yubi/README.md
index e23decf..4fa13fa 100644
--- a/19_yubi/README.md
+++ b/19_yubi/README.md
@@ -12,22 +12,7 @@ TERMINOLOGY: - OTP - [One-time password](https://en.wikipedia.org/wiki/One-time_password) - PIV - Personal Identity Verification - [What is PIV?](https://developers.yubico.com/PIV/) - WebAuthn - [WebAuthn Introduction](https://developers.yubico.com/WebAuthn) -- PKCS - Public Key Cryptography Standards [PKCS#11](https://en.wikipedia.org/wiki/PKCS_11) - -TODO: - -- working on wsl -- git commit -- git signing -- associate to github -- signing a text file -- subkeys -- docker build attestation -- Check out the attestation. -- Using kms as a root key -- titan keys? https://support.google.com/titansecuritykey/answer/9148044?hl=en-GB -- https://github.com/ixydo/gpg-smartcard-automation -- Yubikey provisioning https://github.com/santiago-mooser/yubikey-provisioning-scripts +- PKCS - Public Key Cryptography Standards [PKCS](https://en.wikipedia.org/wiki/PKCS) ## Check genuine Yubikey @@ -101,6 +86,10 @@ Technical details about the YubiKey PIV implementation can be found [here](https Change the pins PIN and PUK ```sh +# reset key +ykman piv reset +ykman fido reset + # generate random key key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` echo $key @@ -109,6 +98,11 @@ yubico-piv-tool -a set-mgm-key -n $key --key 01020304050607080102030405060708010 # pins yubico-piv-tool -a change-pin -P 123456 -N 123456 yubico-piv-tool -a change-puk -P 12345678 -N 12345678 + +# or new tool +ykman piv access change-pin --pin 123456 --new-pin 654321 +ykman piv access change-puk --pin 12345678 --new-pin 87654321 +ykman fido access change-pin --new-pin 654321 ``` ## Prereqs diff --git a/19_yubi/RESIDENT_KEYS.md b/19_yubi/RESIDENT_KEYS.md index 643076b..4abf4c6 100644 --- a/19_yubi/RESIDENT_KEYS.md +++ b/19_yubi/RESIDENT_KEYS.md 
@@ -3,10 +3,10 @@ NOTES: * Requires brews OpenSSL as Apple compile with --disable-security-key +* Resident Keys are Passkeys +* Resident Keys are generated on the yubikey and therefore you will have a unique key per yubikey. -TODO: - -* THIS IS NOT WORKING +## Generate ```sh # OpenSSH_8.6p1, LibreSSL 3.3.6 
@@ -18,26 +18,61 @@ ssh-keygen --help export PATH=$(brew --prefix openssh)/bin:$PATH ssh-keygen --help -ykman piv access change-pin +# clean out the key +ykman fido reset + +# pins +ykman fido access change-pin --new-pin 654321 mkdir -p ./ssh_server/resident-keys -ssh-keygen -f ./ssh_server/resident-keys/id_ed25519-sk -t ed25519-sk -O application=ssh:personal -O no-touch-required -O resident -# both not working correctly -ykman fido credentials list --pin 654321 +# no touch +ssh-keygen -f ./ssh_server/resident-keys/id_ed25519-sk-notouch -t ed25519-sk -O application=ssh:no-touch-personal -O no-touch-required -O resident + +# list keys +ykman fido credentials list --pin 654321 + +# download keys from fido into current directory ssh-keygen -K +``` + +## SSH + +```sh +ssh -i ./id_ed25519_sk_rk_no-touch-personal -vvvv -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 2822 root@0.0.0.0 +``` -ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e +## Gitea -ssh -f ./ssh_server/residentkeys/id_ed25519-sk -vvvv -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 2822 root@0.0.0.0 +Goto Gitea [git-server/README.md](./git-server/README.md) + +```sh +# connect to gitea server +ssh -i ./id_ed25519_sk_rk_no-touch-personal -p 222 git@localhost +``` + +## Troubleshooting + +It seems that if you're having trouble logging in then kill `ssh-agent` and try again. 
+ +```sh +# +ssh-add -D + +ps -ax | grep ssh-agent +kill [id] ``` ## Resources * Using YubiKey resident keys for Git and SSH on macOS [here](https://dev.to/tw3n/using-yubikey-resident-keys-for-git-and-ssh-on-macos-48j7) * Having difficulty to get SSH with a Yubikey working with macOS monterey [here](https://stackoverflow.com/questions/68573454/having-difficulty-to-get-ssh-with-a-yubikey-working-with-macos-monterey) -https://ilanjoselevich.com/blog/using-ssh-resident-keys-with-a-yubikey-5/ -https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html -https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys -https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys#introduction -https://www.corbado.com/blog/passkeys-vs-2fa-security \ No newline at end of file +* Using SSH Resident Keys With a YubiKey 5 [here](https://ilanjoselevich.com/blog/using-ssh-resident-keys-with-a-yubikey-5/) +* Discoverable Credentials / Resident Keys [here](https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html) +* WebAuthn Resident Key: Discoverable Credentials as Passkeys [here](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys) +* Passkeys vs. 2FA: Why Passkeys are More Secure than Regular 2FA [here](https://www.corbado.com/blog/passkeys-vs-2fa-security) +* Yubico’s Take on U2F Key Wrapping [here](https://www.yubico.com/blog/yubicos-u2f-key-wrapping/) + +* Use same ed25519-sk key with two different Yubikeys [here](https://www.reddit.com/r/yubikey/comments/pkey1j/use_same_ed25519sk_key_with_two_different_yubikeys/) +* Gitlab: Show how to configure git for key [here](https://docs.gitlab.com/ee/user/ssh.html) +* Show HN: Yubikey-agent – an easy to use Go ssh-agent for YubiKeys [here](https://news.ycombinator.com/item?id=23131979) diff --git a/19_yubi/SUBKEYS.md b/19_yubi/SUBKEYS.md index e5676c1..2a29082 100644 --- a/19_yubi/SUBKEYS.md 
+++ b/19_yubi/SUBKEYS.md @@ -7,22 +7,6 @@ TODO: https://github.com/drduh/YubiKey-Guide#sub-keys -## Taxonomy - -- DSA - Digital Signature Algorithm. It should not be used anymore. -- RSA - Rivest–Shamir–Adleman -- ECDSA - Elliptic Curve Digital Signature Algorithm -- ED25519 - Edwards-Curve Digital Signature Algorithm (EdDSA) -- ELG-E - ElGamal encryption system -- eccp256 - 256bit curve -- eccp384 - 384bit curve -- PEM - (Privacy Enhanced Mail”) "-----BEGIN CERTIFICATE-----" -- DER (Distinguished Encoding Rules) - Binary Format -- PKCS - Public-Key Cryptography Standards -- PKCS#11 - Cryptographic Token Interface Standard - defines a platform-independent API to cryptographic tokens -- PKCS#12 - defines an archive file format for storing many cryptography objects as a single file. -- GPG - GNU Privacy Guard -- TOFU - Trust On First Use anti-pattern ## Generate @@ -109,8 +93,3 @@ https://wiki.debian.org/Subkeys https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ -- Edwards-Curve Digital Signature Algorithm (EdDSA) [here](https://datatracker.ietf.org/doc/html/rfc8032) -- Elliptic curve P-384 [here](https://www.johndcook.com/blog/2019/05/11/elliptic-curve-p-384/) -- ElGamal encryption [here](https://en.wikipedia.org/wiki/ElGamal_encryption) -- PEM, DER, CRT, and CER: X.509 Encodings and Conversions [here](https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/) -- PKCS#11: Cryptographic Token Interface Standard [here](https://www.cryptsoft.com/pkcs11doc/) diff --git a/19_yubi/TODO.md b/19_yubi/TODO.md new file mode 100644 index 0000000..44778c6 --- /dev/null +++ b/19_yubi/TODO.md 
@@ -0,0 +1,54 @@ +TODO: + + + + +openssl asn1parse -in ./ssh_server/keys/id_rsa +openssl asn1parse -in ./ssh_server/keys/id_ed25519 +openssl asn1parse -in ./ssh_server/resident-keys/id_ed25519-sk + + +ssh-keygen -D $(realpath /usr/local/lib/libykcs11.dylib) -e + + + + +* Generate an SSH certificate +* Upload a RSA4096 key onto yubikey +* Upload a ED25519 key onto yubikey + + + + +- working on wsl +- git commit +- git signing +- associate to github +- signing a text file +- subkeys +- docker build attestation +- Check out the attestation. +- Using kms as a root key +- titan keys? https://support.google.com/titansecuritykey/answer/9148044?hl=en-GB +- https://github.com/ixydo/gpg-smartcard-automation +- Yubikey provisioning https://github.com/santiago-mooser/yubikey-provisioning-scripts + +* How to Store an SSH Key on a Yubikey https://news.ycombinator.com/item?id=31556130 + +Add support for security key/FIDO2-based ssh keys https://gitlab.com/gitlab-org/gitlab/-/issues/213259 + +Security keys are now supported for SSH Git operations https://github.blog/2021-05-10-security-keys-supported-ssh-git-operations/ + + +ECDSA: The digital signature algorithm of a better internet https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet + + +How secure is ed25519 compared to ecdsa or rsa for ssh keys? https://www.reddit.com/r/sysadmin/comments/hemawt/how_secure_is_ed25519_compared_to_ecdsa_or_rsa/ + + + +https://blog.fraggod.net/2015/09/04/parsing-openssh-ed25519-keys-for-fun-and-profit.html + + + + diff --git a/19_yubi/WSL.md b/19_yubi/WSL.md index b9d308e..8b476a6 100644 --- a/19_yubi/WSL.md +++ b/19_yubi/WSL.md @@ -2,8 +2,7 @@ Follow the attach and bind instructions for [34_WSL/WSL_USB.md](../34_WSL/WSL_USB.md) - -## Share key +## Share key into WSL ```powershell usbipd list @@ -11,7 +10,7 @@ usbipd bind --busid 2-1 usbipd attach --wsl --busid 2-1 ``` -## Access key +## Access key ```sh # install pcscd (smart card daemon) 
@@ -22,3 +21,5 @@ ykman list ``` ## Resources + +* Windows software for sharing locally connected USB devices to other machines, including Hyper-V guests and WSL 2. [here](https://github.com/dorssel/usbipd-win) diff --git a/19_yubi/git-server/README.md b/19_yubi/git-server/README.md index 748ef7e..9cc159a 100644 --- a/19_yubi/git-server/README.md +++ b/19_yubi/git-server/README.md @@ -2,6 +2,10 @@ Gitea is a git server. +NOTE: + +* It does not handle RSA ssh keys less than 3072Kb. + ## Start ```sh @@ -14,16 +18,27 @@ open http://localhost:3000/ ## Test -* Create a new user (or set admin) -* Initialise a repo +* Create a new user (or set admin) `chrisguest` +* Initialise a repo "gitea_testing" +* Add an ssh key for the user. ```sh +# outside of a git tree +mkdir gitea_testing + touch README.md git init git checkout -b main git add README.md git commit -m "first commit" -git remote add origin http://localhost:3000/gittest/anothertest.git + +git remote add origin http://localhost:3000/chrisguest/gitea_testing.git +git remote remove origin +git remote add origin git@localhost:222:chrisguest/gitea_testing.git + +# quick test connect - it will print out identity and disconnect. +ssh -p 222 git@localhost + git push -u origin main ``` From dfd9b55d2cc68e972d05aa956aa9ecd22de51b35 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Fri, 19 Apr 2024 21:30:14 +0100 Subject: [PATCH 11/15] feat(yubikeys): :sparkles: Add the ssh override for git --- 19_yubi/RESIDENT_KEYS.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/19_yubi/RESIDENT_KEYS.md b/19_yubi/RESIDENT_KEYS.md index 4abf4c6..3c9e750 100644 --- a/19_yubi/RESIDENT_KEYS.md +++ b/19_yubi/RESIDENT_KEYS.md 
@@ -51,6 +51,14 @@ Goto Gitea [git-server/README.md](./git-server/README.md) ssh -i ./id_ed25519_sk_rk_no-touch-personal -p 222 git@localhost ``` +## Github + +```sh +# override the ssh command to use the yubi resident key +export GIT_SSH_COMMAND="ssh -i $(pwd)/ssh_server/resident-keys/id_ed25519_sk_rk_no-touch-personal" +git remote show origin +``` + ## Troubleshooting It seems that if you're having trouble logging in then kill `ssh-agent` and try again. From 456117c10cd7b3a384d8fc1e006341356fcda089 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sat, 20 Apr 2024 20:10:02 +0100 Subject: [PATCH 12/15] feat(passkeys): :sparkles: Add information about passkeys on yubikey --- 19_yubi/GIT_SSH.md | 2 +- 19_yubi/PASSKEYS.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 19_yubi/PASSKEYS.md diff --git a/19_yubi/GIT_SSH.md b/19_yubi/GIT_SSH.md index d8c0f1a..2d3e1c8 100644 --- a/19_yubi/GIT_SSH.md +++ b/19_yubi/GIT_SSH.md @@ -1,6 +1,6 @@ # GIT SSH -Goto [](./git-server/README.md) and install a local server. +Goto [git-server/README.md](./git-server/README.md) and install a local server. TODO: diff --git a/19_yubi/PASSKEYS.md b/19_yubi/PASSKEYS.md new file mode 100644 index 0000000..1ec1553 --- /dev/null +++ b/19_yubi/PASSKEYS.md 
@@ -0,0 +1,43 @@
+# PASSKEYS
+
+Passkeys are more secure as passwords do not get sent to external services.
+
+NOTES:
+
+* They are hard to phish as you still need access to the physical key
+* No passwords leave the device. The pin is only using to unlock the private key.
+* You shold really register multiple passkeys.
+* They are not only yubikeys; iOS, Android, 1Password, etc all have versions.
+
+## Process
+
+* Add key to account
+* Login
+* Type in your pin when challenged
+* Press the yubikey
+
+## Github
+
+You can register a security key and promote it to a passkey.
+
+This gets added as a FIDO resident key and takes a slot.
+
+```sh
+nix-shell -p yubikey-manager
+
+# list keys
+ykman fido credentials list --pin 654321
+```
+
+## Tested (on github.com)
+
+* NixOS with Firefox (gnome browser did not support them)
+* MacOS with Chrome
+* Android with Chrome
+* iOS with Safari
+
+## Resources
+
+* https://www.passkeys.io/
+* https://passkeys.dev/
+* https://github.com/passwordless-id/webauthn?tab=readme-ov-file
\ No newline at end of file
From b46b8dba18657391367fd50f4c86122f5a75fc4f Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sat, 20 Apr 2024 23:12:27 +0100 Subject: [PATCH 13/15] docs(wsl): :memo: WSL resident keys are not working yet.
--- 19_yubi/RESIDENT_KEYS.md | 6 ++++++ 19_yubi/WSL.md | 45 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+)
diff --git a/19_yubi/RESIDENT_KEYS.md b/19_yubi/RESIDENT_KEYS.md
index 3c9e750..647040a 100644
--- a/19_yubi/RESIDENT_KEYS.md
+++ b/19_yubi/RESIDENT_KEYS.md
@@ -1,5 +1,11 @@ # RESIDENT KEYS +Resident keys always stay on the security key. The keys that are generated and stored locally are proxies to the private key. + +TODO: + +* YubiKey resident SSH keys on Windows+WSL [here](https://zakaria.org/posts/resident-ssh-keys-on-windows.html) + NOTES: * Requires brews OpenSSL as Apple compile with --disable-security-key
diff --git a/19_yubi/WSL.md b/19_yubi/WSL.md
index 8b476a6..f769290 100644
--- a/19_yubi/WSL.md +++ b/19_yubi/WSL.md @@ -2,11 +2,22 @@ Follow the attach and bind instructions for [34_WSL/WSL_USB.md](../34_WSL/WSL_USB.md) +NOTES: + +* You can use the windows cli tool (but you have to have entered the WSL from a powershell admin prompt) + +## Tools + +Choco does not seem to have latest yubikey-manager goto [github] (https://github.com/Yubico/yubikey-manager/releases/tag/5.4.0) instead. + ## Share key into WSL ```powershell +# find usbipd list +# share usbipd bind --busid 2-1 +# attach usbipd attach --wsl --busid 2-1 ``` @@ -16,10 +27,44 @@ usbipd attach --wsl --busid 2-1 # install pcscd (smart card daemon) sudo apt-get install pcscd sudo service pcscd start +sudo service pcscd restart + +# show usb devices +lsusb +# will show a key ykman list + +# NOT WORKING +ykman fido info ``` +## Detach + +```sh +# detach and unbind +usbipd detach -b 2-1 +usbipd unbind -b 2-1 + +# should be not-shared +usbipd list +``` + +## Troubleshooting + +```sh +ykman info +ykman --diagnose + +ykman fido info + +# use windows cli app (you have to have detached the usb device though and enter wsl from powershell admin prompt) +/mnt/c/Program\ Files/Yubico/YubiKey\ Manager\ CLI/ykman.exe fido credentials list +``` + + ## Resources * Windows software for sharing locally connected USB devices to other machines, including Hyper-V guests and WSL 2. [here](https://github.com/dorssel/usbipd-win) +* https://github.com/Yubico/yubikey-manager/issues/558 +* https://superuser.com/questions/1708979/why-yubikey-usb-key-needs-administrator-rights-or-any-other-device \ No newline at end of file From 529b7d2d4b003dbf790f39849b2e5f751132cfae Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sun, 21 Apr 2024 16:03:41 +0100 Subject: [PATCH 14/15] docs(todo): :memo: Update todo --- 19_yubi/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/19_yubi/README.md b/19_yubi/README.md index 4fa13fa..d4588b1 100644 --- a/19_yubi/README.md +++ b/19_yubi/README.md 
@@ -2,6 +2,14 @@ Demonstrate how to use `yubikey`. +TODO: + +* wsl test - WSL is broken when sharing key. +* cleanup the PR +* Do I need to change the mgm key to increase entropy of private keys? +* Change the pin with keys on there? + + ## Reason Yubikey offers a lot of support for different auth protocols and certificates. From 3ed2c28910e1001fdda2ebc75566e03413c6a97d Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sun, 21 Apr 2024 23:09:20 +0100 Subject: [PATCH 15/15] fix(yubi): :memo: Fix the yubikey docs --- 19_yubi/RESIDENT_KEYS.md | 4 ++++ 19_yubi/WSL.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/19_yubi/RESIDENT_KEYS.md b/19_yubi/RESIDENT_KEYS.md index 647040a..52a7ceb 100644 --- a/19_yubi/RESIDENT_KEYS.md +++ b/19_yubi/RESIDENT_KEYS.md @@ -45,6 +45,10 @@ ssh-keygen -K ## SSH ```sh +# start the SSH server. +docker compose -f ./docker-compose.ca.yubi.ssh.yaml up -d --build --force-recreate + +# login ssh -i ./id_ed25519_sk_rk_no-touch-personal -vvvv -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 2822 root@0.0.0.0 ``` diff --git a/19_yubi/WSL.md b/19_yubi/WSL.md index f769290..c4f665b 100644 --- a/19_yubi/WSL.md +++ b/19_yubi/WSL.md @@ -4,6 +4,7 @@ Follow the attach and bind instructions for [34_WSL/WSL_USB.md](../34_WSL/WSL_US NOTES: +* RESIDENT KEYS ARE NOT WORKING CORRECTLY YET!! * You can use the windows cli tool (but you have to have entered the WSL from a powershell admin prompt) ## Tools @@ -62,7 +63,6 @@ ykman fido info /mnt/c/Program\ Files/Yubico/YubiKey\ Manager\ CLI/ykman.exe fido credentials list ``` - ## Resources * Windows software for sharing locally connected USB devices to other machines, including Hyper-V guests and WSL 2. [here](https://github.com/dorssel/usbipd-win)