@baughj
Created March 16, 2021 17:41
yubikey provisioner script
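#!/bin/bash
#
# Provision a YubiKey's PIV slots and obtain an SSH certificate for it.
#
#   9a  authentication key (RSA, ykman default), X.509 cert signed by the CA
#   9d  key-management key  (RSA, ykman default), X.509 cert signed by the CA
#   9c  ECDSA P-384 key used for SSH; its public key is certified by the
#       SSH CA on the "citadel" host (no X.509 needed for yubikey-agent)
#
# Usage: $0 <OSX username> <ssh principals> <expiration>
#   <expiration> is passed through to citadel_sign (days, e.g. 1825).
#   The SSH certificate's validity is fixed at +52w below, independent of it.
#
# Environment (optional overrides):
#   CITADEL_SSH  user@host of the signing box   (default: baughj@citadel)
#   YKCS11_LIB   path of the YubiKey PKCS#11 module
#                (default: /usr/local/lib/libykcs11.dylib)
#
# Requires ~/.includes/citadel.bash to provide citadel_unlock and citadel_sign.
set -euo pipefail

readonly CERT_SUBJECT="C=US,O=ERISCO\, LLC,OU=PIV Certificates"
readonly CITADEL_SSH="${CITADEL_SSH:-baughj@citadel}"
readonly YKCS11_LIB="${YKCS11_LIB:-/usr/local/lib/libykcs11.dylib}"

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print usage to stderr and exit 2 (usage error is no longer a "success").
usage() {
  printf 'Usage: %s <OSX username> <ssh principals> <expiration>\n' "$0" >&2
  printf 'Example: %s baughj justin.baugh,baughj 1825\n' "$0" >&2
  printf '\n' >&2
  printf '%s\n' "Warning: It's a good idea to have at least two yubikeys for token auth," >&2
  printf '%s\n' " and they should NOT have the same cert expiration dates." >&2
  exit 2
}

#######################################
# Provision the connected YubiKey.
# Arguments: $1 - OSX username (CN of the X.509 certs, -I of the SSH cert)
#            $2 - SSH principals, comma separated
#            $3 - X.509 expiration passed to citadel_sign
# Outputs:   writes *Pubkey.pem, *Req.pem, *Cert.pem, *.pub and *-cert.pub
#            files for this user/serial into the current directory
#######################################
main() {
  (( $# == 3 )) || usage
  local osx_user=$1 principals=$2 expiration=$3

  command -v ykman >/dev/null 2>&1 \
    || die "You need to install ykman. On OSX: brew install ykman"

  read -r -p "Connect USB Armory, and when double blinking, hit enter to continue"

  # With pipefail a missing "Serial" line makes grep fail; default to empty
  # so the friendly message below is what the user sees. Previously the
  # script printed this message and then carried on with an empty serial.
  local YUBISERIAL
  YUBISERIAL=$(ykman info | grep Serial | awk '{ print $3 }') || YUBISERIAL=""
  [[ -n "$YUBISERIAL" ]] || die "Is yubikey connected? Couldn't get its serial number"

  # Get our USB armory functions
  [[ -r "$HOME/.includes/citadel.bash" ]] \
    || die "Missing $HOME/.includes/citadel.bash (provides citadel_unlock/citadel_sign)"
  # shellcheck source=/dev/null
  source "$HOME/.includes/citadel.bash"
  citadel_unlock

  # Make filenames easier (locals are visible to the sourced citadel functions)
  local NINEA="${osx_user}-${YUBISERIAL}-9A"
  local NINEC="${osx_user}-${YUBISERIAL}-9C"
  local NINED="${osx_user}-${YUBISERIAL}-9D"
  local SSH_CERT_SERIAL
  SSH_CERT_SERIAL="$(date +%Y%m%d)${YUBISERIAL}"

  # Generate two RSA keys in 9a/9d for standard auth
  echo "Generating 9a (authentication) key. You'll be prompted for PIN."
  ykman piv keys generate --pin-policy default --touch-policy default 9a - > "${NINEA}Pubkey.pem"
  echo "Generating 9d (key management) key. You'll be prompted for PIN."
  ykman piv keys generate --pin-policy default --touch-policy default 9d - > "${NINED}Pubkey.pem"

  # Generate ECDSA key in slot 9c which will be used for ssh
  echo "Generating 9c (digital signature / ssh) key. You'll be prompted for PIN."
  ykman piv keys generate -a eccp384 --pin-policy once --touch-policy cached 9c - > "${NINEC}Pubkey.pem"

  # Generate CSRs for 9a/9d (we don't need X509 for ssh or for use with yubikey-agent).
  # The second request is for slot 9d, so its subject OU now says 9d too
  # (it used to be labelled 9c, a copy-paste slip).
  local NINEA_SUBJ="${CERT_SUBJECT},OU=${YUBISERIAL}-9a,CN=${osx_user}"
  local NINED_SUBJ="${CERT_SUBJECT},OU=${YUBISERIAL}-9d,CN=${osx_user}"
  echo "Generating 9a CSR: ${NINEA_SUBJ}"
  ykman piv certificates request \
    -s "${NINEA_SUBJ}" 9a "${NINEA}Pubkey.pem" "${NINEA}Req.pem"
  echo "Generating 9d CSR: ${NINED_SUBJ}"
  ykman piv certificates request \
    -s "${NINED_SUBJ}" 9d "${NINED}Pubkey.pem" "${NINED}Req.pem"

  # Get certificates signed (alternatively, don't be like me and use a
  # self sign here)
  citadel_sign ERISCOPIVCA "${NINEA}" "${expiration}" client
  citadel_sign ERISCOPIVCA "${NINED}" "${expiration}" client
  echo "Importing signed 9a certificate."
  ykman piv certificates import 9a "${NINEA}Cert.pem"
  echo "Importing signed 9d certificate."
  ykman piv certificates import 9d "${NINED}Cert.pem"

  # Get SSH pubkey from the yubikey that will be signed. pipefail plus the
  # explicit if make a failing ssh-keygen, or no ecdsa line, fatal; the old
  # "$?" check only ever saw awk's exit status.
  if ! ssh-keygen -D "$YKCS11_LIB" | grep ecdsa | awk '{print $1 " " $2}' > "${NINEC}.pub"; then
    die "Error: couldn't retrieve ecdsa key from yubikey...?"
  fi

  # TODO: make this part of citadel scripting
  # Quote every argument with %q so username, principals and filenames reach
  # the remote ssh-keygen as single words instead of being re-parsed by the
  # remote shell.
  # NOTE(review): the relative reqs/ and issued paths assume the remote login
  # shell starts in /srv/SSHCA — confirm against the citadel account.
  local remote_cmd
  printf -v remote_cmd \
    'ssh-keygen -s user_ssh_ca -I %q -n %q -V +52w -z %q reqs/%q.pub && mv reqs/%q-cert.pub issued' \
    "$osx_user" "$principals" "$SSH_CERT_SERIAL" "$NINEC" "$NINEC"
  scp "${NINEC}.pub" "${CITADEL_SSH}:/srv/SSHCA/reqs/"
  ssh -t "$CITADEL_SSH" "$remote_cmd"
  scp "${CITADEL_SSH}:/srv/SSHCA/issued/${NINEC}-cert.pub" .

  echo "Done!"
  echo "Note: place the resulting signed SSH pubkey in your .ssh directory exactly as id_ecdsa-cert.pub - or use CertificateFile in config"
  echo "Don't forget to lock the armory and remove it."
  echo ""
  echo "To complete pairing with OSX for token auth, remove and reinsert the Yubikey."
}

main "$@"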