jameswhite/yubikey-pkcs11.txt Secret

## yubikey-pkcs11.txt
sudo mkdir -p /usr/local/yubico/yubico-piv-tool
(
  cd /usr/local/yubico/yubico-piv-tool;
  sudo wget https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-1.2.2-mac.zip
  sudo unzip yubico-piv-tool-1.2.2-mac.zip
)
( cd ~/bin/; ln -s /usr/local/yubico/yubico-piv-tool/bin/yubico-piv-tool )

# Prepare the key for use
# https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key
yubico-piv-tool -a set-mgm-key -n $key
The PIN and PUK should be changed as well.

pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
echo $pin
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
echo $puk
yubico-piv-tool -a change-pin -P 123456 -N $pin
yubico-piv-tool -a change-puk -P 12345678 -N $puk


### prepare pkcs#11 support

brew install opensc

yubico-piv-tool -s 9a -a generate -o public.pem
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
                -S "/CN=SSH key/" -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem

# find /opt -name opensc-pkcs11.so
export OPENSC_LIBS="/opt/boxen/homebrew/lib"

ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so -e
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUtuPR5CYgsFV27/Fk91DjT5sLSwRNblmCyn6vB19V2DVrIPLwgZmwhkENHS0J8N3fO411y5+B1wPewCpQecPXCdK7XDAJBU17dIn8ia1J+i8XYVv14WSvC5A7o+FyPPpfAU6Jnqm3VYPweuobrAg/DI0w95HDJfS0xfEehVkgI5AmA+1rERP/P/MllgBseUfOMzsZeI0xUIrMZyEwf4oX8nFV3QvpDYNDmiUSQgSo47DHfs414i3fUqGQF9Gqw9cpd/TqhigEe5KvYplv4SNze4AkgaBiV23FHB7flM4Q7HDnxLMz2Y+E0toLVDkP4+zTvJJ35eeJ4mB3CLVqPqgr

ssh -I $OPENSC_LIBS/opensc-pkcs11.so root@einstein

#### WAIT
https://rnorth.org/8/gpg-and-ssh-with-yubikey-for-mac
	sudo mkdir -p /usr/local/yubico/yubico-piv-tool
	(
	cd /usr/local/yubico/yubico-piv-tool;
	sudo wget https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-1.2.2-mac.zip
	sudo unzip yubico-piv-tool-1.2.2-mac.zip
	)
	( cd ~/bin/; ln -s /usr/local/yubico/yubico-piv-tool/bin/yubico-piv-tool )

	# Prepare the key for use
	# https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

	key=`dd if=/dev/random bs=1 count=24 2>/dev/null \| hexdump -v -e '/1 "%02X"'`
	echo $key
	yubico-piv-tool -a set-mgm-key -n $key
	The PIN and PUK should be changed as well.

	pin=`dd if=/dev/random bs=1 count=6 2>/dev/null \| hexdump -v -e '/1 "%u"'\|cut -c1-6`
	echo $pin
	puk=`dd if=/dev/random bs=1 count=6 2>/dev/null \| hexdump -v -e '/1 "%u"'\|cut -c1-8`
	echo $puk
	yubico-piv-tool -a change-pin -P 123456 -N $pin
	yubico-piv-tool -a change-puk -P 12345678 -N $puk



	### prepare pkcs#11 support

	brew install opensc

	yubico-piv-tool -s 9a -a generate -o public.pem
	yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
	-S "/CN=SSH key/" -i public.pem -o cert.pem
	yubico-piv-tool -a import-certificate -s 9a -i cert.pem

	# find /opt -name opensc-pkcs11.so
	export OPENSC_LIBS="/opt/boxen/homebrew/lib"

	ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so -e
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUtuPR5CYgsFV27/Fk91DjT5sLSwRNblmCyn6vB19V2DVrIPLwgZmwhkENHS0J8N3fO411y5+B1wPewCpQecPXCdK7XDAJBU17dIn8ia1J+i8XYVv14WSvC5A7o+FyPPpfAU6Jnqm3VYPweuobrAg/DI0w95HDJfS0xfEehVkgI5AmA+1rERP/P/MllgBseUfOMzsZeI0xUIrMZyEwf4oX8nFV3QvpDYNDmiUSQgSo47DHfs414i3fUqGQF9Gqw9cpd/TqhigEe5KvYplv4SNze4AkgaBiV23FHB7flM4Q7HDnxLMz2Y+E0toLVDkP4+zTvJJ35eeJ4mB3CLVqPqgr

	ssh -I $OPENSC_LIBS/opensc-pkcs11.so root@einstein

	#### WAIT
	https://rnorth.org/8/gpg-and-ssh-with-yubikey-for-mac