Provision SSH key into Yubikey
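#!/bin/bash
# Script to automate the provisioning of a new SSH certificate onto a yubikey device.
#
# Usage: [SLOT=9a] [USER_PIN=...] [ADMIN_PIN=...] <this script>
#
# WARNING: the PIV applet on the attached token is RESET (every existing PIV
# key and certificate is destroyed) before the new key is generated.
#
# Environment (all optional):
#   SLOT       PIV slot to generate the key into (default: 9a)
#   USER_PIN   new PIN; generated randomly when unset or empty
#   ADMIN_PIN  new PUK; generated randomly when unset or empty
#
# Requirements: yubico-piv-tool, OpenSC (opensc-pkcs11.so), ssh-keygen, hexdump.
set -e
set -u
set -o pipefail

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print N random bytes from /dev/random as a hex string.
# Arguments: $1 - number of bytes to read
#            $2 - hexdump byte format, default '%02x' (use '%02X' for upper case)
# Outputs:   hex string on stdout, no trailing newline
#######################################
random_hex() {
  local nbytes=$1
  local fmt=${2:-%02x}
  dd if=/dev/random bs=1 count="$nbytes" 2>/dev/null | hexdump -v -e "/1 \"${fmt}\""
}

# Locate the OpenSC PKCS#11 module. The Homebrew path carries a version glob,
# so it must stay unquoted here for the shell to expand it.
OPENSC_LIBS=""
for path in /usr/lib64/opensc-pkcs11.so \
            /usr/lib/opensc-pkcs11.so \
            /usr/local/lib/opensc-pkcs11.so \
            /opt/local/lib/opensc-pkcs11.so \
            /usr/local/Cellar/opensc/*/lib/opensc-pkcs11.so
do
  if [[ -f "$path" ]]; then
    OPENSC_LIBS="$(dirname "$path")"
    break
  fi
done
# Fail with a clear message instead of tripping `set -u` further down.
[[ -n "$OPENSC_LIBS" ]] || die "opensc-pkcs11.so not found; install OpenSC before provisioning."
echo "[+] Using ${OPENSC_LIBS} for PKCS11 smartcard support."

SLOT=${SLOT:-9a}
TDIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${TDIR}"' EXIT

# Attempt to detect yubico-piv-tool path falling back to the version embedded with the OS X application.
YPIV="$(command -v yubico-piv-tool || echo "/Applications/YubiKey PIV Manager.app/Contents/MacOS/yubico-piv-tool")"
# Check the tool exists before any secret is printed or the token is touched.
[[ -x "$YPIV" ]] || die "yubico-piv-tool not found or not executable: ${YPIV}"

# 24 random bytes -> 48 hex chars, the length of a PIV (3DES) management key.
mgmt_key=$(random_hex 24 '%02X')

# Allow overrides to the PIN / PUK from the environment. The ${VAR:-} form keeps
# `set -u` from aborting when the variable was never exported at all.
USER_PIN=${USER_PIN:-}
ADMIN_PIN=${ADMIN_PIN:-}
if [[ -z "$USER_PIN" ]]; then
  # 6 random bytes -> 12 hex chars, truncated to the 8-character PIV PIN maximum.
  USER_PIN=$(random_hex 6 | cut -c1-8)
fi
if [[ -z "$ADMIN_PIN" ]]; then
  # Same construction for the PUK (also capped at 8 characters).
  ADMIN_PIN=$(random_hex 6 | cut -c1-8)
fi

# These values are printed to the terminal on purpose: the user has no other
# way to recover them once the script exits.
echo "*** IMPORTANT - RECORD THESE VALUES ***"
echo "Management Key: ${mgmt_key} (used to provision the token)"
echo "User PIN: ${USER_PIN} (used to unlock your token)"
echo "Admin PIN: ${ADMIN_PIN} (used to recover from lost user pin)"
read -r -p "Press <ENTER> to continue."

# Force the old PINs to be blocked.
# yubico-piv-tool refuses `reset` until both the PIN and the PUK are blocked,
# so exhaust their retry counters with deliberately wrong values. Failures are
# expected here, hence `|| true`.
echo "[+] Lock the security token by using the wrong pin."
for _ in {0..5}; do
  "$YPIV" -a verify-pin -P 000000 || true
  "$YPIV" -a change-puk -P 000000 -N 000001 || true
done
"$YPIV" -a reset

# Configure PINs. After a reset the applet is back to its factory defaults,
# which is why the old PIN/PUK below are 123456 / 12345678.
# NOTE: PINs and the management key are passed on argv, so they are briefly
# visible to other local users via `ps`. That is acceptable on a single-user
# workstation; elsewhere, omit -P so yubico-piv-tool prompts for the value.
"$YPIV" -a set-mgm-key -n "${mgmt_key}"
"$YPIV" -a change-pin -P 123456 -N "${USER_PIN}"
"$YPIV" -a change-puk -P 12345678 -N "${ADMIN_PIN}"

# Generate self-signed certificate; FIXME(gharris): later use the CA.
# touch-policy=always: every private-key operation requires a physical touch.
# pin-policy=once: the PIN is verified once per session.
echo "[+] Generating new SSH certificate on the hardware token; this may take a moment."
"$YPIV" -a generate "--key=${mgmt_key}" -s "$SLOT" --touch-policy="always" --pin-policy="once" -o "${TDIR}/public.pem"
echo "[+] Self-signing generated certificate."
echo "[+]"
echo "[+] ***You will need to press the yubikey when it flashes to release the cryptographic operation results!***"
echo "[+]"
# Both actions run in one invocation so the PIN verification covers the signing step.
"$YPIV" -a verify-pin -P "${USER_PIN}" -a selfsign-certificate -s "$SLOT" -S '/CN=SSH key/' -i "${TDIR}/public.pem" -o "${TDIR}/cert.pem"
echo "[+] Loading the self-signed certificate onto the hardware token."
"$YPIV" -a import-certificate "--key=${mgmt_key}" -s "$SLOT" -i "${TDIR}/cert.pem"

# Dump the authorized-keys header for the user
echo "[+] Please use the following for your authorized_keys file: "
ssh-keygen -D "$OPENSC_LIBS/opensc-pkcs11.so" -e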