SSH Start to Finish Architecture – GnuPG keys generated on the Yubikey 4

To get GnuPG gpg-agent to work on the Yubikey 4, we need to put the keys on the device.  We can either generate them off of the device, and then copy them up, or we can generate them directly on the device.  We will do both versions of this before we are through, but today is “generate directly on the device.”

As I was getting set up to work on this again this weekend, I gave this a try on the new Beaglebone Black Wireless, on a whim.  The last time I had tried this on the BBBW, it didn’t go so well.  There were library issues that prevented GnuPG from accessing the card correctly, and the whole thing was an exercise in frustration.  Then I “did the dumb” and managed to brick the device while working on a project.  I already wrote up the procedure I used to unbrick it, which worked fine.  Apparently something in the unbrick firmware is different from what I had before, because when I tried this “on a whim” I had no issues.

Here are the steps I used, and I’ll link the articles I followed myself at the bottom.

In order to use the Yubikey with GnuPG, we first need to generate the keys on the device, (or import them.)  Unfortunately, when I was following this, the largest key I could actually generate for all three sections was 3072 bits, not 4096, even though GnuPG supports 4096, and the specs for the Yubikey 4 state it can handle 4096 bit keys.  Still, 3072 is larger than the 2048 limit imposed by the PIV SmartCard standard.  I believe this may be because the GnuPG that is being used might be GPG not GPG2.  I’ll research version more in a later update.

The top section of this article is what I followed for this.

Of course, when I was finished, I found that the Debian Jessie image didn’t include gpg-agent.  I had to configure the wireless with connmanctl, turn off “wifi tether” because it was on by default in the unbrick firmware, and was preventing wifi scan from working, and then do an apt-get update to make things happy so I could apt-get install gnupg-agent.

Then I ran into the issue of actually loading gpg-agent.  I got assertion errors when trying to load gpgkey2ssh.  I double checked the card, and it was missing the “Encrypt” key, but had the “Sign” and “Authenticate” keys listed.  I tried re-generating and got an assert error during the generation.  Things went downhill from there.

After reading several posts, including seemingly ignored bug reports, regarding these assertions, I am beyond frustrated with this side of the SmartCard options.  I will of course continue to attempt to make this work, but at this time the only recommendation I can make is to use the PIV SmartCard solution when possible.  It was beyond painless.

While every document I can find from Yubico says that this can “generate the keys on the device,” everything I am reading about actually getting the public key off of it for SSH use seems to want to “fetch” (which pulls from one of the public servers such as used for the Web Of Trust.)  This makes me think that there is some pre-setup that needs to happen with GnuPG, first, so I will work on that (I have the book) before I make another attempt at this.  Also, I can’t seem to ssh back into the BBBW since my last attempt.  It may be unrelated, but I think another unbrick event is due, which will give me a clean slate to work from, anyway.

I just wanted to share what has been done thus far, what speed bumps have been encountered, and what questions those have garnered.  I’ve been banging on this all weekend, so I’ll leave it until another week.



Fun-Day Friday – Lab projects summary

I thought I’d just give a brief list of what the priorities are for the Lab in the next week or two.

First and foremost is finishing up the write-up on using GnuPG gpg-agent for ssh from a Yubikey 4 token.  I’ve just about got the details finished up, so this should be ready by Monday.

A Hak5 Bash Bunny has been ordered, and should arrive by Wednesday.  I’ll probably cover a different piece of equipment that day, since it won’t quite be in hand, yet, but the following Wednesday will likely cover this new gadget.

Not tech related, but I have a Permaculture consultation I’ve been approached about.  I’ll be working on the initial few very rough designs for the property.

This weekend is the local HAM Fest.  Unfortunately, I won’t be able to attend this time.  I was going to be in the market for a new radio OR a new APRS TNC, but those will have to wait since we recently had a minor hit to our budget getting everyone over being sick.

We’ll probably do another Family Game Night this weekend, assuming time permits, and people are feeling up for it.

That’s about it.  Whatever you do, I hope it has an element of fun and an element of learning.  Those are what keep life interesting.

The Lab – Gear Check – Of Bunnies and Yubikeys

At some point today, Hak5 is rumored to be releasing their newest gizmo.  This device is the Bash Bunny, and that’s about all I know about it, but I’m eagerly anticipating discovering what I can about it.  It’s some kind of USB based attack device.  Some have speculated that it’s a USB Rubber Ducky on steroids, and others have speculated it might be similar to a Raspberry Pi Zero with case and special hardware.  We’ll just have to check throughout the day and hope it’s something in the Lab Budget range.

Monday, I posted the broad overview of how the GnuPG gpg-agent based ssh set up on the Yubikey should probably somewhat go.  Tuesday, I had the opportunity to look at the other piece that caught my eye.  The “PIV SmartCard” functionality mentioned means downloading and compiling a single tool from Yubico called the yubikey-piv-tool.

I was actually able to install a couple of prerequisite packages, compile the tool, and use it to configure the PIV SmartCard authentication slot today, and testing worked like a charm.  My only beef with this method is that the PIV standards don’t call for a key size greater than 2048 bits.  I prefer the 4096 bit rsa key for SSH, but 2048 is my bare minimum, and that’s available.

I literally followed this already written excellent guide, and it just worked.

Using ssh-keygen -fl on the public key pulled from that ${OPENSC_LIBS}/ path showed a 2048 bit rsa key without having to pass any extra flags to try to adjust bit size.

In case that guide changes, here are the steps:

Install OpenSC as a package if available.

Download and compile (./config && make && sudo make install) the yubikey-piv-tool from here.

yubico-piv-tool -s 9a -a generate -o public.pem
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
export OPENSC_LIBS=/usr/lib/x86_64-linux-gnu/lib
ssh-keygen -D ${OPENSC_LIBS}/ -e

To use this, you need to call that ${OPENSC_LIBS}/ file as if it is your private key.  You can either use the -I flag for ssh, or use the -s flag for ssh-add to load this.  As long as the yubikey is plugged in when you try to load the key, it’ll work.

Please note that the default PIN is 123456.  They don’t tell you that in the guide, but that’s the default.  You probably want to change this PIN at some point, if you’re following along.

I’m still hashing out the OpenPGP SmartCard using GnuPG gpg-agent.  It is far more complicated.  I’m hoping it does allow for larger keys, though.  We’ll find out when we get it Lab approved.