The Lab – Gear Check – Of Bunnies and Yubikeys

At some point today, Hak5 is rumored to be releasing their newest gizmo.  This device is the Bash Bunny, and that’s about all I know about it, but I’m eagerly anticipating discovering what I can about it.  It’s some kind of USB based attack device.  Some have speculated that it’s a USB Rubber Ducky on steroids, and others have speculated it might be similar to a Raspberry Pi Zero with case and special hardware.  We’ll just have to check throughout the day and hope it’s something in the Lab Budget range.

Monday, I posted the broad overview of how the GnuPG gpg-agent based ssh set up on the Yubikey should probably somewhat go.  Tuesday, I had the opportunity to look at the other piece that caught my eye.  The “PIV SmartCard” functionality mentioned means downloading and compiling a single tool from Yubico called the yubikey-piv-tool.

I was actually able to install a couple of prerequisite packages, compile the tool, and use it to configure the PIV SmartCard authentication slot today, and testing worked like a charm.  My only beef with this method is that the PIV standards don’t call for a key size greater than 2048 bits.  I prefer the 4096 bit rsa key for SSH, but 2048 is my bare minimum, and that’s available.

I literally followed this already written excellent guide, and it just worked.

Using ssh-keygen -fl on the public key pulled from that ${OPENSC_LIBS}/ path showed a 2048 bit rsa key without having to pass any extra flags to try to adjust bit size.

In case that guide changes, here are the steps:

Install OpenSC as a package if available.

Download and compile (./config && make && sudo make install) the yubikey-piv-tool from here.

yubico-piv-tool -s 9a -a generate -o public.pem
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
export OPENSC_LIBS=/usr/lib/x86_64-linux-gnu/lib
ssh-keygen -D ${OPENSC_LIBS}/ -e

To use this, you need to call that ${OPENSC_LIBS}/ file as if it is your private key.  You can either use the -I flag for ssh, or use the -s flag for ssh-add to load this.  As long as the yubikey is plugged in when you try to load the key, it’ll work.

Please note that the default PIN is 123456.  They don’t tell you that in the guide, but that’s the default.  You probably want to change this PIN at some point, if you’re following along.

I’m still hashing out the OpenPGP SmartCard using GnuPG gpg-agent.  It is far more complicated.  I’m hoping it does allow for larger keys, though.  We’ll find out when we get it Lab approved.