
YubiKey NEO + PuTTY SSH + Windows

I have been using a YubiKey NEO to hold my OpenSSH key in its OpenPGP applet (CCID mode) at work. I made it work on Ubuntu and macOS with relative ease, but most of my colleagues are on Windows and wondered how this could be done on the Microsoft platform. So I decided to give it a shot on the newly released Windows 10 (or shall we call it WinOS X).

Step 0: Get YubiKey Neo configured as CCID

Of course you have to buy the hardware before we can even begin. The YubiKey does not appear as a CCID (smart card) device until you enable that mode with YubiKey NEO Manager; the original post shows a screenshot of the mode-change dialog.

You cannot have a configuration protection access code (the "password" set with the YubiKey Personalization Tool) on the YubiKey while changing modes. If one is set, remove that configuration with the YubiKey Personalization Tool first. Make sure to exit the GUI applications before you start using the console later, so that they do not keep the card interface open while gpg tries to talk to it.

Step 1: Check if your YubiKey works.

You will need the gpg executable to talk to the YubiKey; on Windows, Gpg4win provides it. Then check that gpg sees the card ("gpg --card-status" prints the same summary without entering the interactive prompt):

C:\>gpg --card-edit
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID 0'
Application ID ...: REDACTED
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: REDACTED
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card>


A caveat here: a few months before this was written, Yubico published an advisory for YubiKey NEOs whose OpenPGP applet is version 1.0.9 or earlier, which are affected by a security bug. Check Yubico's advisory page to make sure the key you have carries a fixed applet version. Note that the "Version ..........: 2.0" line above is the OpenPGP card specification version that the card reports in its Application ID, not the version of the Yubico applet, so the gpg output alone does not answer that question.
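To make the distinction concrete, here is an added example (not code from the original post, GnuPG or Yubico) that decodes the Application ID gpg prints into the Version, Manufacturer and Serial number fields shown above. The layout follows the OpenPGP card specification; the sample AID is constructed, using Yubico's manufacturer code 0x0006 and a made-up serial. An older gpg that does not know the manufacturer code prints "unknown", as the output above shows.

```python
"""Decode the OpenPGP card Application ID (AID) that `gpg --card-status` prints.

Added example for this post, not GnuPG's or Yubico's code.  The 16-byte AID is
laid out by the OpenPGP card specification as: RID+application D2 76 00 01 24 01,
2-byte spec version (BCD), 2-byte manufacturer code, 4-byte serial, 2 bytes RFU.
"""
OPENPGP_RID_APP = bytes.fromhex("D27600012401")
MANUFACTURERS = {0x0006: "Yubico"}   # gpg's own table is longer; this is the one entry needed here


def decode_aid(aid_hex: str) -> dict:
    """Split an AID into the fields gpg shows as Version, Manufacturer and Serial number."""
    aid = bytes.fromhex(aid_hex)
    if len(aid) != 16 or aid[:6] != OPENPGP_RID_APP:
        raise ValueError("not an OpenPGP card AID: %s" % aid_hex)
    manufacturer = int.from_bytes(aid[8:10], "big")
    return {
        # BCD-coded: 0x02 0x00 -> "2.0".  This is the OpenPGP card *specification*
        # version, not the version of the Yubico applet named in the advisory.
        "spec_version": "%x.%x" % (aid[6], aid[7]),
        "manufacturer": MANUFACTURERS.get(manufacturer, "unknown (0x%04X)" % manufacturer),
        "serial": aid[10:14].hex().upper(),
    }


# Constructed sample, not a real card: spec 2.0, manufacturer 0006 (Yubico), serial 01234567.
SAMPLE_AID = "D2760001240102000006012345670000"
```

Paste the hex string from your own "Application ID" line into decode_aid to see which bytes gpg is reporting; whatever it says, the applet version still has to be checked with Yubico's tooling.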

Step 2: Generate Keys

Now follow the key generation steps described in the various blog entries on OpenPGP cards. First enable admin commands by entering "admin" at the gpg/card> prompt; "generate" is refused otherwise. Make sure you use the correct PINs the first time: the console prints the factory defaults, and after three wrong Admin PIN attempts the card is locked and you will have to RESET the applet, which destroys the keys on it.

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN

Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at 08/02/16 15:18:08
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: User Name
Email address: user@email.com
Comment: Department
You selected this USER-ID:
    "User Name <user@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? C
Comment: Department2
You selected this USER-ID:
    "User Name (Department 2) <user@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (26 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (34 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: C:/Users/hatsha/AppData/Roaming/gnupg\trustdb.gpg: trustdb created
gpg: key 60C2B662 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-08-02
pub   REDACTED/REDACTED 2015-08-03 [expires: 2016-08-02]
      Key fingerprint = 5ABF D138 BB53 3F9C 133D  DD9A 793B D949 60C2 B662
uid                  User Name (Department 2) <user@email.com>
sub   2048R/REC2015-08-03 [expires: 2016-08-02]
sub   2048R/D0AD1A73 2015-08-03 [expires: 2016-08-02]

Step 3: Use Keys

The next step is to use the generated key from PuTTY. The easiest way I have found on Windows is an agent that requires registration; the fee is nominal (1 Euro per key). After following its instructions, start the agent; if the YubiKey's OpenPGP applet is working you should see the keys listed in the agent. (Recent GnuPG releases can also do this without a third-party agent: the enable-putty-support option of gpg-agent makes it answer PuTTY's Pageant requests directly.)


You can export the SSH public key from gpg so that it can be put on your servers or into your OpsWorks stack (GnuPG 2.1.11 and later have "gpg --export-ssh-key" for this). I just take the easy route: log in to a server with a password, with agent forwarding enabled in PuTTY, and run "ssh-add -L" there to get the public key. Two things to keep in mind: what ssh-add -L prints is the public key only, the private key never leaves the YubiKey; and forwarding the agent lets anyone with root on that server use your key for as long as you are connected, so only forward it to hosts you trust.
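The conversion behind both routes is mechanical: an OpenPGP RSA key and an OpenSSH "ssh-rsa" key carry the same (n, e) pair, only wrapped differently. Below is an added example, not code from the original post or from GnuPG, that parses the binary output of "gpg --export" (no --armor), emits an ssh-rsa line for every v4 RSA key and subkey together with its OpenPGP fingerprint, and can decode an ssh-add -L line back into (n, e) so you can check that the key a forwarded agent offers really is the card's Authentication subkey. The sample export at the bottom is constructed from toy 64-bit moduli, not real keys; the "openpgp:0x..." comment is a convention assumed here.

```python
"""Convert the RSA keys in a binary `gpg --export` stream to OpenSSH public-key lines.

Added example for this post, not code from the original or from GnuPG.  Walks the
OpenPGP packets (RFC 4880), takes every v4 RSA public key / subkey, computes its
fingerprint and emits the matching `ssh-rsa` line (RFC 4253).  Standard library only.
"""
import base64
import hashlib
import struct

PUBKEY_TAG, PUBSUBKEY_TAG = 6, 14
RSA_ALGOS = {1, 2, 3}  # RSA encrypt-or-sign, RSA encrypt-only, RSA sign-only


def packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial-body lengths are not supported")
        else:                               # old-format header (RFC 4880 4.2.1), what gpg writes for tags < 16
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length


def read_mpi(body: bytes, off: int):
    """Read an OpenPGP MPI: 2-byte bit count followed by the big-endian magnitude."""
    bits = struct.unpack(">H", body[off:off + 2])[0]
    end = off + 2 + (bits + 7) // 8
    return int.from_bytes(body[off + 2:end], "big"), end


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, 2-byte body length and the key packet body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b                     # SSH mpints are signed; keep the value positive
    return ssh_string(b)


def rsa_to_openssh(n: int, e: int, comment: str = "") -> str:
    """Encode (n, e) as an `ssh-rsa` public-key line (RFC 4253 6.6)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def openssh_line_to_rsa(line: str):
    """Decode an `ssh-rsa` line (e.g. one printed by `ssh-add -L`) back into (n, e)."""
    blob, fields, off = base64.b64decode(line.split()[1]), [], 0
    while off < len(blob):
        length = struct.unpack(">I", blob[off:off + 4])[0]
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % fields[0])
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def export_to_openssh(export: bytes):
    """Return [(fingerprint, ssh-rsa line), ...] for every v4 RSA key/subkey in the export."""
    out = []
    for tag, body in packets(export):
        if tag not in (PUBKEY_TAG, PUBSUBKEY_TAG) or body[0] != 4 or body[5] not in RSA_ALGOS:
            continue                        # body: version(1) created(4) algorithm(1) MPIs...
        n, off = read_mpi(body, 6)
        e, _ = read_mpi(body, off)
        fpr = v4_fingerprint(body)
        out.append((fpr, rsa_to_openssh(n, e, "openpgp:0x" + fpr[-8:])))  # comment convention assumed
    return out


# --- constructed sample input (toy 64-bit moduli, NOT real keys) ----------------------
def mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def key_packet(n: int, e: int, subkey: bool, old_format: bool) -> bytes:
    """Build a v4 RSA key packet (bodies here are < 192 bytes) in either header style."""
    body = b"\x04" + struct.pack(">I", 1438560000) + b"\x01" + mpi(n) + mpi(e)
    tag = PUBSUBKEY_TAG if subkey else PUBKEY_TAG
    header = bytes([0x80 | (tag << 2)]) if old_format else bytes([0xC0 | tag])
    return header + bytes([len(body)]) + body


TOY_N, TOY_SUB_N, TOY_E = 0xD5A16E4F2B7C9A83, 0xB3E7C2D9F15A6E41, 65537
SAMPLE_EXPORT = key_packet(TOY_N, TOY_E, False, False) + key_packet(TOY_SUB_N, TOY_E, True, True)
```

Run export_to_openssh over the bytes of "gpg --export <keyid>" for your card's key, then pick the line whose fingerprint matches the "Authentication key" line of "gpg --card-status"; openssh_line_to_rsa applied to the ssh-add -L output on the server should return the same (n, e).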



Comments

  1. Thank you very much for your detailed instruction. In Step 2 you should add that prior to "gpg/card> generate" you will have to allow admin commands with "gpg/card> admin".

  2. Thank you very much for this detailed description. You might add in step 2 that prior to "gpg/card> generate" one has to perform "gpg/card> admin" in order to allow commands.

    Replies
    1. Thanks, yes I will try to replicate this again on macOS Sierra soon and update the instructions.


