SSH Certificates and Yubikey

[PorgJuice]

Hi,

I followed this wonderful blog post about setting up a CA with step and a RasPi. Now that I have that working, I'd like to use the CA for ssh certs. How do I incorporate that into my Yubikey setup?

[tashian]

Hi @ProfessorSalty,

Thanks for the kind words, I'm glad the tiny CA is working out for you!

• For SSH CA support, you'll need the very latest version of step-ca, which supports using additional YubiKey PIV certificate slots 82-95 (called the "retired key management slots"). Otherwise you won't have enough certificate slots to have both X.509 and SSH CAs.

We don't have a tutorial for adding SSH support, but I can give you an overview of the steps you'll need to take:

0. Stop your step-ca

1. Generate SSH CA private keys on the YubiKey (probably into slots 82 and 83— but that depends on your setup. Be careful here because ykman appears to overwrite slots without asking). You'll need to use ykman for this. ykman will generate the private keys on the yubikey and output the public keys as PEMs:

   $ ykman piv keys generate -a ECCP256 82 ssh_host_ca_key.pem
   $ ykman piv keys generate -a ECCP256 83 ssh_user_ca_key.pem
   

   Then you need to convert the pems to the SSH public key format:

   $ ssh-keygen -i -f ssh_host_ca_key.pem -mPKCS8 > ssh_host_ca_key.pub
   $ ssh-keygen -i -f ssh_user_ca_key.pem -mPKCS8 > ssh_user_ca_key.pub
   

   These .pub files are your SSH host and user CA public keys. You can store them in /etc/step-ca/certs.

2. In your ca.json, you'll need to turn on SSH support and point to the YubiKey slots you configured for SSH. Run something like STEPPATH=/tmp/step-ssh step ca init --ssh to initialize a CA that has SSH support, and see how the CA configuration differs from an X.509 CA. At minimum you'll need:

   • An ssh object at the top level, containing userKey and hostKey fields pointing to the YubiKey slots you're using, eg:

         "ssh": {
         	"hostKey": "yubikey:slot-id=82",
         	"userKey": "yubikey:slot-id=83"
         },
     

   • An SSHPOP provisioner (for host certificate renewal)

   • "enableSSHCA": true turned on in the "claims" object for any provisioner that you want to use for SSH support.

3. Start your step-ca.

You should now be able to retrieve the SSH host and user CA keys from any step client:

$ step ssh config --host --roots
ecdsa-sha2-nistp256 AAAAE2Vj...7Cs=
$ step ssh config --roots
ecdsa-sha2-nistp256 AAAAE2V...gg=

You can also configure a CA with SSH host and user templates — which are used to make it easier to set up new clients and hosts, using step ssh config and step ssh config --host. The default step ca init --ssh configuration will add these templates and create the files used for them.

If setting it up on the YubiKey turns out to be too much of a hassle, an alternative would be to run an SSH CA on disk, but I don't think step-ca supports mixing YubiKeys with keys residing on the filesystem, so you'd have to run two CA servers.

Further reading: Our docs on YubiKey PIV support

Hope this helps,
Carl

[maraino]

@MSaratov The only place where error retrieving public key is displayed is

certificates/kms/yubikey/yubikey.go

Lines 204 to 206 in 35ede74

	if cert, err = k.yk.Certificate(slot); err != nil {
	return nil, errors.Wrap(err, "error retrieving public key")
	}

So it looks the code requires a certificate, but I think there might be a different way to do it, perhaps attesting that slot? Let me try with a clean Yubi.

[maraino]

Wait, it's trying to attest that key just before, so not attesting, can you print the error of the Attest command?

certificates/kms/yubikey/yubikey.go

Line 202 in 35ede74

cert, err := k.yk.Attest(slot)

[0x6c66]

@maraino I've also used ykman pic generate-key to create the keys. go run cmd/step-yubikey-init/main.go -crt-slot 82 --root-slot 83 --force is not working for me, though: error generating key: authenticating with management key: auth challenge: smart card error 6982: security status not satisfied. I chose to have the management key protected by the PIN. Maybe this has anything to do with it?

Regarding the error of the attest command -- it appears to be the data object or application not found part of the error message I posted initially.

Thank you for looking into this with me!

[maraino]

Have you tried to pass the management key with --management-key xxx the xxx has to be in hexadecimal format, this is the default 010203040506070801020304050607080102030405060708

[maraino]

@MSaratov we might want to move the debug to discord https://discord.gg/ACAeVdQNW5

[kaysond]

@tashian - sorry for the resurrection but I think it makes sense to have this information on this discussion. Do you know why things do not work if I import the SSH CA keys generated by step ca init to the yubikey, similar to the intermediate CA key?

If I do ykman piv keys import 82 secrets/ssh_host_ca_key (and similar for the user key in slot 83), I get command failed: smart card error 6a82: data object or application not found. If I do ykman piv keys generate as you suggest, though, it works.

[tashian]

My hunch is that it's an encoding issue, you may need to re-encode the SSH private key into a different format to get ykman to read it.

[kaysond]

Sorry my comment was unclear. The import succeeds. It's step-ca that gives me the error message. If I remove ssh from the config (but leave the yubikey kms, including the intermediate CA key on the yubikey) it starts up fine.

[kaysond]

In case anyone comes across this later, the answer is that you also need to import a certificate in the same slot because the PIV/PKCS#11 library extracts the public key from the certificate. See: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html (Step 2).

You can do this manually or have the yubikey generate the cert for you. First, convert step-ca's .pub key to .pem with ssh-keygen -f certs/ssh_host_ca_key.pub -e -m pem > certs/ssh_host_ca_key.pem, then generate the certificate with something like ykman piv certificates generate --hash-algorithm SHA512 --valid-days 3650 --subject "My SSH Host CA" 9d certs/ssh_host_ca_key.pem (where 9d is the slot where you've imported the private key)