This is a step-by-step guide for getting a YubiKey with PIV to work for public-key authentication with OpenSSH through PKCS#11, primarily on an OS X or Linux system.
a YubiKey with the PIV application loaded
the yubico-piv-tool software
the OpenSC software
If you are using OS X El Capitan (10.11) or earlier, a newer OpenSSH than the one delivered with the system is required for ssh-agent to work; macOS Sierra (10.12) contains a compatible version
|The following example assumes that you have not yet changed the management key. If you have changed the management key, add
Generate or import a key in slot 9a (any slot should suffice):
Import the key (PEM format):
yubico-piv-tool -s 9a -a import-key -i key.pem
|If an external key is imported and there already exists a certificate step 2 can be skipped.|
Generate the key:
yubico-piv-tool -s 9a -a generate -o public.pem
|RSA 4096-bit keys are not currently supported due to a limitation in the PIV spec: https://github.com/Yubico/yubico-piv-tool/issues/58|
Create a self-signed certificate for that key. The only use for the X.509 certificate is to make the PIV/PKCS#11 library happy: it wants to extract the public key from the smartcard, and it does so through the X.509 certificate.
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
Load the certificate:
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
Find out where OpenSC has installed the PKCS#11 module.
For OS X with a binary installation this is typically in /Library/OpenSC/lib/. Homebrew users can use export OPENSC_LIBS=$(brew --prefix opensc)/lib.
For a Debian based system this is typically in
After this we’ll call this location
Export the public key in the correct format for ssh and, once you have it, add it to authorized_keys on the target system.
ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so -e
|The command will export all keys stored on the YubiKey Neo. Hopefully it keeps the slot order, so it should not be hard to guess which public key is associated with your targeted private key.|
Authenticate to the target system using the new key:
ssh -I $OPENSC_LIBS/opensc-pkcs11.so email@example.com
This can also be set up to work with ssh-agent (optional):
ssh-add -s $OPENSC_LIBS/opensc-pkcs11.so
|On OS X prior to macOS 10.12 “Sierra” this typically requires installation of a third-party OpenSSH from Homebrew or the like and using that ssh-agent.|
To confirm that ssh-agent correctly finds the key and to get the public key in the correct format:
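As an added check for the export step above (example code, not part of the Yubico guide): instead of guessing by slot order, the script matches the slot 9a public key from public.pem against the full ssh-keygen -D dump and prints only the authorized_keys line that belongs to it. It assumes OPENSC_LIBS is set as described above and that your ssh-keygen supports the -i -m PKCS8 import; the sample dump at the bottom is constructed data, not real keys.

```shell
#!/bin/sh
# Added example, not part of the Yubico guide: select the authorized_keys line for
# the slot 9a key out of the full `ssh-keygen -D` dump by matching its blob against
# the public key written by `yubico-piv-tool -a generate -o public.pem`.
# Assumes OPENSC_LIBS is the directory containing opensc-pkcs11.so.

# Pure selection logic: $1 is the slot's public key in OpenSSH format
# ("ssh-rsa AAAA..."), $2 is the token dump (one "type blob [comment]" line per key).
# Prints the dump line whose base64 blob (field 2) equals the slot key's blob and
# returns 1 when no line matches.
select_matching_key() {
    want=$(printf '%s\n' "$1" | awk '{print $2}')
    printf '%s\n' "$2" | awk -v want="$want" \
        '$2 == want { print; found = 1 } END { exit found ? 0 : 1 }'
}

# Talks to the real tools; needs the YubiKey plugged in.
piv_authorized_line() {
    pem="${1:-public.pem}"
    module="${OPENSC_LIBS:?set OPENSC_LIBS to the directory holding opensc-pkcs11.so}/opensc-pkcs11.so"
    # Convert the PEM (SubjectPublicKeyInfo) public key to OpenSSH format.
    slot_pub=$(ssh-keygen -i -m PKCS8 -f "$pem") || return 1
    # Dump every public key the PKCS#11 module exposes (all populated PIV slots).
    dump=$(ssh-keygen -D "$module") || return 1
    select_matching_key "$slot_pub" "$dump"
}

# Constructed sample data (fake blobs, not real keys) so the selection logic can be
# exercised without a token: two keys exported in an order we do not control.
SAMPLE_DUMP="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed1 constructed key 1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed2 constructed key 2"
SAMPLE_SLOT_PUB="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed2"

# On a real token:  piv_authorized_line public.pem >> ~/.ssh/authorized_keys
```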