Document how to use yubihsm with openssh

[blaufish]

Perhaps you could test and document how to use OpenSSH with YubiHSM?

These are my current steps, mostly derived from https://access.redhat.com/articles/1523343 but with a number of changes:

• Build openssh with https://github.com/openssh/openssh-portable/pull/87. (This code will be replaced by https://bugzilla.mindrot.org/show_bug.cgi?id=2430 being developed by openssh developers to resolve same issue.)
• pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login --usage-sign --keypairgen --key-type rsa:2048 --label sshrsakey
• Remember "ID: XXXX" outputed here, you'll need it further down
• certtool --generate-self-signed --outfile=id_rsa.cert --provider=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --load-privkey "pkcs11:model=YubiHSM;manufacturer=Yubico%20%28www.yubico.com%29;serial=YOUR_SERIAL;token=YubiHSM;id=%1b%ba;object=sshrsakey;type=private"
• pkcs11-tool --login --module=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --write-object cert.pem --type cert --id XXXX --label sshrsakey
• ./ssh-keygen -v -D /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
• _copy ssh-key to ~/.ssh/authorizedkeys
• ./ssh -I /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so USERNAME@127.0.0.1

[Go2Device]

Hello Blaufish, from where you get the _yubihsmpkcs11.so module? I install on Ubuntu 18.04.1 LTS from the Yubico PPA yubikey-piv-manager, but didn't find this module on my machine. After installing gnutls-bin i able to use opensc-pkcs11.so:

ubuntu@ubuntu:~$ pkcs11-tool --list-slots --module=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so Available slots: Slot 0 (0x0): Yubico Yubikey 4 OTP+U2F+CCID 00 00 token label : PIV Card Holder pin (PIV_II) token manufacturer : piv_II token model : PKCS#15 emulated token flags : login required, rng, token initialized, PIN initialized hardware version : 0.0 firmware version : 0.0 serial num : XXXXXXXXXX(removed) pin min/max : 4/8 Slot 1 (0x4): Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 01 00 (empty)

[blaufish]

@Go2Device this issue was about YubiHSM (2), not Yubikey.

Yubikey and other PKCS#11 modules based on wrapping a PIV applet seems to be what OpenSSH is developed and tested against. So most simple USB sticks and smartcards with a PIV applet is expected to work with OpenSSH. Mosts HSMs and other fully fledged provider are not expected to work (well) with OpenSSH.

OpenSSH without patches (at least in March when I tested this) have two issues;

• Some portion of the code does not work with PKCS#11 providers that does not show keys before login, i.e. most HSMs. This can be worked around with using other tools to get access to the key, but I am not sure it is reliable without fixes in the code base. So for YubiHSM, ymmv due to current bug status in OpenSSH. References: https://bugzilla.redhat.com/show_bug.cgi?id=1241873 https://bugzilla.mindrot.org/show_bug.cgi?id=2430
• CA/Certificate based authentication with PKCS#11 providers is not implemented at all. Public key authentication (the traditional .pub files). I think this also is in the openssh bug trackers.

[joostd]

Thank you @blaufish for the suggestion, and apologies for leaving this issue open for so long. I am now closing it however, as I don't think a YubiHSM is typically used for securing user access to SSH servers. It may very well be used as a CA for SSH certificates, or for storing server keys, and this can be achieved through the PKCS#11 module distributed via our YubiHSM SDK.