Yubikey Neo
•Download as PPTX, PDF•
0 likes•413 views
What is the Yubikey Neo and what can you do with it? This is a brief overview of the device and its capabilities along with some information on how to use it for U2F authentication and ssh
Recommended
More Related Content
Viewers also liked
Viewers also liked (20)
Similar to Yubikey Neo
Similar to Yubikey Neo (20)
Recently uploaded
Recently uploaded (20)
Yubikey Neo
- 1. Yubikey Neo What is it and what can it do for me?
- 2. Yubikey Neo It’s a USB/NFC stick that acts as a physical security token Cross platform No drivers Acronyms! OTP CCID U2F
- 3. What Can I Do With It? Log into your computer Improve Password Managers like LastPass Generate strong passwords Secure access to password database Two Factor Auth to various web services Act as a physical SSH key Other things!
- 4. Using it as a U2F token You do have two factor auth enabled on your Google account right? 1. Add the key to your account 2. When you next log in, you’ll be prompted to enter your token. 3. There is no step 3
- 5. What about SSH keys? Make use of the smart card functionality to store a PKCS11 certificate on the key Generate an SSH public key from this and deploy to target servers SSH will use the opensc libraries to communicate with the key to access your private key
- 6. SSH: Prerequisites 1. A Unix-y system 2. A Yubikey Neo 3. The opensc and opensc-pkcs11 libraries installed 4. The yubikey-piv-tool installed 5. CCID enabled on the Neo
- 7. SSH: Generate The Key yubico-piv-tool -s 9a -a generate -o public.pem yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem yubico-piv-tool -a import-certificate -s 9a -i cert.pem
- 8. SSH: Deploy & Use ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so | ssh username@targethostname 'cat >> /ssh/authorized_keys' echo "PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" >> ~/.ssh/config ssh username@targethostname Enter PIN for 'PIV_II (PIV Card Holder pin)':
Editor's Notes
- I am by no means an expert! This is all based on my tinkering about and browsing through the yubico website.
- Small, relatively cheap (£40 for the Neo but other versions are cheaper, just less featureful). Manufactured by Yubico in the USA or Sweden Software and protocols are opensource OTP is One Time Password CCID is Chip Card Interface Device (Basically smart card via USB) U2F is Universal Two Factor Presents as a USB keyboard so touching the button is sufficient to send the OTP password to the computer It has two “slots” for configuring the bahaviour of the button. By default only the Yubico OTP is configured but you can choose from various OTP methods, challenge response or even a static password. The two slots are chosen by a short or long press. The U2F and CCID functionality are independent of these slots, so you can have 4 functions from one device.
- Log in to computer either makes use of a Yubico authentication server or locally configured list of users. Has PAM components (OTP, Challenge Response & U2F) for Linux & Mac OS X and a windows equivalent. Can be configured as the sole authentication method or as an additional one. Can be used as an authentication mechanism for password managers such as LastPass, Keepass, Passwordsafe etc. Stop having to remember a complex master password. Two Factor auth is done by using the U2F standard (supported by Google, Facebook, Dropbox and Wordpress) or OTP which is more widely supported You can generate and store a certificate on the key and from this produce a public ssh key that you deploy to target servers, more on that shortly. There is a wealth of information on the Yubico website and I’ve not explored it all yet, but I saw information on how to use the yubikey to sign code and integrate with full disk encryption setups. The code signing would be handy for Apple development as it’s all too easy to lose your credentials when moving machines etc.
- Two factor authentication is good, timed code apps like Google Authenticator are less good. U2F means you don’t need to type anything or wait for the timer to countdown, just insert your key, and touch the button. Doesn’t require you to carry your phone around or have it charged up. Currently requires Chrome browser but other browsers are implementing it also. https://accounts.google.com/b/0/SmsAuthSettings#securitykeys
- opensc is the Open Smart Card project, an implementation of the PKCS11 protocol/API
- The tools are all installable from packages under debian (and presumably other distros too), if not you can download and install them from the Yubico website For some reason the CCID functionality is disabled by default on the key, so you need to use the manager app to enable it.
- This generates a self signed key in slot 9a on the key (there are multiple slots with different use cases that basically enforce different levels of PIN checking) - for our use, it doesn’t really matter which one we use. By default the key has a PIN of 123456 - you’d want to change that before using it in the real world. This process creates a private PKCS11 key that is stored on the key. There are other techniques that generate it entirely on the device so it never exists on your computer but they’re more complex and I’m still figuring things out.
- This generates an ssh public key and copies it to your target host The PKCS11Provider line tells ssh to use the opensc libraries to communicate with the Yubikey. Without it, you need to specify the library each time you use ssh, which would be a pain. Now when you ssh to the server, when the key is present you will be prompted to enter your PIN to unlock the certificate, then you’re in. You can use ssh agent to cache this as with any ssh key/password. If you don’t have the key present then it will fall back to password based auth, unless that has been disabled on the server. This also works with git - add your ssh key to github, for example, and then you’ll be prompted for your PIN when performing git operations.