Yubikey
From Linuxmemo.
- compare-yubikey
https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/
The PIV application's default values are:
PIN: 123456
PUK: 12345678
Management key: 010203040506070801020304050607080102030405060708
Definitions
https://fr.wikipedia.org/wiki/Authentification_forte
- U2F ("Universal 2nd Factor" or "Universal Second Factor")
An open authentication standard intended to strengthen and simplify two-factor authentication using USB or near-field communication (NFC) devices.
2 interfaces, with every mode available over both
- USB
- NFC
3 modes for the YubiKey:
Keyboard - OTP (One Time Password)
Yubico OTP - validated against Yubico's server (YubiCloud)
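As an added example (mine, not from this page nor from Yubico's validation server code), the part of Yubico OTP validation that happens after the AES step, in Python. A Yubico OTP is 44 modhex characters: the server looks up the AES-128 key by the first 12 characters (the public ID) and decrypts the remaining 16 bytes in ECB mode; that decryption is assumed to be done by the caller (for instance with the cryptography package) and is not shown. The HOTP paragraph further down says Yubico OTP cannot lose counter sync because the counter is encrypted rather than hashed; this is what that looks like on the server side. The uid, counters and random value are constructed test data.

```python
MODHEX = "cbdefghijklnrtuv"   # Yubico's 16-letter alphabet: keys that sit in the same place on almost every layout


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError(f"not modhex: {text!r}")
    return bytes((MODHEX.index(text[i]) << 4) | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def crc16(data: bytes) -> int:
    """CRC-16/X-25 as used inside the OTP block: reflected polynomial 0x8408, init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def split_otp(otp: str):
    """A Yubico OTP is 44 modhex chars: 12 of public ID, then 16 AES-encrypted bytes."""
    if len(otp) != 44:
        raise ValueError("a Yubico OTP is 44 modhex characters")
    return otp[:12], modhex_decode(otp[12:])


def parse_plaintext(block: bytes) -> dict:
    """Decrypted 16-byte block: uid[6] | useCtr u16 LE | tstp u24 LE | sessionCtr u8 | rnd u16 | crc u16.
    Running the CRC over all 16 bytes must leave the residue 0xF0B8; anything else means the
    wrong AES key was used or the OTP was corrupted/forged."""
    if len(block) != 16 or crc16(block) != 0xF0B8:
        raise ValueError("CRC check failed")
    return {
        "uid": block[0:6],                                        # private ID, must match the key record
        "use_counter": int.from_bytes(block[6:8], "little"),      # incremented at power-up, persisted
        "timestamp": int.from_bytes(block[8:11], "little"),      # 8 Hz tick since power-up
        "session_counter": block[11],                             # incremented per OTP within a session
    }


def validate(fields: dict, expected_uid: bytes, last_seen: tuple) -> str:
    """What the validation server does once it has the plaintext: the private uid must match
    the key, and (use_counter, session_counter) must be strictly greater than the pair stored
    from the last accepted OTP. No search window is needed: the counter value itself is
    recovered, not a hash of it, so a replay or an OTP consumed out of order is rejected."""
    if fields["uid"] != expected_uid:
        return "BAD_UID"
    current = (fields["use_counter"], fields["session_counter"])
    if current <= last_seen:
        return "REPLAYED_OTP"
    return "OK"


def build_plaintext(uid: bytes, use_counter: int, timestamp: int,
                    session_counter: int, rnd: int) -> bytes:
    """Constructed test data: the block a YubiKey would encrypt (CRC complemented, little-endian)."""
    body = (uid + use_counter.to_bytes(2, "little") + timestamp.to_bytes(3, "little")
            + bytes([session_counter]) + rnd.to_bytes(2, "little"))
    crc = ~crc16(body) & 0xFFFF
    return body + crc.to_bytes(2, "little")


if __name__ == "__main__":
    uid = bytes.fromhex("8792ebfe26cc")                  # constructed private ID
    block = build_plaintext(uid, 19, 49712, 17, 0xBEEF)  # pretend this came out of AES decryption
    fields = parse_plaintext(block)
    print(validate(fields, uid, last_seen=(19, 16)))     # OK
    print(validate(fields, uid, last_seen=(19, 17)))     # REPLAYED_OTP
```

On a real server, last_seen is updated to the accepted pair only after the whole check passes, and the lookup by public ID must also reject keys that have been revoked.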
Challenge-response
Static password
ykman otp static [OPTIONS] SLOT [PASSWORD]
  -g, --generate                        Generate a random password.
  -l, --length INTEGER RANGE            Length of generated password.
  -k, --keyboard-layout [MODHEX|US|DE]  Keyboard layout to use for the static password. [default: MODHEX]
  --no-enter                            Don't send an Enter keystroke after outputting the password.
  -f, --force                           Confirm the action without prompting.
  -h, --help                            Show this message and exit.
ykman otp static -g -l 32 -k MODHEX 1   # generate a random 32-character static password and store it in slot 1 (the trailing Enter keystroke is kept)
ykman otp static -k US 1 'ceci#et$mon%motdepasse'   # or store a password of your own
The MODHEX layout only accepts the letters c b d e f g h i j k l n r t u v (the keys that sit in the same place on almost every keyboard layout), so a password containing other characters needs the US or DE layout, and it must be single-quoted so the shell does not expand $mon.
OATH - HOTP / TOTP (6 or 8 digit token)
OATH (the Initiative for Open Authentication, https://openauthentication.org/) is the industry group behind the two open OTP standards HOTP (RFC 4226) and TOTP (RFC 6238). https://developers.yubico.com/OATH/
- TOTP
To authenticate using TOTP, the user enters a 6-8 digit code that changes every 30 seconds. The code is a truncation of HMAC(sharedSecret, floor(unixTime / 30)): the counter is the number of 30-second periods since the Unix epoch, so both sides need a reasonably accurate clock. The shared secret is usually provisioned as a QR code (an otpauth:// URI) or preprogrammed into a hardware token.
Websites with TOTP support: twofactorauth.org lists common websites that support TOTP.
- HOTP
HOTP works just like TOTP, except that an authentication counter is used instead of a timestamp. The advantage is that HOTP devices need no clock. The drawback is that HOTP can lose counter synchronisation: if the user generates an OTP without authenticating with it, the device counter moves ahead of the server counter. The server mitigates this by also testing a window of subsequent counter values (and never re-accepting a counter it has already seen). This cannot happen with Yubico OTP, because the counter travels inside the AES-encrypted token rather than being hashed into it: the server decrypts it, reads the actual counter value and only has to check that it is higher than the last one accepted.
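As an added example (not from the page), a minimal HOTP/TOTP implementation in Python following RFC 4226 and RFC 6238, together with the server-side look-ahead window that resynchronises a drifted HOTP counter without accepting replays, and the small clock-skew window a TOTP server typically allows. The secret is the RFC reference secret; the counters, window and skew values are chosen here.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used as test input.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP whose counter is the number of `step`-second periods since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_hotp(secret: bytes, code: str, last_counter: int,
                window: int = 10, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check with look-ahead resynchronisation.

    The server only stores the counter of the last accepted OTP. If the token was pressed
    without the code being used, the token counter is now ahead; trying the next `window`
    counters resynchronises. Counters <= last_counter are never tried, so a replayed code is
    rejected. Returns the counter to store on success, None on failure."""
    for candidate in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                skew: int = 1, digits: int = 6) -> bool:
    """Accept the current time step and +/- `skew` neighbouring steps of clock drift.
    A real server also records the last accepted step so one code cannot be used twice."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, current + d, digits), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))             # 755224 (RFC 4226 test vector, counter 0)
    print(totp(RFC_SECRET, 59, digits=8))  # 94287082 (RFC 6238 test vector, T = 59)
    # Token pressed three times without use: the server, still at counter 2, resyncs to 5.
    print(verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 5), last_counter=2))   # 5
    # The code for counter 3 is now behind the server: rejected as a replay.
    print(verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 3), last_counter=5))   # None
```

The window is the trade-off: a larger one tolerates more unused presses but gives an attacker who captured one code more counters to hope for; a rejected OTP should never move the stored counter.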
ykman oath [OPTIONS] COMMAND [ARGS]...
ykman oath info
ykman oath list
ykman oath set-password -c            # remove the password protecting the OATH application
ykman oath set-password -n password   # set the OATH application password to "password"
U2F-FIDO - HID protocol over USB
https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-hid-protocol.html
Smart card reader - PIV (Personal Identity Verification)
PIV certificate slots
Slot 9a: PIV Authentication
This certificate and its associated private key is used to authenticate the card and the cardholder. This slot is used for things like system login. The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent.
Slot 9c: Digital Signature
This certificate and its associated private key is used for digital signatures for the purpose of document signing, or signing files and executables. The end user PIN is required to perform any private key operations. The PIN must be submitted every time immediately before a sign operation, to ensure cardholder participation for every digital signature generated.
Slot 9d: Key Management
This certificate and its associated private key is used for encryption for the purpose of confidentiality. This slot is used for things like encrypting e-mails or files. The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent.
Slot 9e: Card Authentication
This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.
Slot 82-95: Retired Key Management
These slots exist on the YubiKey 4 and later (not on the NEO). They are meant for previously used Key Management keys, so that documents or e-mails encrypted earlier can still be decrypted after the 9d key has been rotated. All 20 of them are fully usable.
Slot f9: Attestation
This slot is only available on YubiKey version 4.3 and newer. It is only used for attestation of other keys generated on device with instruction f9. This slot is not cleared on reset, but can be overwritten.
- GPG
https://www.youtube.com/watch?v=bFLBEgqG04I
OATH (with Yubico Authenticator apps)
To sign in to any account that requires authenticator codes. (Use a YubiKey as a MFA device to replace Google Authenticator)
https://hackernoon.com/use-a-yubikey-as-a-mfa-device-to-replace-google-authenticator-b4f4c0215f2
With Google Authenticator or Authy on a phone you scan a QR code with the camera; a YubiKey obviously cannot do that.
Instead, you need the Base32 secret that the QR code encodes (sites usually offer it next to the QR code for manual entry) and pass it to the YubiKey with the ykman tool installed earlier. To add 2FA/MFA for a service this way you provide both that secret and a name that lets you identify the service/account later.
ykman oath add -t <SERVICE_NAME> <YOUR_BASE32_KEY>
The -t flag means you will have to touch the key to get the 6-digit code later. This is recommended so that malware on the host cannot generate codes without user intervention. If you leave out <YOUR_BASE32_KEY>, ykman prompts for it, which keeps the secret out of your shell history.
After running the previous command, you should now be able to generate a 6-digit code running ykman again.
ykman oath code <SERVICE_NAME>
It will ask you to touch your YubiKey, and then display the code in the screen.
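As an added example (mine, not from the page nor from the linked article or from ykman), a Python helper for the provisioning step above: it takes the otpauth:// URI that the QR code actually encodes, normalises the secret into the padded upper-case base32 that ykman expects (copied secrets often come lower-case and with spaces), and builds the matching ykman oath add command line. The flags used (-o, -d, -a, -i, -P, -c, -t) are those of the ykman 3.x command; the URIs in the usage are constructed.

```python
import base64
import binascii
import re
from typing import List
from urllib.parse import parse_qs, unquote, urlparse


def normalize_base32(secret: str) -> str:
    """Turn a copied secret ('jbsw y3dp ehpk 3pxp') into padded upper-case base32
    and fail early if it is not base32 at all."""
    cleaned = re.sub(r"[\s-]", "", secret).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    try:
        base64.b32decode(cleaned)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base32: {secret!r}") from exc
    return cleaned


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... or otpauth://hotp/... URI as embedded in a QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("expected an otpauth://totp/ or otpauth://hotp/ URI")
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")   # label is "Issuer:account" or just "account"
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    digits = int(params.get("digits", 6))
    if digits not in (6, 7, 8):
        raise ValueError(f"unsupported digits={digits}")
    return {
        "type": parts.netloc,
        "name": account.strip(),
        "issuer": params.get("issuer", label_issuer).strip() or None,
        "secret": normalize_base32(params["secret"]),
        "digits": digits,
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "period": int(params.get("period", 30)),
        "counter": int(params["counter"]) if "counter" in params else 0,
    }


def ykman_add_argv(cred: dict, touch: bool = True) -> List[str]:
    """Build the argv for `ykman oath add` from a parsed credential
    (-o oath type, -d digits, -a algorithm, -i issuer, -P period, -c counter, -t touch)."""
    argv = ["ykman", "oath", "add",
            "-o", cred["type"].upper(),
            "-d", str(cred["digits"]),
            "-a", cred["algorithm"]]
    if cred["issuer"]:
        argv += ["-i", cred["issuer"]]
    if cred["type"] == "totp":
        argv += ["-P", str(cred["period"])]
    else:
        argv += ["-c", str(cred["counter"])]
    if touch:
        argv.append("-t")
    argv += [cred["name"], cred["secret"]]
    return argv


if __name__ == "__main__":
    # Constructed URI of the kind a site's QR code contains.
    uri = ("otpauth://totp/Example%20Corp:alice%40example.com"
           "?secret=jbsw%20y3dp%20ehpk%203pxp&issuer=Example%20Corp&digits=8&period=60")
    print(ykman_add_argv(parse_otpauth(uri)))
```

Hand the list to subprocess.run rather than pasting it into a shell, or drop the last element and let ykman prompt for the secret, so the secret does not end up in shell history.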
YubiKey with OpenPGP
https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
ykman openpgp info
apt install scdaemon pcscd pcsc-tools
gpg --card-status
gpg --edit-key xxxxxxx    # inside the editor: toggle (only needed on GnuPG 2.0 and older), key N to select a subkey, keytocard to move it to the YubiKey
gpg --card-edit           # inside the editor: help, admin
keytocard replaces the local private key with a stub pointing at the card, so back up the key before moving it.
PIN management
- PIN verification
yubico-piv-tool -a verify-pin -P 123456
- change PIN
yubico-piv-tool -a change-pin -P 123456 -N 888888
Configuration protection access code
For security reasons and to avoid accidental reprogramming, the OTP slot configurations of a YubiKey can be protected with a configuration protection access code. Once it is set, nobody can reprogram the slot unless the correct access code is supplied during reprogramming. The following operations are supported:
YubiKey(s) unprotected - Keep it that way: use this option if the YubiKey is currently unprotected and you want to keep it that way.
YubiKey(s) unprotected - Enable protection: use this option if the YubiKey is currently unprotected and you want to enable the protection. You must provide the New Access Code.
YubiKey(s) protected - Disable protection: use this option if the YubiKey is currently protected and you want to disable the protection. You must provide your Current Access Code.
YubiKey(s) protected - Keep it that way: use this option if the YubiKey is currently protected and you want to keep it that way. You must provide your Current Access Code.
YubiKey(s) protected - Change access code: use this option if the YubiKey is currently protected and you want to change the access code. You must provide your Current Access Code and the New Access Code.
Important note: the access code cannot be read back from the YubiKey. Yubico strongly recommends recording the access code for each YubiKey programmed. The easiest way is to keep logging enabled in the personalization tool and archive the relevant log records.
CLI
https://developers.yubico.com/yubikey-manager/
sudo apt-add-repository ppa:yubico/stable
sudo apt update
sudo apt install yubikey-manager
List connected YubiKeys, only output serial numbers:
ykman list --serials
Show information about the YubiKey with serial number 0123456:
ykman --device 0123456 info
ykman list
ykman info
ykman otp swap                                  # swaps the two slot configurations
ykman piv change-pin -P 123456 -n 88888888      # change the PIN from the default 123456 to 88888888 (6-8 characters)
ykman piv change-puk -p 12345678 -n 76384512    # change the PUK from the default 12345678 to 76384512
ykman piv change-management-key -g              # generate a random management key and print it; store it safely, it is needed for every key generation and certificate import (add --protect to keep it on the key, unlocked by the PIN, instead)
ykman piv import-certificate [OPTIONS] SLOT CERTIFICATE
  SLOT         PIV slot to import the certificate to.
  CERTIFICATE  File containing the certificate. Use '-' to use stdin.
Options:
  -m, --management-key TEXT  The management key.
  -P, --pin TEXT             PIN code.
  -p, --password TEXT        A password may be needed to decrypt the data.
  -h, --help                 Show this message and exit.
Packages
sudo apt install yubioath-desktop yubikey-piv-manager yubico-piv-tool ykneomgr yubikey-manager yubikey-personalization-gui yubikey-manager-qt
Tips
- Generate a new management key (24 random bytes as 48 hex characters; ykman piv change-management-key -g does the same)
key=$(LC_ALL=C tr -dc '0-9a-f' < /dev/urandom | head -c 48)   # LC_ALL=C keeps tr from choking on non-UTF-8 bytes; head stops the read after 48 characters
- demo
https://demo.yubico.com/
- Lists of sites / apps that support it:
https://www.yubico.com/works-with-yubikey/catalog/
https://twofactorauth.org/
https://www.dongleauth.info/
- alias
alias AdobeID="ykman oath code AdobeID"
alias Amazon="ykman oath code Amazon"
alias Autodesk="ykman oath code Autodesk"
alias Firefox="ykman oath code Firefox"
alias Github="ykman oath code Github"
alias Google="ykman oath code Google"
alias Microsoft="ykman oath code Microsoft"
alias Sony="ykman oath code Sony"
alias TeamViewer="ykman oath code TeamViewer"
- AZERTY keyboard (scancode map for the static password)
ykpersonalize -S06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899a79e9fa0a1a2a3a4a5a6382b28
https://www.yubico.com/blog/yubikey-keyboard-layouts/
NFC function for the NEO
To verify you have a YubiKey NEO that supports NFC, check to see your YubiKey is running firmware version 3.4.0 or later.
https://support.yubico.com/support/solutions/articles/15000006448-using-u2f-over-nfc-with-your-yubikey-neo
The YubiClip app from the Google Play Store can capture the output from an NFC enabled YubiKey over NFC, and allow it to be pasted into any field on an Android device.
Note that the default NDEF programming needs to be used. If you've reprogrammed the NDEF tag of your YubiKey NEO, you will need to change it back to the URL: https://my.yubico.com/neo/
So no URN assignment for the NFC tag (https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml) is needed: the default NDEF record is that URL.
Further reading
http://www.globalsecuritymag.fr/7-choses-que-vous-avez-toujours,20180829,80528.html
https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual
HowTo
- info
ykman info        # serial number, enabled modes, applications
ykman otp info    # whether the OTP slots are configured
ykinfo -a         # also shows whether the slots are configured (0/1)
- reset
ykman piv reset                   # full PIV reset: PIN, PUK and management key back to their defaults, all PIV keys and certificates deleted (OTP, FIDO and OATH are not touched)
ykman mode o+f+c                  # enable all three USB modes (OTP+FIDO+CCID) on a NEO / YubiKey 4; on a YubiKey 5 use: ykman config usb --enable-all
ykman otp delete 1                # delete the configuration in slot 1
ykman otp delete 2                # delete the configuration in slot 2
ykman config set-lock-code -c     # remove the configuration lock code