Staf Wagemakers

Hi, I’m staf…

Protecting your SSH keys with SmartCard-HSM

3 minute read

I use a yubi key for my ssh authentication. But I’ve other ssh keys for my remote services so wanted something that allows me to take a backup of my keys see this post for more information on to backup/restore a SmartCard-HSM

Create your first ssh keypair

Verify your smartcard connection

Insert you smartcard and verify the connection, see my previous post if you need more information about the smartcard initialization

[staf@vicky ~]$ pkcs11-tool -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Generic Smart Card Reader Interface [Smart Card Reader Interface
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.2
  serial num         : DECM0102331
[staf@vicky ~]$

Create your keypair

Create your ssh key pair and give the a meaningful label

[staf@vicky ~]$ pkcs11-tool --slot 1 --keypairgen --key-type rsa:2048 --label my_ssh_key --login
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      my_ssh_key
  ID:         fca6240eeef8d3156f0c4dfc591b2d938d6104cb
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      my_ssh_key
  ID:         fca6240eeef8d3156f0c4dfc591b2d938d6104cb
  Usage:      encrypt, verify, wrap
[staf@vicky ~]$

Extract your public key

We used PKCS11 to generate the keypair, PKCS15 is designed identify users to applications.

Dump the token content

Dump the token content to get the id of your ssh keypair.

[staf@vicky ~]$ pkcs15-tool -D
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102331
        Manufacturer ID: www.CardContact.de
        Flags          : 

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x81A], local, unblock-disabled, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9E], local, change-disabled, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Tries left     : 3

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        FieldLength    : 256
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        MD:guid        : {efac9b29-2289-658c-98d1-af5af965d484}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Private RSA Key [my_ssh_key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 2 (0x2)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb
        MD:guid        : {a272b2ad-ff6f-606c-801a-4153be498018}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public EC Key [myfirst_keypair]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        FieldLength    : 256
        Key ref        : 0 (0x0)
        Native         : no
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        DirectValue    : <present>

Public RSA Key [my_ssh_key]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb
        DirectValue    : <present>

[staf@vicky ~]$

Get the public key

[staf@vicky ~]$ pkcs15-tool --read-ssh-key fca6240eeef8d3156f0c4dfc591b2d938d6104cb
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWShfPjqh+pU8lCoIhXIXh+cGpSem1iNFH6TuluQQLPiqPIeObCTfqC8q9TjR/2FYzG+3ECdiRr0fiywE9OnzUgJI5oOjXfMwY3xE1PbYBrSvYERofhkEv2ejlyRifN3sbLGSU0V7pX+BNOuiJCquCehPMV9+ehkjbk9hPRFUzL1GywsOkmWUoIzrdjH0dlhPX3TUCdoizWAIdUqg+RX4DCEc52RvaGdX4Tn2THxeffXqFJ/gKkParZSLmOND1iRhtJeJ8CmgAqfD8ReshbcSs231h/QvUl3JaThcrLbPrSQFzVUH+rN+pGlSl722NWyPNPWlwwE+SreTLbQRoWayN my_ssh_key
[staf@vicky ~]$

Configure the remote host

Add the key to the remote host

staf@vicky .ssh]$ vi authorized_keys 
[staf@vicky .ssh]$

Test the connection

Test you ssh connection with the PKCS11 interface:

[staf@vicky ~]$ ssh localhost
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

With the PKCS11 interface enabled:

[staf@vicky ~]$ ssh -o "PKCS11Provider opensc-pkcs11.so" localhost
C_GetAttributeValue failed: 18
Enter PIN for 'SmartCard-HSM (UserPIN)': 
Last login: Thu Dec  3 09:55:23 2015 from ::1
gpg-agent[17327]: enabled debug flags: command cache ipc
gpg-agent: a gpg-agent is already running - not starting a new one
gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
[staf@vicky ~]$

Update your ssh_config

Add PKCS11Provider opensc-pkcs11.so to your ~/.ssh/config or your global ssh_config

staf@vicky ~]$ cd .ssh/
[staf@vicky .ssh]$ vim config
PKCS11Provider opensc-pkcs11.so
[staf@vicky .ssh]$

** Have fun … **

Leave a comment

You may also enjoy

Running OpenBSD as an UEFI virtual machine (on a Raspberry Pi)

9 minute read

I started to migrate all the services that I use on my internal network to my Raspberry Pi 4 cluster. I migrated my FreeBSD jails to BastileBSD on a virtual machine running on a Raspberry Pi. See my blog post on how to migrate from ezjail to BastilleBSD. https://stafwag.github.io/blog/blog/2023/09/10/migrate-from-ezjail-to-bastille-part1-introduction-to-bastillebsd/

tianocore

Running FreeBSD as a virtual machine with UEFI on ARM64 came to the point that it just works. I have to use QEMU with u-boot to get FreeBSD up and running on the Raspberry Pi as a virtual machine with older FreeBSD versions: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/.

But with the latest versions of FreeBSD ( not sure when it started to work, but it works on FreeBSD 14) you can run FreeBSD as a virtual machine on ARM64 with UEFI just like on x86 on GNU/Linux with KVM.

UEFI on KVM is in general provided by the open-source tianocore project.

I didn’t find much information on how to run OpenBSD with UEFI on x86 or ARM64.

OpenBSD 7.4

So I decided to write a blog post about it, in the hope that this information might be useful to somebody else. First I tried to download the OpenBSD 7.4 ISO image and boot it as a virtual machine on KVM (x86). But the iso image failed to boot on a virtual with UEFI enabled. It looks like the ISO image only supports a legacy BIOS.

ARM64 doesn’t support a “legacy BIOS”. The ARM64 download page for OpenBSD 7.4 doesn’t even have an ISO image, but there is an install-<version>.img image available. So I tried to boot this image on one of my Raspberry Pi systems and this worked. I had more trouble getting NetBSD working as a virtual machine on the Raspberry Pi but this might be a topic for another blog post :-)

You’ll find my journey with my installation instructions below.

Read more...

Getting started with GitLab-CE. Part 1: Installation

12 minute read

CI/CD Platform Overview

When you want or need to use CI/CD you have a lot of CI/CD platforms where you can choose from. As with most “tools”, the tool is less important. What (which flow, best practices, security benchmarks, etc) and how you implement it, is what matters.

One of the most commonly used options is Jenkins.

I used and still use Jenkins and created a jenkins build workstation to build software and test in my homelab a couple of years back.

jenkins

Jenkins started as Hudson at Sun Microsystem(RIP). Hudson is one of the many open-source projects that were started at Sun and killed by Oracle. Jenkins continued as the open-source fork of Hudson.

Jenkins has evolved. If you need to do more complex things you probably end up creating a lot of groovy scripts, nothing wrong with groovy. But as with a lot of discussions about programming, the ecosystem (who is using it, which libraries are available, etc) is important.

Groovy isn’t that commonly used in and known in the system administration ecosystem so this is probably something you need to learn if you’re coming for the system administrator world ( as I do, so I learnt the basics of Groovy this way ).

The other option is to implement CI/CD using the commonly used source hosting platforms; GitHub and GitLab.

Read more...