5 comments

[ 3.1 ms ] story [ 17.1 ms ] thread
My notes on setting up a Yubikey to keep private SSH key on it. There were a bunch of existing guides, but non covered everything or had extra steps that aren't necessary.
These steps didn't work for me; I failed at creating the self-signed certificate:

  yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" --valid-days=3650 -i yubikey.pub.pkcs8 -o cert.pem -v
  trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID'.
  Action 'verify-pin' does not need authentication.
  Action 'selfsign-certificate' does not need authentication.
  Now processing for action 'verify-pin'.
  Enter PIN:
  Successfully verified PIN.
  Now processing for action 'selfsign-certificate'.
  Failed sign command with code 6a80.
  Failed signing certificate.
I haven't yet figured out what 6a80 means. Does this guide assume the Yubikey is in any particular state?
Thank you. I've been waiting for a decentv write upb to gain confidence in this process.

I usually save a gpg .ASC of the private key a encoded in something I have confidence in but a pkcs12 with long passphrase might be better.

Fantastic guide. Is there any android ssh application that can use the key stored on a yubi key nfc?
Yes, TermBot (Fork of ConnectBot with YK support) can use the Authentications key of the OpenPGP applet for SSH using OpenKeychain.

Works like a charm but you need have the key in the OpenPGP applet, not the PIV applet.