Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:21 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Tue Nov 24, 2015 9:04 pm 
Offline

Joined: Tue Nov 24, 2015 8:46 pm
Posts: 4
I'm trying to get PIV working again after i erased everything from my yk4.

I ran into some problems after testing all different things and erasing slot 1 & 2
Before i ran into troubles i found the tutorial on http://www.jupiterbroadcasting.com/8506 ... y-las-373/ and had SSH auth. with PIV working.

After i erased both slots, i imported the certificate again (yubico-piv-tool -a import-certificate -s 9a -i cert.pem ), and everything looked okay.
Code:
ssh-add -L
gives me the same public key as before
Code:
ssh-keygen -D /usr/local/lib/opensc-pkcs11.so
gives also the same pubkey
Code:
→ opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey 4 OTP+U2F+CCID

Code:
→ opensc-tool -n
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID
PIV-II card


In
Code:
/etc/ssh/ssh_config
the last line is.
Code:
PKCS11Provider /usr/local/lib/opensc-pkcs11.so


Code:
→ ssh -v ds
OpenSSH_6.9p1, LibreSSL 2.1.7
debug1: Reading configuration data /Users/jasper/.ssh/config
debug1: /Users/jasper/.ssh/config line 1: Applying options for *
debug1: /Users/jasper/.ssh/config line 20: Applying options for ds
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 102: Applying options for *
debug1: Connecting to diskstation [fe80::211:32ff:fe2c:429%en1] port 22.
debug1: Connection established.
debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
debug1: label <PIV_II (PIV Card Holder pin)> manufacturerID <piv_II> model <PKCS#15 emulate> serial <dfe90784a4debfe> flags 0x40d
debug1: have 1 keys
debug1: pkcs11_provider_unref: 0x7f96834013d0 refcount 2
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jasper/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p2-hpn14v4
debug1: match: OpenSSH_6.6p2-hpn14v4 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug1: Authenticating to diskstation:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:DGUtiafnuStDg1mXoIY8iKk/n+qM45znekL1WpzTm+A
debug1: Host 'diskstation' is known and matches the ECDSA host key.
debug1: Found key in /Users/jasper/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /usr/local/lib/opensc-pkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 279
Enter PIN for 'PIV_II (PIV Card Holder pin)':
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: /usr/local/lib/opensc-pkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Trying private key: /Users/jasper/.ssh/id_rsa
debug1: Trying private key: /Users/jasper/.ssh/id_dsa
debug1: Trying private key: /Users/jasper/.ssh/id_ecdsa
debug1: Trying private key: /Users/jasper/.ssh/id_ed25519
no such identity: /Users/jasper/.ssh/id_ed25519: No such file or directory
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).


without the -vvv

Code:
→ ssh  ds
Enter PIN for 'PIV_II (PIV Card Holder pin)':
no such identity: /Users/jasper/.ssh/id_ed25519: No such file or directory
Permission denied (publickey,keyboard-interactive).



Does anyone have any tips to get it working again?

- Jasper


Attachments:
Certificates 2015-11-24 19-52-32.jpg
Certificates 2015-11-24 19-52-32.jpg [ 101.62 KiB | Viewed 3158 times ]
YubiKey NEO Manager (1.4.0) 2015-11-24 19-53-28.jpg
YubiKey NEO Manager (1.4.0) 2015-11-24 19-53-28.jpg [ 97.64 KiB | Viewed 3158 times ]


Last edited by Jasper on Wed Nov 25, 2015 7:28 pm, edited 1 time in total.
Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Nov 25, 2015 9:01 am 
Offline

Joined: Tue Nov 24, 2015 8:46 pm
Posts: 4
I've erased everything again according to http://forum.yubico.com/viewtopic.php?f=26&t=1941
rebooted
imported pem
but now it's telling me this:

Quote:
Enter PIN for 'PIV_II (PIV Card Holder pin)':
C_Sign failed: 32
no such identity: /Users/jasper/.ssh/id_ed25519: No such file or directory
Permission denied (publickey,keyboard-interactive).


When i'm passing in a wrong pin, it gives me:
Quote:
C_Login failed: 160


Top
 Profile  
Reply with quote  
PostPosted: Wed Nov 25, 2015 7:28 pm 
Offline

Joined: Tue Nov 24, 2015 8:46 pm
Posts: 4
I solved it.

It probably has something todo with the fact that i was importing my 'old' certificate and using cli-tools and gui through one another.

Here was my solution:
I've started
Code:
yubico PIV manager 1.1.1

tried to delete the certificate that was loaded, somehow it complained about the management while it was asking for my pin.
Then i entered a wrong for few times because i was fed up with that..
after resetting it, (all within the gui), setting a new pin, i generated a new certificate.
In terminal i tried
Code:
ssh-keygen -D /usr/local/lib/opensc-pkcs11.so
and it gave me a new pubkey.
I added that to my server and everything worked.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: YahooSeeker [Bot] and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group