In order to protect my workstation from unwanted access I enabled PAM Certificate Authentication on my Ubuntu 24.04 workstation.
Introduction
Yubico’s Yubikey hardware devices provide a powerful method for secure authentication, and one of the ways to use a Yubikey is through the PKCS#11 standard. PKCS#11 is a cryptographic token interface standard, allowing applications to perform cryptographic operations using hardware security modules (HSMs) or smart cards, like the Yubikey.
This article will guide you through the process of enabling Yubico’s PKCS#11 module on Ubuntu 24.04. By the end of this guide, you will be able to use your Yubikey for secure cryptographic operations with compatible applications such as SSH, OpenSSL, or PGP.
Prerequisites
Before starting, ensure you have the following:
- A Yubikey device.
- A computer running Ubuntu 24.04.
- Administrative (sudo) access to your system.
- An internet connection to install necessary packages.
Step 1: Install Required Packages
Yubico’s PKCS#11 module can be installed on Ubuntu through the Yubico repository. To begin, update your system and install the necessary dependencies.
- Update your system:
- Install the required packages: You will need to install the yubico-pkcs11 package, which contains the PKCS#11 module, as well as dependencies such as pcscd (the PC/SC daemon, required for communication with the Yubikey).
  - yubico-pkcs11: The Yubico PKCS#11 module.
  - pcscd: The daemon for communication with smart cards and other cryptographic devices.
  - libpcsc-perl: Optional library for smart card communication.
Step 2: Enable and Start the PC/SC Daemon
The pcscd daemon is essential for communicating with your Yubikey. It must be running to interact with the Yubikey device.
- Enable and start pcscd:
- Check the status of the service: To ensure that the daemon is running correctly, use the following command. If the service is running properly, it should display an active status.
Step 3: Verify Yubikey Recognition
Insert your Yubikey into a USB port and verify that it is recognized by your system.
- Check the list of USB devices: Use the lsusb command to ensure that your Yubikey is detected. Look for an entry like this; it should display the Yubico device if it’s properly detected.
- Check if the Yubikey is available for use: You can use the yubico-pkcs11-tool to list the available tokens (Yubikeys) connected to the system. This should return information about your Yubikey if everything is set up correctly.
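As an added example (not from the original article), the following shell script does the "look for a Yubico entry in lsusb" check programmatically: it matches lines by Yubico's USB vendor ID, 1050, which is stable across models, rather than by the description text, which varies. The lsusb output embedded in it is constructed for an offline run; on a real machine the product ID after the colon changes with the USB interfaces enabled on the key, and the CCID interface must be among them, or pcscd will not see the key at all.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Detect Yubico devices in lsusb output by USB vendor ID (1050 is Yubico's).

YUBICO_VENDOR_ID="1050"

# Constructed sample in the same format lsusb prints; the product ID 0407 and
# the description are illustrative and will differ depending on the key's mode.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0026 Intel Corp. AX201 Bluetooth
Bus 001 Device 005: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub'

# yubikeys_in TEXT: print every lsusb line whose "vendor:product" field
# (the 6th whitespace-separated field) starts with the Yubico vendor ID.
yubikeys_in() {
    printf '%s\n' "$1" | awk -v vid="$YUBICO_VENDOR_ID" '
        $6 ~ ("^" vid ":") { print }'
}

# count_yubikeys TEXT: number of Yubico devices in TEXT (prints 0 if none).
count_yubikeys() {
    printf '%s\n' "$1" | awk -v vid="$YUBICO_VENDOR_ID" '
        $6 ~ ("^" vid ":") { n++ }
        END { print n + 0 }'
}

# ccid_enabled TEXT: 0 if at least one Yubico line advertises the CCID
# interface (the one pcscd and therefore PKCS#11 need), 1 otherwise.
ccid_enabled() {
    yubikeys_in "$1" | grep -q 'CCID'
}

# check_live: run the same checks against the real lsusb when it is installed.
check_live() {
    if ! command -v lsusb >/dev/null 2>&1; then
        echo "lsusb not found (install the usbutils package)" >&2
        return 1
    fi
    out=$(lsusb)
    n=$(count_yubikeys "$out")
    echo "Yubico devices detected: $n"
    if [ "$n" -gt 0 ] && ! ccid_enabled "$out"; then
        echo "warning: no Yubico device exposes CCID; pcscd will not see it" >&2
        return 2
    fi
    [ "$n" -gt 0 ]
}
```

Run check_live on the workstation after plugging the key in; a count of zero with the key inserted points at USB or udev, while a non-zero count without CCID points at the key's interface configuration rather than at pcscd.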
Step 4: Configure the PKCS#11 Module
The next step is configuring the PKCS#11 module to use your Yubikey. The configuration process depends on the application you’re using (e.g., OpenSSH, OpenSSL, GnuPG), but we’ll configure the environment for general use here.
- Create the PKCS11 module configuration directory: The configuration files for PKCS#11 modules are usually located in /etc/crypto-policies/back-ends/. Create the directory if it doesn’t already exist.
- Link the Yubico PKCS#11 module to the appropriate configuration file: The Yubico PKCS#11 module must be added to the configuration so that applications can access it. You can do this by linking the Yubico PKCS#11 shared library to the appropriate system-wide configuration file. This ensures that the Yubikey PKCS#11 module is available for cryptographic operations.
Step 5: Configure Applications to Use Yubikey PKCS#11 Module
Now that the Yubico PKCS#11 module is installed and configured, it can be used by compatible applications. Here are some common applications that support PKCS#11:
1. SSH with Yubikey for Authentication
To use your Yubikey for SSH authentication, you need to ensure that the OpenSSH client is configured to use the PKCS#11 module.
- Install the OpenSSH client (if not already installed):
- Modify your SSH configuration to load the PKCS#11 module: Edit the ~/.ssh/config file to include the following configuration. This tells SSH to use the Yubikey for authentication via the PKCS#11 module.
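As an added example (not the article's own configuration), the script below writes the ssh_config entry for this step idempotently and applies the check a practitioner would want first: PKCS11Provider makes the ssh client dlopen the named shared library into its own process, so the module file must exist and must not be writable by group or others, otherwise anyone who can modify it gains code execution in every ssh session you start. The module path is an assumption (the ykcs11 library shipped with yubico-piv-tool); substitute the path the Yubico PKCS#11 package installs on your system.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Add "PKCS11Provider <module>" to an ssh_config file, once, after checking
# that the module is safe to load. Requires GNU stat (Ubuntu coreutils).

# Assumed location of the Yubico PKCS#11 module; override via the environment.
MODULE_PATH="${MODULE_PATH:-/usr/lib/x86_64-linux-gnu/libykcs11.so}"

# module_is_safe FILE: 0 if FILE is a regular file that is not writable by
# group or others (symbolic mode "-rw-r--r--": position 6 is group write,
# position 9 is other write); 1 otherwise.
module_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    sym=$(stat -c '%A' "$f") || return 1
    case "$sym" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# add_pkcs11_provider CONFIG MODULE: append a PKCS11Provider line for MODULE
# to CONFIG unless an identical line is already present. Refuses (returns 1)
# when MODULE fails module_is_safe; warns when MODULE is not owned by root.
add_pkcs11_provider() {
    cfg="$1"; mod="$2"
    if ! module_is_safe "$mod"; then
        echo "refusing to reference $mod: missing, or writable by group/others" >&2
        return 1
    fi
    if [ "$(stat -c '%u' "$mod")" != "0" ]; then
        echo "warning: $mod is not owned by root" >&2
    fi
    if [ -f "$cfg" ] && grep -qF "PKCS11Provider $mod" "$cfg"; then
        return 0   # already configured, nothing to do
    fi
    mkdir -p "$(dirname "$cfg")"
    printf '\n# Yubikey via PKCS#11 (added by add_pkcs11_provider)\nPKCS11Provider %s\n' \
        "$mod" >> "$cfg"
    chmod 600 "$cfg"   # ssh expects the user config to be private
}

# Typical invocation on the workstation (not run automatically here):
#   add_pkcs11_provider "$HOME/.ssh/config" "$MODULE_PATH"
```

With the entry in place, every ssh invocation loads the module and offers the key's certificate-backed identity; for a one-off session the equivalent is the -I option with the same module path, and ssh-add -s with that path loads the key into ssh-agent instead. Keep the line under a Host block rather than global if only some servers should see the hardware key.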
2. OpenSSL with Yubikey
To use the Yubikey with OpenSSL, you can load the PKCS#11 module in your OpenSSL configuration.
- Set the PKCS#11 environment variable: Add the following line to your shell configuration (e.g., ~/.bashrc).
- Use OpenSSL commands: Once this is configured, you can use OpenSSL commands that support PKCS#11, such as signing or encryption operations, using the Yubikey.
3. GnuPG (GPG) with Yubikey
To use your Yubikey for GPG operations, you need to configure GnuPG to recognize and use the PKCS#11 module.
- Install the necessary packages:
- Configure GPG to use the PKCS#11 module: Edit your ~/.gnupg/gpg.conf file to include the following line. Additionally, edit ~/.gnupg/scdaemon.conf to point to the Yubico PKCS#11 module. GPG should now be able to use your Yubikey for operations like signing, encrypting, and decrypting messages.
Step 6: Test the Setup
Test that the Yubikey is properly integrated by performing some cryptographic operations. For example:
- SSH: Try logging into a remote server using the Yubikey as your authentication method.
- GPG: Attempt to sign a message using GPG with your Yubikey.
- OpenSSL: Try using OpenSSL to generate a key pair or sign a file.
If all tests are successful, your Yubikey is now fully integrated with your system via PKCS#11.
Conclusion
Enabling Yubico’s PKCS#11 module on Ubuntu 24.04 allows you to integrate your Yubikey into various applications, providing enhanced security for authentication and cryptographic operations. By following the steps in this guide, you should be able to seamlessly use your Yubikey for SSH, OpenSSL, GPG, and other compatible applications.