Episode 2.0 — PIV is life!
With multi-factor authentication on the rise, I wanted to take some time to talk about an often forgotten way of providing a second factor: smart cards! Yubico has provided a relatively consumer-friendly way to do just this with the YubiKey 4. It's not just for governments anymore. Couple it with open source technology such as FreeIPA and you can issue and manage the certificates yourself.
These steps assume that you already have a FreeIPA server set up with a CA.
On the FreeIPA server, first obtain a Kerberos ticket for a user with privileges to create users and request user certificates.
[root@ipa ~]# kinit admin@EXAMPLE.LOCAL
Password for admin@EXAMPLE.LOCAL:

Let's create a user!
[root@ipa ~]# ipa user-add --first=David --last=Sirrine --cn='David Sirrine' --homedir=/home/dsirrine --shell=/usr/bin/fish --password --sshpubkey="$SSHPUBKEY"

Note: the --password flag makes the command prompt for the password, so it never appears in plain text or in your bash history. ($SSHPUBKEY stands in for the user's actual SSH public key.)
The output will look like the following:
User login [dsirrine]:
Password:
Enter Password again to verify:
---------------------
Added user “dsirrine”
---------------------
User login: dsirrine
First name: David
Last name: Sirrine
Full name: David Sirrine
Display name: David Sirrine
Initials: DS
Home directory: /home/dsirrine
GECOS: David Sirrine
Login shell: /usr/bin/fish
Principal name: dsirrine@EXAMPLE.LOCAL
Principal alias: dsirrine@EXAMPLE.LOCAL
User password expiration: 20180829155350Z
Email address: dsirrine@example.local
UID: 229800001
GID: 229800001
SSH public key: $SSHPUBKEY
SSH public key fingerprint: $SSHFINGERPRINT
Password: True
Member of groups: ipausers
Kerberos keys available: True

You can verify user creation with user-show, which prints the same information as above:
[root@ipa ~]# ipa user-show dsirrine

Now let's get into the fun stuff! Let's create the user's certificate. This can be done in one of two ways.
IPA CLI Method
This method uses an NSS database on the IPA server to generate the key pair and the CSR for you. The information required is:
principal = The user principal (uid) for whom the certificate is being created.
csr-profile-id = The CSR generation profile shipped with FreeIPA.
database = The NSS database directory in which the key pair is created. Keep in mind that the private key then lives in that database on the server until it is moved to the token.

[root@ipa ~]# ipa cert-request --principal dsirrine --csr-profile-id userCert --database /etc/ipa/nssdb/

OpenSSL Method
Let's create the CSR config file that openssl will use to generate the CSR. The subjectAltName carries the user's e-mail address, which IPA checks against the user entry when it issues the certificate.
[root@ipa ~]# cat << EOF > certrequest.cfg
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = dsirrine
[ exts ]
subjectAltName=email:dsirrine@example.local
EOF

Let's now create the private key.
[root@ipa ~]# openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
…………………………….+++
………………….+++
e is 65537 (0x010001)

Create the CSR:
[root@ipa ~]# openssl req -new -key key.pem -out certrequest.csr -config certrequest.cfg

Finally, we create the certificate! This is where a tool like IPA comes in handy: it takes the normally error-prone manual steps and simplifies them.
[root@ipa ~]# ipa cert-request certrequest.csr \
    --principal dsirrine \
    --profile-id IECUserRoles

The expected output from the above is:
Issuing CA: ipa
Certificate: $CERTBLOB
Subject: CN=dsirrine,O=EXAMPLE.LOCAL
Subject email address: dsirrine@example.local
Issuer: CN=Certificate Authority,O=EXAMPLE.LOCAL
Not Before: Wed Aug 29 17:41:39 2018 UTC
Not After: Sat Aug 29 17:41:39 2020 UTC
Serial number: 11
Serial number (hex): 0xB

Now we export the certificate and import it into the YubiKey. For this we need the ipa CLI and the tools Yubico provides to manage the PIV applet, yubico-piv-tool and ykman.
[root@ipa ~]# ipa cert-show 11 --out ./dsirrine.pem
Issuing CA: ipa
Certificate: $CERTBLOB
Subject: CN=dsirrine,O=EXAMPLE.LOCAL
Subject email address: dsirrine@example.local
Issuer: CN=Certificate Authority,O=EXAMPLE.LOCAL
Not Before: Wed Aug 29 17:41:39 2018 UTC
Not After: Sat Aug 29 17:41:39 2020 UTC
Serial number: 11
Serial number (hex): 0xB
Revoked: False
Owner user: dsirrine

We're going to use slot 9a, as this is the PIV Authentication slot. We can confirm the slot layout in the yubico-piv-tool help:
-s, --slot=ENUM               What key slot to operate on (possible
                                values="9a", "9c", "9d", "9e", "82",
                                "83", "84", "85", "86", "87", "88",
                                "89", "8a", "8b", "8c", "8d", "8e",
                                "8f", "90", "91", "92", "93", "94",
                                "95", "f9")

9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82–95 is for Retired Key Management
f9 is for Attestation
To import the certificate we need the PIV management key and the PIN. The defaults are:
management key: 010203040506070801020304050607080102030405060708
PIN: 123456

Change both (and the PUK) before the key holds anything that matters: with the factory management key, anyone who picks up the YubiKey can overwrite slot 9a. We're going to use ykman to import the certificate:
ykman piv import-certificate -m 010203040506070801020304050607080102030405060708 -P 123456 9a ./dsirrine.pem

Two caveats. Passing -m and -P on the command line puts the secrets into your shell history, which the user-add step above took care to avoid; omit them and ykman prompts for both. And import-certificate loads only the certificate: the private key that signed the CSR (key.pem above) has to be loaded into the same slot as well, with ykman's import-key subcommand, or the card cannot answer the challenge at login. We can validate the import by checking the PIV info with ykman:
[root@ws dsirrine]# ykman piv info
PIV version: 4.2.7
PIN tries remaining: 3
CHUID: No data available.
CCC: No data available.
Slot 9a:
Algorithm: RSA2048
Subject CN: dsirrine
Issuer CN: Certificate Authority
Fingerprint: $FINGERPRINT
Not before: 2018-08-29 17:41:39
Not after: 2020-08-29 17:41:39

Your YubiKey is now ready to use! To authenticate to a Linux system with this certificate, the host needs to be a member of the IPA realm (joined with ipa-client-install) and "Enable smart card support" needs to be checked in authconfig. When you log in you are prompted for the PIN to unlock the card, the certificate presented by the card is compared with the one stored in your user record, its validity is checked against the CRL/OCSP, and you are logged in.
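Here is the whole enrolment as one script, an added example that is not part of the original post and not Yubico's or FreeIPA's own code. It differs from the steps above in one deliberate way: the key pair is generated inside the YubiKey, so the private key never exists as a file. It refuses to proceed while the token still carries the factory management key and PIN, and it ends with the check SSSD makes at login, comparing the certificate on the card with the one on the user entry. Assumptions, none of them from the post: the ykman 3.x subcommand names used above (ykman 4 moved them under ykman piv keys and ykman piv certificates), a Kerberos ticket allowed to request certificates, the "/CN=user" subject syntax of ykman's generate-csr, that ipa user-show --all prints each certificate as a single "Certificate:" line, and the placeholder file names.

```shell
#!/usr/bin/env bash
# Added example, not from the original post and not Yubico's or FreeIPA's code.
# Assumes ykman 3.x subcommand names (ykman 4 renamed them), an ipa CLI with a
# Kerberos ticket, one attached YubiKey, and placeholder file names.
set -eu

FACTORY_MGMT_KEY=010203040506070801020304050607080102030405060708
FACTORY_PIN=123456

# Refuse factory credentials: the default management key lets anyone rewrite slot 9a.
# Also checks shape: management key = 24 bytes = 48 hex digits, PIN = 6 to 8 characters.
credentials_are_custom() {
    local key="$1" pin="$2"
    [ "$key" != "$FACTORY_MGMT_KEY" ] || return 1
    [ "$pin" != "$FACTORY_PIN" ] || return 1
    case $key in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#key}" -eq 48 ] || return 1
    [ "${#pin}" -ge 6 ] || return 1
    [ "${#pin}" -le 8 ]
}

# Base64 body of a PEM certificate on one line. It is the same base64 of the DER
# that FreeIPA stores in the user's usercertificate attribute.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '1d;$d' | tr -d '\n\r '
}

# The values "ipa user-show --all USER" prints as "Certificate: <base64>", one per
# line (assumption: each value is printed unwrapped, as in the cert-show output above).
record_certs() {
    sed -n 's/^ *Certificate: *//p' "$1" | tr -d '\r'
}

# The core of the check SSSD makes at login: the certificate on the card must
# match, byte for byte, a certificate stored on the user entry.
card_cert_bound_to_user() {
    local body
    body=$(pem_body "$1")
    [ -n "$body" ] || return 1
    record_certs "$2" | grep -qxF -- "$body"
}

# Enrolment with the key pair generated inside the token. The post's openssl flow
# leaves key.pem on disk and would also need "ykman piv import-key" for slot 9a.
enroll_piv_user() {
    local user="$1" mgmt_key="$2" pin="$3" slot=9a serial
    credentials_are_custom "$mgmt_key" "$pin" || {
        echo "change the factory management key and PIN first" >&2
        return 1
    }
    # 1. Key pair on the YubiKey; only the public key is written to disk.
    ykman piv generate-key -m "$mgmt_key" -P "$pin" -a RSA2048 \
        --pin-policy ONCE --touch-policy NEVER "$slot" "$user-pub.pem"
    # 2. CSR signed by the token (subject syntax assumed for ykman 3.x).
    ykman piv generate-csr -P "$pin" -s "/CN=$user" "$slot" "$user-pub.pem" "$user.csr"
    # 3. Issue against the principal and fetch the PEM by serial, as in the post.
    serial=$(ipa cert-request "$user.csr" --principal "$user" --profile-id IECUserRoles \
             | sed -n 's/^ *Serial number: *\([0-9][0-9]*\)$/\1/p')
    [ -n "$serial" ] || { echo "no serial number in ipa cert-request output" >&2; return 1; }
    ipa cert-show "$serial" --out "$user.pem" >/dev/null
    # 4. Certificate into the slot that holds the key, then confirm the binding.
    ykman piv import-certificate -m "$mgmt_key" -P "$pin" "$slot" "$user.pem"
    ipa user-show --all "$user" >"$user.record"
    card_cert_bound_to_user "$user.pem" "$user.record"
}

# Offline demonstration of the binding check on constructed data (no token, no server):
# a stand-in byte string plays the DER, wrapped as PEM on the card side and listed
# among the Certificate: values of a fake user-show dump on the server side.
demo_binding_check() {
    local dir b64 other
    dir=$(mktemp -d)
    b64=$(printf 'constructed stand-in for the DER bytes of a certificate' | base64 | tr -d '\n')
    other=$(printf 'a different certificate on the same user entry' | base64 | tr -d '\n')
    { printf -- '-----BEGIN CERTIFICATE-----\n'
      printf '%s\n' "$b64" | fold -w 64
      printf -- '-----END CERTIFICATE-----\n'; } >"$dir/card.pem"
    printf '  User login: dsirrine\n  Certificate: %s\n  Certificate: %s\n' "$other" "$b64" >"$dir/match.record"
    printf '  User login: dsirrine\n  Certificate: %s\n' "$other" >"$dir/other.record"
    card_cert_bound_to_user "$dir/card.pem" "$dir/match.record" || return 1
    if card_cert_bound_to_user "$dir/card.pem" "$dir/other.record"; then return 1; fi
    rm -rf "$dir"
}

# Real enrolment only on explicit request; otherwise just the offline demonstration.
if [ "${1:-}" = "enroll" ]; then
    enroll_piv_user "${2:?user}" "${3:?management key}" "${4:?pin}"
else
    demo_binding_check && echo "binding check demo: ok"
fi
```

Run it as ./piv-enrol.sh enroll dsirrine <management-key> <pin> against a real token; without arguments it only runs the offline demonstration of the binding check. The CN in the CSR is the user's login because ipa cert-request checks the subject against the principal, exactly as in the openssl flow above. The management key and PIN still travel on the ykman command line here; drop the -m and -P options if you would rather be prompted.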
A special shout out to Josh Bressers and Kurt Seifried at the Open Source Security Podcast. You're right, PKI is hard and key management is harder, but tools like the YubiKey and IPA are making it much simpler for regular users to be successful at it!
