Episode 2.0 — PIV is life!

David Sirrine
Sep 6, 2018 · 4 min read

With multi-factor authentication on the rise, I wanted to take some time to talk about an often forgotten way of providing a second factor, and that's with smart cards! Yubico has provided a relatively consumer-friendly way to do just this with the release of the YubiKey 4. It's not just for governments anymore. Couple it with open source technologies such as FreeIPA and you have a complete smart card login setup.

These steps are assuming that you have a FreeIPA server already set up with a CA.

On the FreeIPA server, we must first obtain a Kerberos ticket for a user with privileges to create users and user certificates.

[root@ipa ~]# kinit admin@EXAMPLE.LOCAL
Password for admin@EXAMPLE.LOCAL:

Let’s create a user!

[root@ipa ~]# ipa user-add --first=David --last=Sirrine --cn='David Sirrine' --homedir=/home/dsirrine --shell=/usr/bin/fish --password --sshpubkey='$SSHPUBKEY'

Note: This will prompt you for a password, so it never appears in plain text on the command line or in your bash history.

The output will look like the following:

User login [dsirrine]:
Password:
Enter Password again to verify:
----------------------
Added user "dsirrine"
----------------------
User login: dsirrine
First name: David
Last name: Sirrine
Full name: David Sirrine
Display name: David Sirrine
Initials: DS
Home directory: /home/dsirrine
GECOS: David Sirrine
Login shell: /usr/bin/fish
Principal name: dsirrine@EXAMPLE.LOCAL
Principal alias: dsirrine@EXAMPLE.LOCAL
User password expiration: 20180829155350Z
Email address: dsirrine@example.local
UID: 229800001
GID: 229800001
SSH public key: $SSHPUBKEY
SSH public key fingerprint: $SSHFINGERPRINT
Password: True
Member of groups: ipausers
Kerberos keys available: True

You can verify that the user was created with user-show, which prints output similar to the above.

[root@ipa ~]# ipa user-show dsirrine

Now let's get into the fun stuff! Let's create the user's certificate. This can be done in one of two ways.

IPA CLI Method

This method uses the IPA NSS database to generate the key and CSR for you. The options required are:
principal = The user principal (uid) for whom the certificate is being created.
csr-profile-id = The certificate request profile shipped with FreeIPA
database = The IPA NSS database

[root@ipa ~]# ipa cert-request --principal dsirrine --csr-profile-id userCert --database /etc/ipa/nssdb/

OpenSSL Method

Let’s create the CSR config that will be used to generate the CSR.

[root@ipa ~]# cat << EOF > certrequest.cfg
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = "dsirrine"
[ exts ]
subjectAltName=email:dsirrine@example.local
EOF

Let’s now create the private key.

[root@ipa ~]# openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
…………………………….+++
………………….+++
e is 65537 (0x010001)

Create CSR

[root@ipa ~]# openssl req -new -key key.pem -out certrequest.csr -config certrequest.cfg

Finally, we create the certificate! This is where having a tool like IPA comes in handy: it takes our normally error-prone manual steps and simplifies them.

[root@ipa ~]# ipa cert-request certrequest.csr \
--principal dsirrine \
--profile-id IECUserRoles

The expected output from the above is

Issuing CA: ipa
Certificate: $CERTBLOB
Subject: CN=dsirrine,O=EXAMPLE.LOCAL
Subject email address: dsirrine@example.local
Issuer: CN=Certificate Authority,O=EXAMPLE.LOCAL
Not Before: Wed Aug 29 17:41:39 2018 UTC
Not After: Sat Aug 29 17:41:39 2020 UTC
Serial number: 11
Serial number (hex): 0xB
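The OpenSSL path above has three steps (config, key, CSR) and nothing in between checks that the CSR really carries the CN and SAN e-mail that FreeIPA will map back to the user. The script below is an added example, not part of the original post: it wraps those steps in functions and adds a `check_csr` step that inspects the CSR before it is handed to `ipa cert-request`. It assumes a working `openssl`; the `ipa` command itself is not run, and the user name and e-mail are the constructed values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the OpenSSL CSR config,
# key and CSR as the post does, then verify the CSR before the CA signs it.
# Assumes `openssl` is installed; `ipa cert-request` is not called here.

# write_csr_config CONFIG_PATH UID EMAIL
# The CN and the SAN e-mail are what FreeIPA matches against the user entry,
# so they are taken from the user record rather than typed by hand.
write_csr_config() {
    cat > "$1" <<EOF
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = $2
[ exts ]
subjectAltName = email:$3
EOF
}

# make_key_and_csr CONFIG_PATH KEY_PATH CSR_PATH
# Same as the post: a 2048-bit RSA key (unencrypted, per encrypt_key = no)
# and a CSR generated from the config.
make_key_and_csr() {
    openssl genrsa -out "$2" 2048 2>/dev/null &&
    openssl req -new -key "$2" -out "$3" -config "$1"
}

# check_csr CSR_PATH UID EMAIL
# Returns 0 only if the CSR names the expected CN, carries the expected SAN
# e-mail, uses a 2048-bit key and has a valid self-signature. A typo in the
# config is caught here instead of after the certificate has been issued.
check_csr() {
    text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q "Subject:.*CN *= *$2\$" \
        || { echo "CN mismatch: expected $2"; return 1; }
    printf '%s\n' "$text" | grep -q "email:$3" \
        || { echo "SAN e-mail $3 missing"; return 1; }
    printf '%s\n' "$text" | grep -q "Public-Key: (2048 bit)" \
        || { echo "unexpected key size"; return 1; }
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }
    echo "CSR for $2 <$3> looks good"
}

# Demonstration with the constructed values from the post. The work directory
# is removed afterwards so the unencrypted key does not linger in /tmp.
workdir=$(mktemp -d)
write_csr_config "$workdir/certrequest.cfg" dsirrine dsirrine@example.local
make_key_and_csr "$workdir/certrequest.cfg" "$workdir/key.pem" "$workdir/certrequest.csr"
check_csr "$workdir/certrequest.csr" dsirrine dsirrine@example.local
rm -rf "$workdir"
```

In real use, keep `key.pem` where the private key is going to live and run `ipa cert-request certrequest.csr --principal dsirrine --profile-id IECUserRoles` only after `check_csr` passes.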

Now, to export the certificate and import it into the YubiKey. To do this we need the IPA CLI tools and the tools provided by Yubico to manage the PIV applet and reader, which are yubico-piv-tool and ykman.

[root@ipa ~]# ipa cert-show 11 --out ./dsirrine.pem
Issuing CA: ipa
Certificate: $CERTBLOB
Subject: CN=dsirrine,O=EXAMPLE.LOCAL
Subject email address: dsirrine@example.local
Issuer: CN=Certificate Authority,O=EXAMPLE.LOCAL
Not Before: Wed Aug 29 17:41:39 2018 UTC
Not After: Sat Aug 29 17:41:39 2020 UTC
Serial number: 11
Serial number (hex): 0xB
Revoked: False
Owner user: dsirrine

We're going to use slot 9a, as this is the PIV Authentication slot. We can confirm this by checking the yubico-piv-tool help:

-s, --slot=ENUM What key slot to operate on (possible
values="9a", "9c", "9d", "9e", "82",
"83", "84", "85", "86", "87", "88",
"89", "8a", "8b", "8c", "8d", "8e",
"8f", "90", "91", "92", "93", "94",
"95", "f9")
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82–95 is for Retired Key Management
f9 is for Attestation

To import the certificate we need the PIV management key (the "manager pin", passed to ykman with -m) and the applet PIN (passed with -P). The factory defaults are below; change both before putting the key into use.

manager pin: 010203040506070801020304050607080102030405060708
applet pin: 123456

We're going to use ykman to import the certificate:

ykman piv import-certificate -m 010203040506070801020304050607080102030405060708 -P 123456 9a ./dsirrine.pem

We can validate this by checking the PIV info using ykman:

[root@ws dsirrine]# ykman piv info
PIV version: 4.2.7
PIN tries remaining: 3
CHUID: No data available.
CCC: No data available.
Slot 9a:
Algorithm: RSA2048
Subject CN: dsirrine
Issuer CN: Certificate Authority
Fingerprint: $FINGERPRINT
Not before: 2018-08-29 17:41:39
Not after: 2020-08-29 17:41:39
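Reading the `ykman piv info` output by eye is fine for one key, but for a fleet you want the check scripted: does slot 9a hold a certificate for the right user, from your CA, that is valid today, and has nobody burned through PIN attempts? The function below is an added example and not part of the original post. It parses the output format shown above (the sample text is constructed from the post's values, with a placeholder fingerprint) and takes the date to check against as an argument, so it runs offline without a YubiKey. Note that `ykman piv info` only reports the certificate; the matching private key must also be in slot 9a for the card to authenticate, which this check cannot confirm.

```shell
#!/bin/sh
# Added example (not from the original post): validate `ykman piv info`
# output before trusting a provisioned YubiKey. The sample below is
# constructed from the values in the post; ykman itself is not run.
SAMPLE_PIV_INFO='PIV version: 4.2.7
PIN tries remaining: 3
CHUID: No data available.
CCC: No data available.
Slot 9a:
Algorithm: RSA2048
Subject CN: dsirrine
Issuer CN: Certificate Authority
Fingerprint: 0000000000000000000000000000000000000000
Not before: 2018-08-29 17:41:39
Not after: 2020-08-29 17:41:39'

# piv_slot_check INFO SLOT EXPECTED_CN EXPECTED_ISSUER_CN TODAY
# Prints each problem found and returns 1 if there is any; returns 0 when SLOT
# holds a certificate for EXPECTED_CN issued by EXPECTED_ISSUER_CN that is
# valid on TODAY (YYYY-MM-DD) and the PIN retry counter is not depleted.
# Dates are compared as strings, which is safe because ykman prints them
# zero-padded and year-first.
piv_slot_check() {
    printf '%s\n' "$1" | awk -v slot="$2" -v cn="$3" -v issuer="$4" -v today="$5" '
    { sub(/^[ \t]+/, "") }                       # newer ykman indents slot fields
    /^PIN tries remaining:/ { tries = $4 + 0; have_tries = 1 }
    /^Slot / { cur = $2; sub(/[^0-9a-f].*/, "", cur); if (cur == slot) found = 1 }
    cur == slot && /^Algorithm:/  { alg = $2 }
    cur == slot && /^Subject CN:/ { s = $0; sub(/^Subject CN: */, "", s); scn = s }
    cur == slot && /^Issuer CN:/  { s = $0; sub(/^Issuer CN: */, "", s); icn = s }
    cur == slot && /^Not before:/ { nb = substr($3, 1, 10) }
    cur == slot && /^Not after:/  { na = substr($3, 1, 10) }
    END {
        bad = 0
        if (!found) { print "slot " slot " has no certificate"; exit 1 }
        if (scn != cn)     { print "subject CN is \"" scn "\", expected \"" cn "\""; bad = 1 }
        if (icn != issuer) { print "issuer CN is \"" icn "\", expected \"" issuer "\""; bad = 1 }
        if (alg !~ /^(RSA2048|ECCP256|ECCP384)$/) { print "unexpected algorithm " alg; bad = 1 }
        if (today < nb) { print "certificate not yet valid (not before " nb ")"; bad = 1 }
        if (today > na) { print "certificate expired on " na; bad = 1 }
        if (have_tries && tries < 3) { print "only " tries " PIN tries remaining"; bad = 1 }
        exit bad
    }'
}

# Demonstration against the constructed sample with today's date. The sample
# certificate expired in 2020, so this reports the expiry.
piv_slot_check "$SAMPLE_PIV_INFO" 9a dsirrine "Certificate Authority" "$(date +%Y-%m-%d)" \
    || echo "slot 9a is not usable for dsirrine"
```

Against a real token, feed the live output in: `piv_slot_check "$(ykman piv info)" 9a dsirrine "Certificate Authority" "$(date +%Y-%m-%d)"`. The issuer CN check matters as much as the subject: a certificate from any other CA in slot 9a will not match the blob FreeIPA stored in the user record.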

Your YubiKey is now ready to use! To authenticate to a Linux system with this certificate, all you need to do is ensure that the host is a member of the IPA realm (joined through the ipa-client tooling) and that "Enable smart card support" is checked in authconfig. When you log in, you will be prompted for the applet PIN to unlock the card; the certificate on the card is matched against the certificate blob now stored in your user record, its validity is checked via CRL/OCSP, and you are logged in!

A special shout out to Josh Bressers and Kurt Seifried at the Open Source Security Podcast. You're right, PKI is hard and key management is harder, but tools like the YubiKey and IPA are making it much simpler for regular users to be successful at it!

Notes:
Yubikey PIV Introduction
PIV Standards
PKI in FreeIPA

The Open Files

Deep Dives on Awesome Tech, with lots of bad jokes.
