-1

How do I generate SSH keys inside my yubikey, on Ubuntu?

There seems to be nowhere to look for this info.

Guerlando OCs
  • See https://developers.yubico.com/SSH/ – mti2935 Apr 04 '22 at 01:04
  • @mti2935 this is for generating the keys on the computer and then sending them to the yubikey – Guerlando OCs Apr 04 '22 at 01:12
  • Can you generate keys *on the Yubikey* in any method? – schroeder Apr 04 '22 at 08:47
  • Further, what is the threat vector which precludes you from following the linked procedure? Generate it, send it to yubikey and then securely delete it. This would only be unacceptable if the resource generating the key is not completely in your control. – foreverska Apr 04 '22 at 18:35
  • @foreverska firmware malware could mess with the kernel's random number generator – Guerlando OCs Apr 05 '22 at 14:30
  • Boy, what an attack vector. The private key to an ed25519 key is any given random number. Rolling a 32-sided die gives you a nice 6 bits of information per roll, you need 256. I'd start rolling because I can't find a reference that it's possible to generate keys inside a yubikey. – foreverska Apr 05 '22 at 14:50
  • I'll ask again... "Can you generate keys on the Yubikey in any method?" You ask about doing it on Ubuntu, but does the OS matter? Does the device even have this functionality? I'm thinking that this isn't a security question but a product support question. This sounds like a "does this product have this function?" question. Have you asked Yubikey? – schroeder Apr 06 '22 at 12:31
  • @schroeder I used a yubikey, sent it my own private key, and used it for ssh, 2fa, etc. And the OS matters because usually you need some driver to interact with the yubikey and tell it to generate the key. I think this fits this forum because it's a question about usage of something basic in authentication and there's nothing on the web about it – Guerlando OCs Apr 06 '22 at 17:56
  • I'm afraid that I don't understand what you wrote, but it does not appear to answer my question. But "usage of something basic on authentication" is not what this is. You want to know how to get this device to do something specific. That's a product support question. – schroeder Apr 06 '22 at 18:55

1 Answer

2

I asked the question verbatim on reddit r/yubikey and got the following answer, along with another with some reference to gpg.

ssh-keygen -t ed25519-sk -O resident # resident means, that the key will be generated on the yubikey
It produces the following output:

user@pc:~$ ssh-keygen -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ed25519_sk
Your public key has been saved in /home/user/.ssh/id_ed25519_sk.pub
The key fingerprint is: SHA256:ztpJ8rTSlo07BQ0LyL6hI2X9/CE9fTdy0EQZhAnxc74 user@pc

https://www.reddit.com/r/yubikey/comments/tzfgas/generating_key_inside_yubikey/

foreverska
  • `Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):` wouldn't it generate in the local OS? – Guerlando OCs Apr 09 '22 at 02:44
  • If you have a reddit account, the person in that thread seems to be very knowledgeable. BUT, '-o resident' was explained as the option which forces the yubikey to generate the key on device. Instead of passing back the private key it seems to pass back a "handle" to the key on the device. Per this thread: https://www.reddit.com/r/sysadmin/comments/hzxdbf/what_does_sk_stand_for_in_ecdsask_and_ed25519sk/ – foreverska Apr 09 '22 at 03:05
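Why the `id_ed25519_sk` file that the answer's output mentions is not the private key, as an added example that is not part of the original thread or of OpenSSH: the script below assembles two constructed, unencrypted OpenSSH key files from dummy bytes (layout taken from OpenSSH's PROTOCOL.key and PROTOCOL.u2f, flag constants from sk-api.h), then parses them and reports what is actually on disk. A plain `ssh-ed25519` file carries the 64-byte private scalar; an `sk-ssh-ed25519@openssh.com` file carries only the public key, the application string, a flags byte (0x20 marks a resident credential) and an opaque key handle that is useless without the authenticator. The helper names, the dummy key bytes and the 64-byte handle length are my own assumptions for the example.

```python
"""Inspect an OpenSSH private key file: real private scalar, or FIDO key handle?
Added example, not code from the thread. Sample key files are CONSTRUCTED."""
import base64
import struct

# Flag bits as defined in OpenSSH sk-api.h
SK_USER_PRESENCE = 0x01
SK_USER_VERIFICATION = 0x04
SK_RESIDENT_KEY = 0x20

ARMOR_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
ARMOR_END = b"-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _s(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


class _Reader:
    """Sequential decoder for the SSH wire types used inside the key file."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos); self.pos += 4; return v
    def u8(self) -> int:
        v = self.buf[self.pos]; self.pos += 1; return v
    def string(self) -> bytes:
        n = self.u32(); v = self.buf[self.pos:self.pos + n]; self.pos += n; return v


def build_key_file(keytype: bytes, pub_fields: list, priv_fields: list,
                   comment: bytes = b"user@pc") -> bytes:
    """Assemble an unencrypted openssh-key-v1 file (layout per PROTOCOL.key)."""
    pub_blob = _s(keytype) + b"".join(pub_fields)
    checkint = struct.pack(">I", 0x12345678)          # dummy; real files use a random value
    priv = checkint * 2 + _s(keytype) + b"".join(priv_fields) + _s(comment)
    pad = 0
    while len(priv) % 8:                               # cipher "none": pad 1,2,3.. to 8 bytes
        pad += 1
        priv += bytes([pad])
    body = (MAGIC + _s(b"none") + _s(b"none") + _s(b"")
            + struct.pack(">I", 1) + _s(pub_blob) + _s(priv))
    b64 = base64.b64encode(body)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"\n".join([ARMOR_BEGIN, *lines, ARMOR_END]) + b"\n"


def inspect_key_file(text: bytes) -> dict:
    """Report what an unencrypted OpenSSH private key file really stores."""
    lines = text.strip().split(b"\n")
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an OpenSSH private key file")
    body = base64.b64decode(b"".join(lines[1:-1]))
    if not body.startswith(MAGIC):
        raise ValueError("bad magic")
    r = _Reader(body[len(MAGIC):])
    cipher, _kdf, _kdfopts = r.string(), r.string(), r.string()
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    r.string()                                         # public key blob; not needed here
    if cipher != b"none":
        raise ValueError("passphrase-protected file; decrypt it first")
    priv = _Reader(r.string())
    if priv.u32() != priv.u32():
        raise ValueError("checkint mismatch: corrupt file")
    keytype = priv.string().decode()
    info = {"type": keytype}
    if keytype == "ssh-ed25519":
        priv.string()                                  # 32-byte public key
        scalar = priv.string()                         # 64 bytes: seed || public key
        info.update(secret_on_disk=True, private_scalar_len=len(scalar))
    elif keytype == "sk-ssh-ed25519@openssh.com":      # layout per PROTOCOL.u2f
        priv.string()                                  # 32-byte public key
        application = priv.string()                    # usually b"ssh:"
        flags = priv.u8()
        handle = priv.string()                         # opaque blob from the authenticator
        priv.string()                                  # reserved, currently empty
        info.update(secret_on_disk=False, application=application.decode(),
                    resident=bool(flags & SK_RESIDENT_KEY),
                    user_presence=bool(flags & SK_USER_PRESENCE),
                    user_verification=bool(flags & SK_USER_VERIFICATION),
                    key_handle_len=len(handle))
    else:
        raise ValueError(f"key type {keytype} not handled in this example")
    info["comment"] = priv.string().decode()
    return info


def inspect_key_path(path: str) -> dict:
    """Convenience wrapper for a real file such as ~/.ssh/id_ed25519_sk."""
    with open(path, "rb") as f:
        return inspect_key_file(f.read())


# CONSTRUCTED sample material: recognisable byte patterns, not real keys.
DUMMY_PK = bytes(range(32))
DUMMY_SEED = bytes(range(32, 64))
DUMMY_HANDLE = b"\xaa" * 64      # assumed length; real handles vary by authenticator

PLAIN_ED25519 = build_key_file(
    b"ssh-ed25519", [_s(DUMMY_PK)], [_s(DUMMY_PK), _s(DUMMY_SEED + DUMMY_PK)])
RESIDENT_SK = build_key_file(
    b"sk-ssh-ed25519@openssh.com", [_s(DUMMY_PK), _s(b"ssh:")],
    [_s(DUMMY_PK), _s(b"ssh:"), bytes([SK_USER_PRESENCE | SK_RESIDENT_KEY]),
     _s(DUMMY_HANDLE), _s(b"")])

if __name__ == "__main__":
    for name, blob in (("id_ed25519", PLAIN_ED25519), ("id_ed25519_sk", RESIDENT_SK)):
        print(name, inspect_key_file(blob))
```

Point `inspect_key_path` at your own `~/.ssh/id_ed25519_sk` to confirm the same thing on real output from the command in the answer; if you gave the key a passphrase the file is encrypted and the parser stops at the cipher check rather than guessing, since the unencrypted layout above only applies after decryption.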