
[DNR] add yubikey smartcard modules#33

Draft
py4chen wants to merge 3 commits intotheparanoids:mainfrom
py4chen:tmp/yubikey

Conversation


@py4chen py4chen commented Dec 29, 2022

This PR adds authentication and CSR modules for YubiKey-based certificate generation.

{
    "keyid_version": 1,
    "sshca_failure_dir": "/dev/shm/sshcafailures/",
    "sshca_failure_timeout": 3600,
    "sshca_failure_retry": 5,
    "handlers":
    {
        "smartcard":
        {
            "authn": [
                {
                    "module": "f9_verify",
                    "f9_certs_dir": "/opt/sshca/RA/f9_certs/"
                },
                {
                    "module": "slot_attest",
                    "slot": "9a",
                    "piv_root_ca": "/opt/sshca/RA/piv_root_ca.pem",
                    "u2f_root_ca": "/opt/sshca/RA/u2f_root_ca.pem",
                },
                {
                    "module": "slot_attest",
                    "slot": "9e",
                    "piv_root_ca": "/opt/sshca/RA/piv_root_ca.pem",
                    "u2f_root_ca": "/opt/sshca/RA/u2f_root_ca.pem",
                },
                {
                    "module": "slot_serial",
                    "slot": "9e",
                    "yubikey_mappings": "/opt/sshca/RA/yubikey_mappings",
                },
            ],
            "csr":  [
                {
                    "module": "smartcard_hardkey",
                    "_comment": "touchSSH",
                    "is_firefighter": false,
                    "touch_policy": 3,
                    "principals": "<logname>,<logname>:touch",
                    "slot": "9e",
                    "cert_validity_sec": 86400
                }
            ],
            "key_identifiers": {
                "default": "ssh-user-key-secondary",
                "rsa": "ssh-user-key",
                "ecdsa": "ssh-user-key-secondary"
            }
        }
    },
    "signer":
    {
        "crypki_port": 4443,
        "crypki_endpoints":
        [
            "crypki.tp2.prod.sshca.ouryahoo.com",
            "crypki1.tp2.prod.sshca.ouryahoo.com",
            "crypki2.tp2.prod.sshca.ouryahoo.com",
            "crypki3.tp2.prod.sshca.ouryahoo.com"
        ],
        "ysshura_user": "ysshura",
        "tls_client_key_file": "/opt/sshca/RA/tls_client.key",
        "tls_client_cert_file": "/opt/sshca/RA/tls_client.crt",
        "tls_ca_cert_files":
        [
            "/opt/sshca/RA/tls_ca.pem"
        ],
        "retries": 3
    }
}

--

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.
