Pinned Loading

1. Setting up yubikey/solo2 for piv, fi... Setting up yubikey/solo2 for piv, fido, and gpg on FreeBSD (Firefox, Chromium, PAM, SSH, and GnuPG)

   1

   # Overview

   2

   How to configure FreeBSD and applicable applications to work with Yubikey for authentication.  This serves as my work-in-progress documentation of the configuration knobs needed to make this work properly.  

   3

   - [x] FreeBSD ssh with piv smartcard slot on Yubikey (pkcs11 via `libykcs11.so`)

   4

   - [X] FreeBSD ssh with fido support on Yubikey

   5

   - [x] FreeBSD Firefox/Chromium with fido + webauthn support on Yubikey

2. Setting up Yubikey/Solokey(v2)/Windo... Setting up Yubikey/Solokey(v2)/Windows Hello for OpenSSH via PIV or FIDO authentication on Windows

   1

   # Overview

   2

   This guide covers using both **PIV** smartcard and **FIDO2** features of your Yubikey, SoloKey(v2), and Windows Hello for SSH authentication in a secure and portable manner.  FIDO2 support works with YubiKey, SoloKey(v2), and Windows Hello(biometric:face, biometric:fingerprint, secure-element/pin) with OpenSSH as a relatively new feature which requires updated client and server versions.  PIV support has been around with PKCS#11 for many years in the OpenSSH codebase, and is considered a more stable and ubiquitous solution when an applicable PKCS#11 library is available for your platform.

   3

   4

   ## Windows Yubikey for ssh via PIV

   5

   Example below assumes that you have a piv key already generated in a yubikey slot the way you want. If you need to generate a new one, read the excellent documentation here:  https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client

3. PivKey_Taglio_Self-Signed_PIV_Setup PivKey_Taglio_Self-Signed_PIV_Setup

   1

   # Use a Taglio PivKey smartcard with a self-signed certificate

   2

   The default instructions on the PivKey documentation site:  https://pivkey.zendesk.com/hc/en-us do not provide any examples for configuring a self-signed certificate in any of the 25 slots. These instructions were tested with the `PivKey C910` version, but likely most Taglio variants will work the same way.

   3

   4

   ### Powershell `New-SelfSignedCertificate`

   5

   There is support in powershell 5.1+ on currently supported Windows OS (Server 2012+/Windows 10+) configurations for generating self-signed certificates with a wide variety of configuration parameters, including support for the `Microsoft Smart Card Key Storage Provider` to generate keys on a smartcard.

4. start-qemu-freebsd start-qemu-freebsd Public

   Example script to make it easy to spin up an alternate architecture qemu VM (FreeBSD host + FreeBSD guest) for testing.

   Shell

5. Powershell $profile helper examples Powershell $profile helper examples

   1

   # Place this file in our $profile location and restart powershell.

   2

   #  e.g.:   copy Downloads\example.ps1 $profile

   3

   #     $profile defaults to $HOME\Documents\PowerShell\Microsoft.PowerShell_profile.ps1

   4

   #     aka: c:\Users\username\Documents\PowerShell\Microsoft.PowerShell_profile.ps1

   5

   # If you want to sign it see function `user-sign-psscript` below for signing