Configuring PSMP to work with PKI auth via Yubikey on Mac OSX

Modified on Sun, 9 Aug, 2020 at 10:12 AM

Problem:


There is a requirement to use a YubiKey as the key and certificate store for PKI (public key) authentication through PSMP to remote targets, so that the SSH private key never leaves the hardware token.


Please note: this requires a PKCS#11 module that can read the PIV applet on the YubiKey. The steps below use ykcs11 (libykcs11.dylib), which is shipped with yubico-piv-tool rather than with macOS itself. On older OS X releases where a current yubico-piv-tool cannot be installed, OpenSC's PKCS#11 module (opensc-pkcs11) can be used instead to read the key from the YubiKey; the library path passed to ssh and ssh-keygen below then points at that module.

More info can be found here: https://github.com/OpenSC/OpenSC


This also assumes that PKI authentication is already enabled in the environment as per CyberArk's documentation:



Solution:


(Steps taken from https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html)

Download and install yubico-piv-tool (which provides the libykcs11 PKCS#11 module used below) from here:

And follow the steps below:

  1. Generate the key pair in PIV slot 9a (the PIV Authentication slot). The private key is created on the YubiKey and never leaves it; only the public key is written out to public.pem:
    yubico-piv-tool -s 9a -a generate -o public.pem

    If an existing private key must be used instead, import it with "yubico-piv-tool -s 9a -a import-key -i key.pem" and export its public key into public.pem separately, because step 2 needs that file either way.
  2. Create a self-signed certificate for that key. The X.509 certificate has no purpose other than satisfying the PIV/PKCS#11 library: it can only obtain the public key from the smartcard through a certificate stored in the slot, so without one the key is invisible to ssh.
    yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=My Name/O=SSH/" -i public.pem -o cert.pem


  3. Load the certificate into the same slot
    yubico-piv-tool -a import-certificate -s 9a -i cert.pem
  4. Find out where ykcs11 has been installed. With a Homebrew install on an Intel Mac it is /usr/local/lib/libykcs11.dylib; Homebrew on Apple Silicon installs under /opt/homebrew/lib instead, so adjust the path in the commands below accordingly.
  5. Export the public key in OpenSSH (authorized_keys) format. This is the key material that will be added to authorized_keys on the target system for the user (via the Vault, see step 6):
    ssh-keygen -D /usr/local/lib/libykcs11.dylib -e

    Note: this command exports every key stored on the YubiKey, one line per populated slot, in slot order, so the key from slot 9a is not necessarily the only line. Before loading a line into the Vault, confirm it matches the public key written to public.pem in step 1; loading a key from another slot is an easy way to end up with a connection that is refused at the target.

  6. Use one of the documented methods to configure the SSH key for the user:
    https://bulwarx.freshdesk.com/support/solutions/articles/17000107435-how-to-manage-ssh-keys-for-cyberark-vault-users
  7. Connect via PSMP with the YubiKey to the target system. USERNAME is the Vault user, TARGET_USER the account on the target:
    ssh -v -I /usr/local/lib/libykcs11.dylib USERNAME@TARGET_USER@TARGET_ADDRESS@PSMP_ADDRESS

    -v enables verbose logging, which shows the keys offered and the result of each authentication attempt.
    -I (capital i) loads the PKCS#11 provider, here libykcs11, so ssh signs the authentication challenge with the private key on the YubiKey; ssh prompts for the PIV PIN when it opens the token. Do not confuse it with lower-case -i, which points ssh at a private key file on disk.
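The steps above, combined into one POSIX shell script, as an added example that is not part of the original article or of Yubico's or CyberArk's own tooling. It generates the key in slot 9a, converts public.pem to OpenSSH format with ssh-keygen's PKCS8 import so the line exported through ykcs11 can be matched exactly rather than by eye, and then builds the PSMP address. The library path (overridable with YKCS11), the file name slot9a_authorized_key.txt and the user and host names in the usage line are assumptions; the enrolment function needs a real YubiKey and prompts for the PIV PIN, while the two matching helpers are pure text processing.

```shell
#!/bin/sh
# Added example: enrol a YubiKey PIV slot 9a key for PSMP and find its
# authorized_keys line. Not from the original article.
set -eu

# Assumed Homebrew path on an Intel Mac; Apple Silicon uses /opt/homebrew/lib.
YKCS11="${YKCS11:-/usr/local/lib/libykcs11.dylib}"

# Convert the PEM public key written by "yubico-piv-tool -a generate" into
# OpenSSH format and keep only "<type> <base64-blob>" (no comment).
openssh_pubkey_from_pem() {
    ssh-keygen -i -m PKCS8 -f "$1" | cut -d' ' -f1,2
}

# Read "ssh-keygen -D <lib>" output on stdin (one line per populated slot)
# and print only the line whose type and blob equal the expected key ($1).
# Exits non-zero when nothing matches, so a key from another slot is never
# loaded into the Vault by mistake.
find_exported_key() {
    awk -v want="$1" '
        { key = $1 " " $2 }
        key == want { print; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Build the PSMP address vaultuser@targetuser@target@psmp and refuse empty
# components, which would otherwise silently produce a wrong target string.
psmp_target() {
    for part in "$1" "$2" "$3" "$4"; do
        if [ -z "$part" ]; then
            echo "psmp_target: empty component" >&2
            return 1
        fi
    done
    printf '%s@%s@%s@%s\n' "$1" "$2" "$3" "$4"
}

# Steps 1 to 5 of the article against a real YubiKey. The private key is
# generated on the token; the self-signed certificate only exists so that
# ykcs11 can expose the public key. Prints the matching authorized_keys line.
enrol_slot_9a() {
    subject="$1"
    yubico-piv-tool -s 9a -a generate -o public.pem
    yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a \
        -S "/CN=$subject/O=SSH/" -i public.pem -o cert.pem
    yubico-piv-tool -a import-certificate -s 9a -i cert.pem
    expected=$(openssh_pubkey_from_pem public.pem)
    ssh-keygen -D "$YKCS11" | find_exported_key "$expected"
}

# Usage (hypothetical names):
#   sh enrol.sh "My Name" vaultadmin root 10.0.0.5 psmp.example.com
if [ "$#" -eq 5 ]; then
    enrol_slot_9a "$1" > slot9a_authorized_key.txt
    echo "Load slot9a_authorized_key.txt as the Vault user's SSH key, then run:"
    echo "ssh -v -I $YKCS11 $(psmp_target "$2" "$3" "$4" "$5")"
fi
```

The exact-match step is the part worth keeping even when the rest is done by hand: ykcs11 lists every populated slot, and comparing the type and blob against the converted public.pem removes the guesswork about which line belongs to slot 9a.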
