Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Configuring PSMP to work with PKI auth via Yubikey on Mac OSX

            Modified on Sun, 09 Aug 2020 at 10:12 AM

            Problem:


            There is a requirement to use Yubikey as the certificate store for the PKI authentication via PSMP to remote targets.


            Please note: that this will only work on newer versions of of OSX that have an implementation of ykcs11. For older versions this will require an implementation of OpenSC to actually read the info from the yubikey.

            More info can be found here: https://github.com/OpenSC/OpenSC


            This is also takes into account that PKI authentication is already enabled in the environment as per CyberArk's documentation:



            Solution:


            (Steps taken from https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html)

            Download and install the yubico-piv-tool from here:

            And follow the steps below:

            1. Generate the key
              yubico-piv-tool -s 9a -a import-key -i key.pem
            2. Create a self-signed certificate for that key. The only use for the X.509 certificate is to satisfy PIV/PKCS #11 lib. It needs to be able to extract the public-key from the smartcard, and to do that through the X.509 certificate.
              yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=My Name/O=SSH/" -i public.pem -o cert.pem


            3. Load the certificate
              yubico-piv-tool -a import-certificate -s 9a -i cert.pem
            4. Find out where ykcs11 has been installed. On MacOS, it is in /usr/local/lib/libykcs11.dylib.
            5. Export the public key in correct format for SSH and then add it to authorized_keys on the target system
              ssh-keygen -D /usr/local/lib/libykcs11.dylib -e

              Note: This command will export all keys stored on the YubiKey. The slot order should remain the same, thereby facilitating identification of the public key associated with your targeted private key.

            6. Use one of the documented methods to configure the SSH key for the user:
              https://bulwarx.freshdesk.com/support/solutions/articles/17000107435-how-to-manage-ssh-keys-for-cyberark-vault-users
            7. Connect via PSMP and Yubikey to the target system
              ssh -v -I /usr/local/lib/libykcs11.dylib USERNAME@TARGET_USER@TARGET_ADDRESS@PSMP_ADDRESS

              -v Means verbose logging to display extra info.
              -i will use the card reader driver (Yubikey) to find keys

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select atleast one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0