Configuring PSMP to work with PKI auth via Yubikey on Windows

Modified on Sun, 09 Aug 2020 at 10:28 AM

Problem:


There is a requirement to use Yubikey as the certificate store for the PKI authentication via PSMP to remote targets.


This also takes into account that PKI authentication is already enabled in the environment, as per CyberArk's documentation.



Solution:


(Steps taken from https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html)

Download and install the yubico-piv-tool, then follow the steps below:

  1. Generate the key and import it into slot 9a
    yubico-piv-tool -s 9a -a import-key -i key.pem
  2. Create a self-signed certificate for that key. The only use of the X.509 certificate is to satisfy the PIV/PKCS #11 library, which needs to extract the public key from the smartcard and does so through the X.509 certificate.
    yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=My Name/O=SSH/" -i public.pem -o cert.pem


  3. Load the certificate
    yubico-piv-tool -a import-certificate -s 9a -i cert.pem
  4. Use one of the documented methods to configure the SSH key for the user:
    https://bulwarx.freshdesk.com/support/solutions/articles/17000107435-how-to-manage-ssh-keys-for-cyberark-vault-users
  5. Run Putty-CAC, go to Connection > SSH > Certificate and press the Set CAPI Cert button. In the pop-up window, select the certificate that is stored on the smart card and press OK.
  6. Use the regular PSMP command to connect to the target system, but this time note that you are prompted for the Yubikey PIN instead of a username or password.
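
Step 2 says the certificate exists only so the public key can be read back, and step 4 needs that key in OpenSSH form. The following is an added example (not from the original article, Yubico or CyberArk) that reads the RSA public key out of cert.pem with the Python standard library and prints the authorized_keys line. It assumes the key in slot 9a is RSA; the function names, the `yubikey-9a` comment and the embedded sample certificate are constructed for illustration.

```python
import base64, struct, sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
# Constructed sample: skeletal DER certificate with a toy 16-bit modulus (not a real key).
SAMPLE_DER = bytes.fromhex(
    "3037" "3030" "a003020102" "020101" "3000300030003000"  # tbs: version, serial, 4 empty fields
    "301e" "300d06092a864886f70d0101010500"                  # subjectPublicKeyInfo, algorithm
    "030d00" "300a" "020300c53b" "0203010001"                # BIT STRING { n, e }
    "3000" "030100")                                         # signatureAlgorithm, signature
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_to_ssh_rsa(pem_text, comment="yubikey-9a"):
    """Return the authorized_keys line for the RSA key in a PEM certificate."""
    b64 = "".join(ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(b64), 0)
    tbs = children(children(cert)[0][1])
    # The [0] version field is optional; subjectPublicKeyInfo follows subject.
    spki = tbs[6 if tbs[0][0] == 0xA0 else 5][1]
    (_, alg), (_, bits) = children(spki)[:2]
    if children(alg)[0] != (0x06, RSA_OID):
        raise ValueError("not an RSA key; this example handles RSA only")
    # BIT STRING content: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }
    _, rsa_key, _ = read_tlv(bits[1:], 0)
    (_, n), (_, e) = children(rsa_key)
    # DER INTEGER and SSH mpint bodies share one encoding; wire order is e, then n.
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-rsa", e, n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(cert_to_ssh_rsa(pem))
```

Run it with the path to cert.pem as the only argument; without an argument it prints the line for the constructed sample.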
