This page describes how to use a Yubikey 4 or Yubikey Nano on EL7.3 (or later) for CVMFS whitelist signing. The Yubikeys have a PIV applet installed by default that can be used to store secrets in a secure manner.

The purpose of using a device like this is that even if someone breaks into the server doing the signing, they will not be able to read the masterkey from the device. When the break-in is discovered, the server can be wiped and reinstalled, but a new public key for the CVMFS domain will not need to be distributed everywhere; the existing key can safely be reused because it cannot have been compromised without physical access to the device. For emergency backup purposes (in case of device failure or destruction) it is good to also store the masterkey on a flash drive or two, kept physically secure and never plugged into a computer except to program a Yubikey.

Prerequisites

Make sure the Yubikey is recognized

Use lsusb to make sure the Yubikey is a recognized USB device. If the command is not available, run yum install usbutils

Enable epel

Some of the software needed is in the epel repository. You can add it with this command:

# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Configure the key itself

We have to first make sure that the Yubikey has the CCID capability enabled. Here's the list of supported modes:

  • 0: HID device only
  • 1: CCID device only
  • 81: CCID device with touch eject
  • 2: HID/CCID composite device
  • 3: U2F device only
  • 4: OTP/U2F composite device
  • 5: U2F/CCID composite device
  • 6: OTP/U2F/CCID composite device

Install the software to change the mode with yum install ykpers

  • If you want to be able to use the key for U2F or OTP, you want to set the mode to OTP+U2F+CCID: run ykpersonalize -m 6
  • For only U2F+CCID, run ykpersonalize -m 5
  • If you don't care about other features of the key, set the mode to CCID only with ykpersonalize -m 1, but be aware that once you do that, at least on a Yubikey 4 the ykpersonalize command will no longer recognize the device to change the mode later. (On the plus side, when running on a VM on a Mac, disabling U2F mode will make the Mac less likely to grab the device, which would make it unavailable to hypervisor software like VirtualBox.)
  • Remove and re-insert the key for proper detection, and make sure that lsusb shows it with the selected mode.

Accessing with SmartCard software

Now that the key has been reinserted, we want to check that the OpenSC toolbox can see the emulated SmartCard reader from the Yubikey. Do the following to install and enable the software:

# yum install opensc
# systemctl enable pcscd.socket
# systemctl start pcscd.socket

Next check that the Yubikey SmartCard reader emulation is properly detected by the system:

$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey 4 CCID 00 00

If that does not work, make sure you have pcsc-lite-ccid rpm version >= 1.4.10-12.el7, because older versions (seen on a CernVM 4 pre-release) don't recognize a Yubikey 4 in CCID-only mode. The source rpm available from Red Hat, however, is new enough and does recognize it. To rebuild it, do

# yum install yum-utils rpm-build gcc pcsc-lite-devel libusbx-devel
# yumdownloader --source pcsc-lite-ccid
# rpmbuild --rebuild pcsc-lite-ccid-*.src.rpm
# rpm -Uv ~/rpmbuild/RPMS/x86_64/pcsc-lite-ccid-*.el7.x86_64.rpm

Storing a CVMFS masterkey for digital signature

For the examples we will assume a repository test.cern.ch. Instructions to install CVMFS repository publishing software can be found elsewhere.

Install the tool that will be used for uploading the masterkey with yum install yubico-piv-tool

The cvmfs masterkey is not in the X.509 certificate format expected by the yubikey, so generate a dummy self-signed certificate (openssl req -x509) from the key and send that to slot 9c of the yubikey (which is reserved for digital signature):

# openssl req -new -subj '/O=o/CN=cn' -x509 -days 36500 -key /etc/cvmfs/keys/test.cern.ch.masterkey | \
  yubico-piv-tool -s 9c -a import-cert

Then also import the key itself into the device:

# yubico-piv-tool -s 9c -i /etc/cvmfs/keys/test.cern.ch.masterkey -a import-key

You can read back the certificate (but not the key) with the following command and extract the public key:

# yubico-piv-tool -a read-certificate -s 9c | openssl x509 -pubkey -noout >/tmp/test.cern.ch.pub
# cmp /etc/cvmfs/keys/test.cern.ch.pub /tmp/test.cern.ch.pub

PIN/PUK/Management codes

There are 3 default security codes in the Yubikey 4 and Yubikey Nano. The PIN is required for some commands. The PUK is used to reset the PIN if the PIN is forgotten. The management (MGM) key is used for importing or generating security keys. There's a table of which code is needed for which command in the access control matrix on page 10 of the yubico-piv-tool guide. They're all really designed for a Yubikey that is carried around from place to place, to prevent the security information inside it from being used for anything if the device is stolen. In this application of running CVMFS key signing unattended, with the Yubikey kept in place in a secure server room, there is no reason to change the defaults. The PIN will have to be encoded in a script, so it doesn't matter what the value is if someone has broken in. It does an attacker no good to upload a new masterkey or wipe the device; the former they can do with the MGM key, and the latter doesn't require any codes. yubico-piv-tool uses the default MGM key when one is required, unless overridden with the --key option.

Default values are:

  • PIN: 123456
  • PUK: 12345678
  • MGM key: 010203040506070801020304050607080102030405060708

Signing a CVMFS whitelist

Install p11tool with the command yum install gnutls-utils and verify that it can locate a piv_II token with this command:

# p11tool --provider /lib64/opensc-pkcs11.so --list-tokens

The URL that p11tool prints can be passed as the -inkey argument to openssl rsautl, but if there is only one token the command will find it with just "-inkey pkcs11:".

Remove the signature from a .cvmfswhitelist:

# cat -v /srv/cvmfs/test.cern.ch/.cvmfswhitelist | awk '/^--/{exit} {print}' > .cvmfswhitelist.unsigned

Calculate the hash for signing (it is also in the original .cvmfswhitelist, but this shows how to recompute it in case you change the dates in the first two lines):

# alg="`tail -1 .cvmfswhitelist.unsigned|sed -n 's/.*-//p'|tr '[A-Z]' '[a-z]'`"; \
  echo -n `cvmfs_swissknife hash -a ${alg:-sha1} <.cvmfswhitelist.unsigned ` >.cvmfswhitelist.hash

Next, create the signature:

# pkcs11-tool -p 123456 -s -m RSA-PKCS -i .cvmfswhitelist.hash -o .cvmfswhitelist.signature

Verify that you have recreated the .cvmfswhitelist:

# (cat .cvmfswhitelist.unsigned;echo --;echo `cat .cvmfswhitelist.hash`;cat .cvmfswhitelist.signature) >.cvmfswhitelist.new
# cmp .cvmfswhitelist.new /srv/cvmfs/test.cern.ch/.cvmfswhitelist
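As an added example (not part of the original page), here is a pure-Python checker for a .cvmfswhitelist assembled the way the steps above do it: unsigned text, a "--" line, the hex hash of the unsigned text, then the raw signature. It assumes, as pkcs11-tool -m RSA-PKCS implies, that the signature is PKCS#1 v1.5 type-1 padding over the ASCII hex hash string with no DigestInfo, and it uses a constructed toy RSA key (Mersenne primes) in place of the Yubikey; the sample whitelist body is also constructed.

```python
"""Added example (not from the page): check a .cvmfswhitelist assembled as above.
Signature = PKCS#1 v1.5 type-1 padding over the ASCII hex hash (RSA-PKCS), no DigestInfo."""
import hashlib, hmac
# Constructed toy RSA key (Mersenne primes M521, M607) standing in for the Yubikey.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def whitelist_hash(unsigned: bytes) -> bytes:
    """Like the page's shell: alg = text after the last '-' on the last line, default sha1."""
    last = unsigned.rstrip(b"\n").rsplit(b"\n", 1)[-1]
    alg = last.rsplit(b"-", 1)[1].decode().lower() if b"-" in last else "sha1"
    return hashlib.new(alg, unsigned).hexdigest().encode()

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block type 1: 00 01 FF..FF 00 || msg."""
    if len(msg) > k - 11: raise ValueError("message too long for modulus")
    return b"\x00\x01" + b"\xff" * (k - len(msg) - 3) + b"\x00" + msg

def rsa_sign_raw(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8  # what the token does for 'pkcs11-tool -s -m RSA-PKCS'
    return pow(int.from_bytes(pkcs1_v15_pad(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify_raw(sig: bytes, msg: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_v15_pad(msg, k))

def build_signed(unsigned: bytes, n: int, d: int) -> bytes:
    """Same layout as '(cat unsigned; echo --; echo hash; cat signature)'."""
    h = whitelist_hash(unsigned)
    return unsigned + b"--\n" + h + b"\n" + rsa_sign_raw(h, n, d)

def split_whitelist(blob: bytes):
    """Return (unsigned_text, hash_line, signature_bytes); raises if no '--' line."""
    idx = blob.find(b"\n--\n")
    if idx < 0: raise ValueError("no '--' separator line")
    rest = blob[idx + 4:]
    nl = rest.index(b"\n")
    return blob[:idx + 1], rest[:nl], rest[nl + 1:]

def verify_whitelist(blob: bytes, n: int, e: int) -> bool:
    """Hash line must match the body, and the signature must match the hash line."""
    unsigned, hash_line, sig = split_whitelist(blob)
    if not hmac.compare_digest(whitelist_hash(unsigned), hash_line): return False
    return rsa_verify_raw(sig, hash_line, n, e)

# Constructed sample body (field layout illustrative only) and its signed form.
UNSIGNED = b"20190726000000\nE20190825000000\nNtest.cern.ch\n00:11:22:33:44-sha1\n"
SIGNED = build_signed(UNSIGNED, N, D)
```

Swapping in the real modulus and exponent from the public key read back from slot 9c turns this into a check that the signature produced by pkcs11-tool is over exactly the hash string you wrote to .cvmfswhitelist.hash.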
Topic revision: r12 - 2019-07-26 - DaveDykstra