SSH with Yubikey NEO · Ryan A. Chapman

YubiKey NEO, openssh 6.9, Mac OS X 10.11.5

Using a YubiKey NEO to store your ssh private key

Install opensc using brew or downloading a .dmg file from GitHub at https://github.com/OpenSC/OpenSC/releases Find where the opensc-pkcs11 library is located. Linux tends to name the file opensc-pkcs11.so. Mac installs using brew also name the library file opensc-pkcs11.so. Another possibility on Mac is opensc-pkcs11.dylib.

$ find /Library /usr/local/Cellar /lib /lib64 /usr/lib /usr/lib64 -name opensc-pkcs11.dylib -o -name opensc-pkcs11.so 2>/dev/null

So that ssh knows to use the YubiKey NEO for authentication, add the following to the top of your ~/.ssh/config file:

PKCS11Provider /usr/local/Cellar/opensc/0.15.0/lib/opensc-pkcs11.so

If you generated the keypair on card rather than importing it, you'll need to get the public key off the YubiKey NEO so that you can copy it to remote ssh servers in your ~/.ssh/authorized_keys file:

$ printf "$(ssh-keygen -D /usr/local/Cellar/opensc/0.15.0/lib/opensc-pkcs11.so 2>/dev/null) $USER-yubikey-1\n"

When attempting to ssh to a machine with your YubiKey public key in the authorized_keys file, you should be prompted to enter your YubiKey PIN, which will cause the YubiKey to sign the nonce (request) and send it back to the ssh server for login:

$ ssh [email protected]
Enter PIN for 'PIV_II (PIV Card Holder pin)':
[email protected]:~$

The order that ssh looks for keys to use when logging into remote servers is:
1. public key authentication: PKCS11Providers (for example, YubiKey NEO)
2. public key authentication: ~/.ssh/id_dsa
3. public key authentication: ~/.ssh/id_ecdsa
4. public key authentication: ~/.ssh/id_rsa
5. password authentication

Making Multiple SSH Connections Without Having to Retype PIN Each Time

Under normal circumstances, when you log into a remote server, the ssh daemon on the server generates a random nonce and sends that to the ssh client to be signed with the private key and the result transmitted back. The ssh daemon then checks each public key in ~/.ssh/authorized_keys to see if any match. If they do, you are allowed to log in. If your private key is stored on disk (in ~/.ssh), then you never realize that a nonce is being signed and sent back to the ssh daemon. By design, the YubiKey will require you to enter your PIN each time it signs a nonce. This can become a nuisance when you need to log into the same server many many times (for example when using an automated script). ssh has a feature called multiplexing which comes in handy when using a YubiKey for ssh authentication. Once you have signed into a server via ssh, multiplexing will let your subsequent logins to the same machine succeed without having to re-enter the PIN.

To enable multiplexing, add this to your ~/.ssh/config file:

Host *
  ControlPath ~/.ssh/conns/%r@%h:%p
  ControlMaster auto
  ControlPersist 1

You'll need to create the directory multiplexing will use:

$ mkdir -p ~/.ssh/conns/