baughj · March 16, 2021 17:41
diff --git a/provision-yubikey.sh b/provision-yubikey.sh
 #!/bin/bash

 set -e

 if [ $# -ne 3 ]
 then
    echo "Usage:   $0 <OSX username> <ssh principals> <expiration>"
    echo "Example: $0 baughj justin.baugh,baughj 1825"
    echo ""
    echo "Warning: It's a good idea to have at least two yubikeys for token auth,"
    echo "         and they should NOT have the same cert expiration dates."
    exit
 fi

 if [ -z $(which ykman) ]; then
    echo "You need to install ykman. On OSX: brew install ykman"
    exit
 fi

 CERT_SUBJECT="C=US,O=ERISCO\, LLC,OU=PIV Certificates"

 read -p "Connect USB Armory, and when double blinking, hit enter to continue"

 YUBISERIAL=$(ykman info | grep Serial | awk '{ print $3 }')

 if [ -z ${YUBISERIAL} ]; then
    echo "Is yubikey connected? Couldn't get its serial number"
 fi

 # Get our USB armory functions
 source ~/.includes/citadel.bash

 citadel_unlock

 # Make filenames easier

 NINEA="${1}-${YUBISERIAL}-9A"
 NINEC="${1}-${YUBISERIAL}-9C"
 NINED="${1}-${YUBISERIAL}-9D"
 SSH_CERT_SERIAL="$(date +%Y%m%d)${YUBISERIAL}"

 # Generate two RSA certificates in 9a/9d for standard auth
 echo "Generating 9a (authentication) key. You'll be prompted for PIN."
 ykman piv keys generate --pin-policy default --touch-policy default 9a - > ${NINEA}Pubkey.pem

 echo "Generating 9d (key management) key. You'll be prompted for PIN."
 ykman piv keys generate --pin-policy default --touch-policy default 9d - > ${NINED}Pubkey.pem

 # Generate ECDSA key in slot 9c which will be used for ssh
 echo "Generating 9c (digital signature / ssh) key. You'll be prompted for PIN."
 ykman piv keys generate -a eccp384 --pin-policy once --touch-policy cached 9c - >${NINEC}Pubkey.pem

 # Generate CSRs for 9a/9d (we don't need X509 for ssh or for use with yubikey-agent)

 NINEA_SUBJ="${CERT_SUBJECT},OU=${YUBISERIAL}-9a,CN=${1}"
 NINEC_SUBJ="${CERT_SUBJECT},OU=${YUBISERIAL}-9c,CN=${1}"

 echo "Generating 9a CSR: ${NINEA_SUBJ}"
 ykman piv certificates request \
      -s "${NINEA_SUBJ}" 9a ${NINEA}Pubkey.pem ${NINEA}Req.pem

 echo "Generating 9c CSR: ${NINEC_SUBJ}"
 ykman piv certificates request \
      -s "${NINEC_SUBJ}" 9d ${NINED}Pubkey.pem ${NINED}Req.pem

 # Get certificates signed (alternatively, don't be like me and use a
 # self sign here)

 citadel_sign ERISCOPIVCA ${NINEA} ${3} client
 citadel_sign ERISCOPIVCA ${NINED} ${3} client

 echo "Importing signed 9a certificate."
 ykman piv certificates import 9a ${NINEA}Cert.pem

 echo "Importing signed 9d certificate."
 ykman piv certificates import 9d ${NINED}Cert.pem

 # Get SSH pubkey from the yubikey that will be signed
 ssh-keygen -D /usr/local/lib/libykcs11.dylib | grep ecdsa | awk '{print $1 " " $2}' > ${NINEC}.pub

 if [ "$?" != 0 ]; then
    echo "Error: couldn't retrieve ecdsa key from yubikey...?"
    exit
 fi

 # TODO: make this part of citadel scripting

 scp ${NINEC}.pub baughj@citadel:/srv/SSHCA/reqs/
 ssh -t baughj@citadel "ssh-keygen -s user_ssh_ca -I $1 -n $2 -V +52w -z ${SSH_CERT_SERIAL} reqs/${NINEC}.pub && mv reqs/${NINEC}-cert.pub issued"
 scp baughj@citadel:/srv/SSHCA/issued/${NINEC}-cert.pub .

 echo "Done!"
 echo "Note: place the resulting signed SSH pubkey in your .ssh directory exactly as id_ecdsa-cert.pub - or use CertificateFile in config"
 echo "Don't forget to lock the armory and remove it."
 echo ""
 echo "To complete pairing with OSX for token auth, remove and reinsert the Yubikey."
	#!/bin/bash

	set -e

	if [ $# -ne 3 ]
	then
	echo "Usage: $0 <OSX username> <ssh principals> <expiration>"
	echo "Example: $0 baughj justin.baugh,baughj 1825"
	echo ""
	echo "Warning: It's a good idea to have at least two yubikeys for token auth,"
	echo " and they should NOT have the same cert expiration dates."
	exit
	fi

	if [ -z $(which ykman) ]; then
	echo "You need to install ykman. On OSX: brew install ykman"
	exit
	fi

	CERT_SUBJECT="C=US,O=ERISCO\, LLC,OU=PIV Certificates"

	read -p "Connect USB Armory, and when double blinking, hit enter to continue"

	YUBISERIAL=$(ykman info \| grep Serial \| awk '{ print $3 }')

	if [ -z ${YUBISERIAL} ]; then
	echo "Is yubikey connected? Couldn't get its serial number"
	fi

	# Get our USB armory functions
	source ~/.includes/citadel.bash

	citadel_unlock

	# Make filenames easier

	NINEA="${1}-${YUBISERIAL}-9A"
	NINEC="${1}-${YUBISERIAL}-9C"
	NINED="${1}-${YUBISERIAL}-9D"
	SSH_CERT_SERIAL="$(date +%Y%m%d)${YUBISERIAL}"

	# Generate two RSA certificates in 9a/9d for standard auth
	echo "Generating 9a (authentication) key. You'll be prompted for PIN."
	ykman piv keys generate --pin-policy default --touch-policy default 9a - > ${NINEA}Pubkey.pem

	echo "Generating 9d (key management) key. You'll be prompted for PIN."
	ykman piv keys generate --pin-policy default --touch-policy default 9d - > ${NINED}Pubkey.pem

	# Generate ECDSA key in slot 9c which will be used for ssh
	echo "Generating 9c (digital signature / ssh) key. You'll be prompted for PIN."
	ykman piv keys generate -a eccp384 --pin-policy once --touch-policy cached 9c - >${NINEC}Pubkey.pem

	# Generate CSRs for 9a/9d (we don't need X509 for ssh or for use with yubikey-agent)

	NINEA_SUBJ="${CERT_SUBJECT},OU=${YUBISERIAL}-9a,CN=${1}"
	NINEC_SUBJ="${CERT_SUBJECT},OU=${YUBISERIAL}-9c,CN=${1}"

	echo "Generating 9a CSR: ${NINEA_SUBJ}"
	ykman piv certificates request \
	-s "${NINEA_SUBJ}" 9a ${NINEA}Pubkey.pem ${NINEA}Req.pem

	echo "Generating 9c CSR: ${NINEC_SUBJ}"
	ykman piv certificates request \
	-s "${NINEC_SUBJ}" 9d ${NINED}Pubkey.pem ${NINED}Req.pem

	# Get certificates signed (alternatively, don't be like me and use a
	# self sign here)

	citadel_sign ERISCOPIVCA ${NINEA} ${3} client
	citadel_sign ERISCOPIVCA ${NINED} ${3} client

	echo "Importing signed 9a certificate."
	ykman piv certificates import 9a ${NINEA}Cert.pem

	echo "Importing signed 9d certificate."
	ykman piv certificates import 9d ${NINED}Cert.pem

	# Get SSH pubkey from the yubikey that will be signed
	ssh-keygen -D /usr/local/lib/libykcs11.dylib \| grep ecdsa \| awk '{print $1 " " $2}' > ${NINEC}.pub

	if [ "$?" != 0 ]; then
	echo "Error: couldn't retrieve ecdsa key from yubikey...?"
	exit
	fi

	# TODO: make this part of citadel scripting

	scp ${NINEC}.pub baughj@citadel:/srv/SSHCA/reqs/
	ssh -t baughj@citadel "ssh-keygen -s user_ssh_ca -I $1 -n $2 -V +52w -z ${SSH_CERT_SERIAL} reqs/${NINEC}.pub && mv reqs/${NINEC}-cert.pub issued"
	scp baughj@citadel:/srv/SSHCA/issued/${NINEC}-cert.pub .

	echo "Done!"
	echo "Note: place the resulting signed SSH pubkey in your .ssh directory exactly as id_ecdsa-cert.pub - or use CertificateFile in config"
	echo "Don't forget to lock the armory and remove it."
	echo ""
	echo "To complete pairing with OSX for token auth, remove and reinsert the Yubikey."