Because of the Infineon Disaster of 2017 lots of TPM and Yubikey keys have to be regenerated.
I have previously blogged about how to create these keys inside the yubikey, so here’s just the short version of how to redo it by generating the key in software and importing it into the yubikey.
When it appears to stall, that’s when it’s waiting for a touch.
openssl genrsa -out key.pem 2048 openssl rsa -in key.pem -outform PEM -pubout -out public.pem yubico-piv-tool -s 9a -a import-key --touch-policy=always -i key.pem yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S '/CN=my SSH key/' -i public.pem -o cert.pem yubico-piv-tool -a import-certificate -s 9a -i cert.pem rm key.pem public.pem cert.pem ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e
Delete all mentions of previous key. It’s good to have a disaster plan ahead of time if keys need to be replaced, but if you don’t have one:
- Inventory all bad keys. Make sure you have their fingerprints.
- Inventory all places this key could be installed.
- Generate new keys.
- Distribute new keys. (in this case, add to all relevant
- Remove all old keys.
- Grep for the keys found in step 1.
- Try to log in with old key.
You could do 4 and 5 in one go, replacing key XXXXX with YYYYY (pick something large enough from the key to be unique) with something like:
OLD=XXXXXX NEW=YYYYYY NEW_URL=https://www.example.com/ssh-key.pub for host in $(cat hosts); do echo ------------- echo $host ssh $host " set -e cd .ssh (grep -q $OLD authorized_keys && echo FIXING: old key there || echo OK: old key not there) sed -i '/$OLD/d' authorized_keys (grep -q $NEW authorized_keys && echo OK: new key already there || curl -s $NEW_URL >> authorized_keys) " || echo FAILED: could not log in done
Be prepared to touch the yubikey a lot.