
Feature: support using YubiKey PIV for storing keys

Open hazcod opened this issue 4 years ago • 7 comments

What would you like to be added

I would love to have some kind of hardware binding to secure the credentials being used by smallstep CLI. E.g. for SSH certificate signing, it would be great if we could re-use the SSH credentials on the YubiKey instead of generating one on the filesystem, where they can be stolen by a malicious actor. http://github.com/go-piv/piv-go is a great project to easily set up and access YubiKey PIV keys. I've posted a YubiKey example here: https://gist.github.com/hazcod/59af44bc4ad88b43e035ba54ed010c81

Why this is needed

Further secure the credentials being generated by step with a hardware binding.

hazcod avatar Aug 03 '21 07:08 hazcod

Hi @hazcod, this feature is in our roadmap, and the code blocks are already in place: step-ca has an interface named kms.KeyManager that's implemented with support for YubiKey, PKCS#11 and some popular cloud key managers like AWS KMS and Google Cloud KMS.

That interface has methods to create keys in yubikey, as well as read the public key and do sign operations.

maraino avatar Aug 04 '21 17:08 maraino

@maraino FYI I meant the smallstep CLI, not the step-ca. (not storing the temporary tokens on-disk)

hazcod avatar Sep 29 '21 14:09 hazcod

@hazcod I meant that we will use the interface that we have in step-ca in the step cli.

maraino avatar Sep 29 '21 17:09 maraino

@maraino so the certificate would need to be provided to the pkcs11 provider before being loaded by the ssh-agent. And this is why it needs to rely on the KeyManager here. Am I reading this correctly?

baloo avatar Nov 03 '21 22:11 baloo

I also need this functionality; I want to use this command:

$ step certificate create --profile root-ca --template root.tpl \
    "My Root CA" root_ca.crt "pkcs11:mytoken"

I would expect this to work: instead of specifying key files each time, I should be able to specify a PKCS#11 URL instead.

hongkongkiwi avatar Nov 15 '21 16:11 hongkongkiwi

@baloo, @hongkongkiwi we will add support for step certificate create, step certificate sign, and step ca init at some point, but this is not a priority for us right now, and is not a simple task. We will also add support for other commands, but the ones above will come first.

We have provided little programs that you can modify to get this working, the specific one for YubiKey is here. Modifying it to add custom attributes in the subject or even custom extensions should not be that hard.

Unfortunately, that script does not have support for SSH, but that part is not difficult to do, as we now support the required key management slots too. I will accept a PR that modifies that script with an --ssh flag to enable the creation of a key to sign host certificates and another to sign user certificates, as well as --ssh-host-slot and --ssh-user-slot to define the slots where we want to add the keys. You can look at step-pkcs11-init, which shows you how to create a key using the key manager for SSH.

I'll try to add SSH support for that script soon if we don't get a PR first.

And for SSH, once you have an SSH-CA configured, you can sign keys that require a YubiKey too:

$ ssh-keygen -t ecdsa-sk -f ecdsa-sk
$ step ssh certificate mariano ecdsa-sk.pub

To use that certificate with ssh you will need to have your key connected and tap it.

maraino avatar Nov 15 '21 19:11 maraino
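The comment above points out that a CA can issue certificates only for keys that live on a security key (`ssh-keygen -t ecdsa-sk`). The following is an added example, not code from the issue or from smallstep: a small Python check a CA operator could run on a submitted `.pub` line before calling `step ssh certificate`, to confirm the key is an `sk-` type and that the OpenSSH wire blob is consistent with the declared type. The sample key line is constructed with dummy key bytes and the names `parse_sk_pubkey` and `SAMPLE_SK_LINE` are this example's own.

```python
import base64
import struct

# Public-key types written by `ssh-keygen -t ecdsa-sk` and `-t ed25519-sk`;
# the value is the expected curve name (ECDSA) or None (Ed25519).
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com": "nistp256",
    "sk-ssh-ed25519@openssh.com": None,
}

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length + bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n

def parse_sk_pubkey(line):
    """Return (keytype, application) for a hardware-bound (sk-) key line.
    Raise ValueError for file-based keys or a blob inconsistent with its type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, b64 = fields[0], fields[1]
    if keytype not in SK_TYPES:
        raise ValueError(f"not an sk key type: {keytype}")
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("blob type does not match declared type")
    if SK_TYPES[keytype] is not None:          # ECDSA: curve name precedes point
        curve, off = _read_string(blob, off)
        if curve.decode() != SK_TYPES[keytype]:
            raise ValueError("unexpected curve")
    _key_bytes, off = _read_string(blob, off)  # EC point or Ed25519 public key
    application, off = _read_string(blob, off) # FIDO application, "ssh:" prefix
    app = application.decode()
    if not app.startswith("ssh:"):
        raise ValueError(f"unexpected application string: {app}")
    return keytype, app

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample line (not a real key): well-formed blob, dummy EC point.
SAMPLE_SK_LINE = "sk-ecdsa-sha2-nistp256@openssh.com " + base64.b64encode(
    _ssh_string(b"sk-ecdsa-sha2-nistp256@openssh.com")
    + _ssh_string(b"nistp256")
    + _ssh_string(b"\x04" + b"\x00" * 64)
    + _ssh_string(b"ssh:")
).decode() + " user@host"
```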

Thanks for the detailed explanation. As my usage is a bit more generic than Yubikey, I created a separate issue here #583 to keep it simple.

hongkongkiwi avatar Nov 16 '21 17:11 hongkongkiwi