mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-11-26 01:08:13 +00:00
Increment debian image version
This commit is contained in:
parent
db3cb63484
commit
a6bc874713
45
README.md
45
README.md
@ -20,8 +20,6 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
|
|||||||
- [Verify keys](#verify-keys)
|
- [Verify keys](#verify-keys)
|
||||||
- [Export keys](#export-keys)
|
- [Export keys](#export-keys)
|
||||||
- [Backup keys](#backup-keys)
|
- [Backup keys](#backup-keys)
|
||||||
* [Linux](#linux)
|
|
||||||
* [OpenBSD](#openbsd)
|
|
||||||
- [Configure YubiKey](#configure-yubikey)
|
- [Configure YubiKey](#configure-yubikey)
|
||||||
- [Configure Smartcard](#configure-smartcard)
|
- [Configure Smartcard](#configure-smartcard)
|
||||||
* [Change PIN](#change-pin)
|
* [Change PIN](#change-pin)
|
||||||
@ -81,7 +79,7 @@ It is recommended to generate cryptographic keys and configure YubiKey from a se
|
|||||||
Download the latest image and verify its integrity:
|
Download the latest image and verify its integrity:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.8.0-amd64-xfce.iso
|
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.9.0-amd64-xfce.iso
|
||||||
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
|
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
|
||||||
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign
|
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign
|
||||||
|
|
||||||
@ -90,17 +88,17 @@ $ gpg --verify SHA512SUMS.sign SHA512SUMS
|
|||||||
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
|
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
|
||||||
[...]
|
[...]
|
||||||
|
|
||||||
$ grep $(sha512sum debian-live-9.8.0-amd64-xfce.iso) SHA512SUMS
|
$ grep $(sha512sum debian-live-9.9.0-amd64-xfce.iso) SHA512SUMS
|
||||||
SHA512SUMS:befdf12c58aee561ba9705ea1aba796a6a2fbfc816b8178dd54e3646a76c459137e20b420f391231b64666fa300e2b76c73e138590fb6ff83f5b9a16ea4debf1 debian-live-9.8.0-amd64-xfce.iso
|
SHA512SUMS:ae064cc399126214e4aa165fdbf9659047dd2af2d3b0ca57dd5f2686d1d3730019cfe3c56ac48db2af56eb856dbca75e642fadf56bc04c538b44d3d3a2982283 debian-live-9.9.0-amd64-xfce.iso
|
||||||
```
|
```
|
||||||
|
|
||||||
Mount a USB disk and copy the image over to it:
|
Mount a USB disk and copy the image over to it:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo dd if=debian-live-9.8.0-amd64-xfce.iso of=/dev/sdc bs=4M && sync
|
$ sudo dd if=debian-live-9.9.0-amd64-xfce.iso of=/dev/sdc bs=4M && sync
|
||||||
```
|
```
|
||||||
|
|
||||||
Shut down the computer and disconnect any hard drives and unnecessary peripherals.
|
Shut down the computer and disconnect any hard drives and unnecessary peripheral devices.
|
||||||
|
|
||||||
Plug in the USB disk and boot to the live image. Configure networking to continue. If the screen locks, unlock with user/live.
|
Plug in the USB disk and boot to the live image. Configure networking to continue. If the screen locks, unlock with user/live.
|
||||||
|
|
||||||
@ -111,9 +109,7 @@ Install several packages required for the following steps:
|
|||||||
**Debian/Ubuntu**
|
**Debian/Ubuntu**
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo apt-get update
|
$ sudo apt-get update && sudo apt-get install -y \
|
||||||
|
|
||||||
$ sudo apt-get install -y \
|
|
||||||
curl gnupg2 gnupg-agent \
|
curl gnupg2 gnupg-agent \
|
||||||
cryptsetup scdaemon pcscd \
|
cryptsetup scdaemon pcscd \
|
||||||
yubikey-personalization \
|
yubikey-personalization \
|
||||||
@ -145,7 +141,7 @@ $ doas pkg_add gnupg pcsc-tools
|
|||||||
Download and install [Homebrew](https://brew.sh/) and the following Brew packages:
|
Download and install [Homebrew](https://brew.sh/) and the following Brew packages:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
brew install gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac
|
$ brew install gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac
|
||||||
```
|
```
|
||||||
|
|
||||||
**Windows**
|
**Windows**
|
||||||
@ -212,7 +208,7 @@ Create a hardened configuration for GPG with the following options or by downloa
|
|||||||
```console
|
```console
|
||||||
$ curl -o $GNUPGHOME/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf
|
$ curl -o $GNUPGHOME/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf
|
||||||
|
|
||||||
$ cat $GNUPGHOME/gpg.conf
|
$ grep -ve "^#" $GNUPGHOME/gpg.conf
|
||||||
personal-cipher-preferences AES256 AES192 AES
|
personal-cipher-preferences AES256 AES192 AES
|
||||||
personal-digest-preferences SHA512 SHA384 SHA256
|
personal-digest-preferences SHA512 SHA384 SHA256
|
||||||
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
|
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
|
||||||
@ -601,7 +597,7 @@ Make sure you have made an **encrypted** backup before proceeding. An encrypted
|
|||||||
|
|
||||||
Also consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
|
Also consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
|
||||||
|
|
||||||
## Linux
|
**Linux**
|
||||||
|
|
||||||
Attach a USB disk and check its label:
|
Attach a USB disk and check its label:
|
||||||
|
|
||||||
@ -720,7 +716,7 @@ $ sudo umount /mnt
|
|||||||
$ sudo cryptsetup luksClose usb
|
$ sudo cryptsetup luksClose usb
|
||||||
```
|
```
|
||||||
|
|
||||||
## OpenBSD
|
**OpenBSD**
|
||||||
|
|
||||||
Attach a USB disk and determine its label:
|
Attach a USB disk and determine its label:
|
||||||
|
|
||||||
@ -1108,9 +1104,7 @@ You can reboot back into the Live image to test YubiKey.
|
|||||||
Install required programs:
|
Install required programs:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo apt-get update
|
$ sudo apt-get update && sudo apt-get install -y \
|
||||||
|
|
||||||
$ sudo apt-get install -y \
|
|
||||||
curl gnupg2 gnupg-agent \
|
curl gnupg2 gnupg-agent \
|
||||||
cryptsetup scdaemon pcscd
|
cryptsetup scdaemon pcscd
|
||||||
```
|
```
|
||||||
@ -1546,7 +1540,7 @@ This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`.
|
|||||||
$ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/
|
$ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/
|
||||||
```
|
```
|
||||||
|
|
||||||
* Finally, to enable agent forwarding for a given machine, add the following to the local machine's ssh config file `~/.ssh/config` (your agent sockets may be different):
|
* Finally, enable agent forwarding for a given machine by adding the following to the local machine's ssh config file `~/.ssh/config` (your agent sockets may be different):
|
||||||
|
|
||||||
```
|
```
|
||||||
Host
|
Host
|
||||||
@ -1582,7 +1576,9 @@ Now, to sign commits or tags simply use the `-S` option. GPG will automatically
|
|||||||
|
|
||||||
To authenticate:
|
To authenticate:
|
||||||
|
|
||||||
**Windows** Run the following command:
|
**Windows**
|
||||||
|
|
||||||
|
Run the following command:
|
||||||
|
|
||||||
> git config --global core.sshcommand 'plink -agent'
|
> git config --global core.sshcommand 'plink -agent'
|
||||||
|
|
||||||
@ -1592,7 +1588,15 @@ You can then change the repository url to `git@github.com:USERNAME/repository` a
|
|||||||
|
|
||||||
## OpenBSD
|
## OpenBSD
|
||||||
|
|
||||||
`doas pkg_add pcsc-tools` and enable with `doas rcctl enable pcscd`, then reboot in order to recognize YubiKey.
|
Install and enable tools for use with PC/SC drivers, cards, readers, then reboot to recognize YubiKey:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ doas pkg_add pcsc-tools
|
||||||
|
|
||||||
|
$ doas rcctl enable pcscd
|
||||||
|
|
||||||
|
$ doas reboot
|
||||||
|
```
|
||||||
|
|
||||||
## Windows
|
## Windows
|
||||||
|
|
||||||
@ -1723,6 +1727,7 @@ And reload the SSH daemon (e.g., `sudo service sshd reload`).
|
|||||||
* https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
* https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
||||||
* https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO
|
* https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO
|
||||||
* https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
|
* https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
|
||||||
|
* https://blog.onefellow.com/post/180065697833/yubikey-forwarding-ssh-keys
|
||||||
* https://developers.yubico.com/PGP/Card_edit.html
|
* https://developers.yubico.com/PGP/Card_edit.html
|
||||||
* https://developers.yubico.com/PIV/Introduction/Admin_access.html
|
* https://developers.yubico.com/PIV/Introduction/Admin_access.html
|
||||||
* https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
|
* https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
|
||||||
|
Loading…
Reference in New Issue
Block a user