# PIV-PKCS ## ❊ Creating PIV Keys & Certificate For this tutorial; we're going to create a PIV certificate/keys and import them into slot **`9A`** of your Yubikey. Before continuing, you need to follow the instructions provided in the [**PIV Slot 9A guide**](/yubikey5/piv-1/slots/9a/openssl.md) and generate the certs and keys you will use for connecting. Once you have finished, return to this guide and proceed to the next step. ## ❊ PuTTY-CAC To authenticate with your SSH server using your PIV certificate; you must use the application PuTTY-CAC. This program is different from PuTTY; and provides you with extra features you will need in order to do this. [**You can download PuTTY-CAC here**](https://github.com/NoMoreFood/putty-cac/releases/). Once PuTTY-CAC is installed and launched, you can fill out the information for the server you wish to connect to:
This includes your hostname and port. You can then enter a name under **Saved Sessions** and then click **Save**. This will store your server in your favorites so that you can access it more quickly later. If you make changes to the configuration, remember to click **Save**. Next, navigate to **Connection** -> **SSH** -> **Certificate**:
There are several options that you can select from, minaly Set **`CAPI`** and Set **`PKCS`**. For this tutorial; we're going to select **`PKCS`**. If you use to utilize the CAPI protocol, [**you can follow that guide here.**](/yubikey5/tutorials/ssh-+-putty-cac/piv-capi.md) Next, select ![](/files/IEQ593VIpQZQ1Nr8X2mv), which should make a dialog box appear.
The dialog above is asking you to select the PKCS module file that will be used to load your Yubikey's PIV certificates. You should navigate and select the file: **`C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll`** If you do not have the above folders, you will need to download the Yubikey Manager, and the Yubikey PIV Tool from their official website. Once you select the correct .DLL file, another dialog should appear and list the PIV certificates available from your Yubikey:
Select the certificate you created earlier and press **OK**. If you wish to save this certificate as part of your Favorites, go back and press **Save** again on the Saved Sessions section. ## ❊ Install Public Key The next step to get SSH authentication working, giving your remote server your certificate key. In PuTTY-CAC, navigate to **Connection** -> **SSH** -> **Certificate** Toward the bottom of the list of protocol buttons, you should see a button labeled **`Copy to Clipboard`**.
This should copy your public key to your clipboard which you will need to add to your remote server's **`authorized_keys`** file, usually located in: **`/home/username/.ssh/authorized_keys`** If you're attempting to apply your public key to your root user, you will need to modify: **`/root/.ssh/authorized_keys`** {% hint style="info" %} It is highly recommended that you not utilize your root account. Create a new user to authenticate with, and disable the root account on your server. {% endhint %} Inside the **`authorized_keys`** file, paste the public key that was copied to your clipboard from PuTTY-CAC and then save the file. If you have multiple certificates you wish to use to connect, you can paste each public key on a new line in the authorized\_keys file. Ensure your .ssh folder and authorized\_keys files have the correct permissions.
FilePermission
.ssh/700
.ssh/authorized_keys644
Also check and make sure the folder and files are owned by the user that the account is associated to. Execute **`chown`** if the .ssh folder and files are owned by root and not the account the folders are listed under. Failure to properly set the permissions on these files / folder will result in authentication not working. ## ❊ Connection Once you have added your public key to your server and selected the correct certificate, you can now click the ![](/files/z3tXG2JSONDTIj97TPig) button. PuTTY-CAC will open the SSH terminal and ask you to supply your username:
Once your username is entered, the terminal will show a few lines of text. ``` login as: aetherinox Pre-authentication banner message from server: | --------------------------------------------------------- | Authorized Access Only | --------------------------------------------------------- End of banner message from server Authenticating with public key "PKCS:4195a02b5e969e11e2ab8eac536f24aac589 ``` And a PIN dialog will appear which asks you to enter your Yubikey PIV PIN:
Once your PIN is entered, take a quick look at the circle in the middle of your Yubikey. If you imported your PIV certificate with a specified TOUCH POLICY; your Yubikey will ask you to press the button in the middle before authentication is completed. If you do not press the button within 30 seconds, the connection will be terminated. The terminal will then print a few more lines once you've connected and you'll be ready to go: ``` Welcome to Zorin OS 16.2 (GNU/Linux 5.15.0-58-generic x86_64) Last login: Sun Feb 12 18:06:39 2023 username@home:~$ ``` ## ❊ Passwordless Authentication Once you have successfully connected to your SSH server with your Yubikey, you may want to disable the ability to sign into your user with a password. This ensures only authentication with the Yubikey is allowed. To do this, locate and open your sshd\_config file, usually located in: **`/etc/ssh/sshd_config`** Once the file is open, find the line which includes: ```bash PasswordAuthentication yes ``` Modify the line's value to disable password authentication: ```bash # To disable tunneled clear text passwords, change to no here! # Disable password authentication by default (except for LAN IP ranges listed later) PasswordAuthentication no ``` Once the change has been made, you will need to restart SSH on your server with any of the following commands: ```bash /etc/init.d/sshd restart service sshd restart sudo systemctl restart sshd service ssh restart ``` The command syntax depends on which distro of Linux you are running. This completes this section of the guide. If you wish to utilize the CAPI protocol for connecting, you may view the [**PIV-CAPI SSH Guide here**](/yubikey5/tutorials/ssh-+-putty-cac/piv-capi.md). ## ❊ Notes One of the biggest pains of getting SSH + PuTTY-CAC to connect successfully with a Yubikey is the poorly worded dialog box, and using the incorrect module. When prompted to enter your "password", it wants you to enter your Yubikey PIV PIN, not your PIV certificate passphrase / password. The CAPI method is much more clear and uses the proper PIN dialog box, whereas PKCS doesn't.
The second issue is using the correct .dll module. You should **NOT** be using the OpenSC .dll located in **`C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll`**, but instead, point the browse dialog to where you have **`libykcs11.dll`** on your computer. This is typically in the folder: **`C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll`** These steps should ensure that you successfully connect to your server via SSH. Personally, I'm more of a fan of CAPI, but whichever you prefer. {% hint style="warning" %} Because PuTTY-CAC uses OpenSC as the bridge between PuTTY and your server, you cannot run multiple programs that rely on OpenSC at the same time; otherwise you will get errors, or cannot see your PIV certificates. \ Such an example would be running PuTTY and Filezila at the same time, and having both connections authenticate using your Yubikey. {% endhint %} ### Common Errors / Issues ### **Interface Freezing When selecting**** ****`Set PKCS Cert`**
If PuTTY becomes unresponsive when you click the **`Set PKCS Cert`** button, this is usually because you clicked the button too quick after inserting your Yubikey. Once you insert the Yubikey, wait about 10-15 seconds before clicking. PuTTY doesn't like when you try to speed-run the program. ### **Error: No supported authentication methods available.**
This error appears when your attempt to authenticate using your Yubikey has failed, and your SSH server has no other way to connect. The most common reason is if you edit your sshd\_config file and disable password authorization. ```bash # To disable tunneled clear text passwords, change to no here! # Disable password authentication by default (except for LAN IP ranges listed later) PasswordAuthentication no ``` To correct this issue, follow through the guide steps again, and make sure you're using your Yubikey PIV PIN to authenticate, and **not** a certificate password. If you continue to get the error and have no idea why it's appearing, you can re-enable **`PasswordAuthentication`**. ```bash PasswordAuthentication yes ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://yubico.gitbook.io/yubikey5/tutorials/ssh-+-putty-cac/piv-pkcs.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.