I tried centralizing private key management on a YubiKey

Procedure

Crostini on ChromeOS (Debian)

verified on:

$ cat /etc/debian_version 
11.7

packages needed:

sudo apt update
sudo apt upgrade -y
sudo apt install -y opensc-pkcs11 opensc gpg-agent scdaemon yubikey-manager

status commands (try sudo reboot if they don't recognize the device; in Crostini the YubiKey also has to be shared with the Linux container from the ChromeOS settings, under the USB devices list of the Linux development environment, or ykman will not see it)

ykman info
opensc-tool -l

check that slot 9a (the PIV Authentication slot, which is what opensc-pkcs11 exposes for SSH) already holds a key, and look at the PIN retry counter:

ykman piv info | grep -A 7 9a

if it doesn't, generate a key and a self-signed certificate for it (ykman prompts for the PIV management key and PIN):

ykman piv keys generate 9a pubkey.pem
ykman piv certificates generate --subject "hikalium" 9a pubkey.pem
ykman piv info | grep -A 7 9a

list the public keys the PKCS#11 module exposes; the one labelled "PIV AUTH pubkey" is the one to use for ssh auth:

ssh-keygen -D `dpkg -L opensc-pkcs11 | grep /opensc-pkcs11.so | head -n 1`

add the key to ssh-agent (note that the PIN asked for here is the PIV PIN, factory default 123456, and is NOT the same as the OpenPGP User/Admin PIN!)

killall ssh-agent ; eval `ssh-agent` && ykman info && ssh-add -s `dpkg -L opensc-pkcs11 | grep /opensc-pkcs11.so | head -n 1` 

now you should be able to ssh

ssh vega

workaround for the sign_and_send_pubkey: signing failed for RSA "PIV AUTH pubkey" from agent: agent refused operation error on ssh

# based on: https://github.com/Yubico/yubico-piv-tool/issues/319
gpg-connect-agent updatestartuptty /bye
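The steps above, wrapped into a checked script. This is an added example, not part of the original notes: it asks dpkg for opensc-pkcs11.so as the notes do but falls back to assumed well-known install paths (Debian/Ubuntu multiarch, the macOS OpenSC installer, Homebrew), refuses to continue when the PIV PIN counter is at zero (the agent would just keep refusing), and only generates slot 9a when `ykman piv info` shows it empty. The `piv_*` parsers work on the text of `ykman piv info`; the sample output used in the checks is constructed here and only approximates the real layout.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes). Assumptions: the fallback module
# paths below, and that `ykman piv info` prints a "PIN tries remaining:" line
# and a "Slot 9a" heading followed by the key's algorithm / key type.

# Locate opensc-pkcs11.so: dpkg first (as in the notes), then assumed paths.
find_opensc_module() {
  local p
  if command -v dpkg >/dev/null 2>&1; then
    p=$(dpkg -L opensc-pkcs11 2>/dev/null | grep '/opensc-pkcs11.so$' | head -n 1)
    if [ -n "$p" ] && [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
  fi
  for p in /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
           /usr/lib/aarch64-linux-gnu/opensc-pkcs11.so \
           /Library/OpenSC/lib/opensc-pkcs11.so \
           /opt/homebrew/lib/opensc-pkcs11.so \
           /usr/local/lib/opensc-pkcs11.so; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# Read `ykman piv info` text on stdin; succeed if slot 9a holds a key
# (a "Slot 9a"/"Slot 9A" heading followed within 3 lines by an algorithm or
# private-key-type line).
piv_slot_9a_present() {
  grep -i -A 3 '^Slot 9a' | grep -qiE 'Algorithm|Private key type'
}

# Read `ykman piv info` text on stdin; print the remaining PIV PIN tries
# ("3" from either "PIN tries remaining: 3" or "PIN tries remaining: 3/3").
piv_pin_tries_remaining() {
  sed -nE 's/^PIN tries remaining:[[:space:]]*([0-9]+).*/\1/p' | head -n 1
}

# The whole procedure from the notes, with the checks a human would do by eye.
setup_yubikey_ssh() {
  local module info tries
  module=$(find_opensc_module) || { echo "opensc-pkcs11.so not found" >&2; return 1; }
  [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "no ssh-agent; run: eval \`ssh-agent\`" >&2; return 1; }
  info=$(ykman piv info) || { echo "ykman cannot see the YubiKey (Crostini: share it with Linux)" >&2; return 1; }
  tries=$(printf '%s\n' "$info" | piv_pin_tries_remaining)
  if [ "${tries:-0}" -le 0 ]; then
    echo "PIV PIN is blocked (0 tries left); unblock it with the PUK first" >&2
    return 1
  fi
  if ! printf '%s\n' "$info" | piv_slot_9a_present; then
    ykman piv keys generate 9a pubkey.pem
    ykman piv certificates generate --subject "hikalium" 9a pubkey.pem
  fi
  ssh-keygen -D "$module"   # prints "PIV AUTH pubkey"; paste into authorized_keys
  ssh-add -s "$module"      # asks for the PIV PIN, not the OpenPGP PIN
}

# Hardware steps run only when explicitly asked; sourcing just defines functions.
if [ "${1:-}" = "setup" ]; then setup_yubikey_ssh; fi
```

Source the file in the interactive shell that owns the agent (`. ./yubikey-ssh.sh; setup_yubikey_ssh`) rather than running it as a child process, so the ssh-agent environment stays with your session. If ssh still reports "agent refused operation" afterwards, apply the gpg-connect-agent workaround from the notes.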

create a device-local key for the ChromeOS host from Crostini (this key lives on disk in the shared Files folder, not on the YubiKey, so it is a software fallback and should be protected accordingly)

ssh-keygen -t ed25519 -f /mnt/chromeos/MyFiles/keys/id_ed25519
cat /mnt/chromeos/MyFiles/keys/id_ed25519.pub

Hint: look up live hosts on the LAN (-sP is the deprecated spelling of -sn, a ping scan without a port scan; -R forces reverse-DNS lookups for every host)

nmap -sP -R 192.168.100.1-254

Hint: to restart the Crostini container, press Ctrl-Alt-T while a browser window is focused to open crosh, and run:

vmc stop termina
vmc start termina

Mac OSX

Ubuntu on VMware

About resetting the PIN

On Mac OSX, opensc-tool --list-readers complains "No smart card readers found."

Notes

ykman

/Applications/YubiKey\ Manager.app/Contents/MacOS/ykman list
/Applications/YubiKey\ Manager.app/Contents/MacOS/ykman info