Skip to content

Instantly share code, notes, and snippets.

@fancyremarker
Last active October 2, 2019 13:30
Show Gist options
  • Save fancyremarker/d9782b33161f176da5b7df5c84d1f5d3 to your computer and use it in GitHub Desktop.
Save fancyremarker/d9782b33161f176da5b7df5c84d1f5d3 to your computer and use it in GitHub Desktop.
YubiKey Setup Notes (Draft)

Requirements

This configuration assumes you have:

  • A YubiKey that supports OpenPGP (4, 4 Nano, 4C, or NEO)
  • GPGTools (I couldn't get PIN entry, which is required for interfacing to work with any other GPG's version of pinentry)

Setup

  1. Insert YubiKey into USB port.

  2. Run gpg2 --card-edit, and enter admin at the REPL prompt.

  3. Enter passwd and select 1 to change the PIN (the initial PIN is 123456)

  4. Enter passwd again, this time selecting 3 to change the Admin PIN (the initial Admin PIN is 12345678)

  5. Enter generate, and follow the prompts to create a new PGP key. (An authentication "subkey", which will be used as a private SSH key, will be automatically generated). When prompted "Make off-card backup of encryption key?", select "N". When prompted for your email address, I recommend selecting an email address not associated with any current registered PGP key, to avoid any confusion with your existing PGP encryption workflow. After the key has been generated, enter quit to exit the REPL.

  6. Add the following lines to ~/.gnupg/gpg-agent.conf:

     default-cache-ttl 43200
     max-cache-ttl 43200
     enable-ssh-support
    
  7. Add the following lines to your ~/.bash_profile (or another shell startup script):

     export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
     gpgconf --launch gpg-agent
    
  8. Restart the gpg-agent by running the commands from the step above (or re-sourcing your shell startup script in your current shell).

  9. Run ssh-add -L to display the SSH public key on the YubiKey. Add this public key to the authorized_keys file on a server you wish to connect to. Connect as usual using ssh and verify that you are prompted for the PIN you set in Step 5.

  10. Because this approach replaces any existing ssh-agent with the one provided by GPG, you may need to re-add existing SSH keys to the agent now. Do so by running ssh-add path/to/key for each private key.

References

  1. Easy multifactor authentication for SSH using YubiKey NEO tokens
  2. How to use a GPG key for SSH authentication
@gib
Copy link

gib commented Dec 27, 2017

Proposing a step 4.5 (and possibly 3.5?) to enter Q to quit the passwd command. The numeric options remain after updating the PIN and Admin PIN.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment