Skip to content

Instantly share code, notes, and snippets.

@eqyiel

eqyiel/Use Yubikey (GPG key) for SSH.md

Forked from jacquesbh/Use Yubikey (GPG key) for SSH.md
Created August 2, 2020 11:49
Show Gist options
  • Save eqyiel/87d5c35854ec49f20cbc2ccbe3989c32 to your computer and use it in GitHub Desktop.
Save eqyiel/87d5c35854ec49f20cbc2ccbe3989c32 to your computer and use it in GitHub Desktop.
Download ZIP
Use my Yubikey with GPG keys to SSH with a guest computer (OSX or Windows)
Raw
Use Yubikey (GPG key) for SSH.md

→ Great great documentation about all this (probably better): https://github.com/drduh/YubiKey-Guide

Using Yubikey (PIV on osx, etc.)

Documentation for PIV: https://github.com/Yubico/yubikey-piv-manager/tree/master/doc

To manage the certificates: https://www.yubico.com/support/knowledge-base/categories/articles/unpair-yubikey-piv-login-macos-sierra/

Using GPG key

Personnalization tool : https://itunes.apple.com/us/app/yubikey-personalization-tool/id638161122

You have to install GPG of course ;).

Very good guide here: https://github.com/drduh/YubiKey-Guide

OSX / Linux

Basics

Read the key info to be sure the card is connected:

$ gpg2 --card-status

Then load the public key if it is not available online. If you use keybase.io, your key is available online using the keybase keys server.

$ gpg2 --import < key.asc

Fetch the private key on the smartcard:

It will download the public key if you don't have it already.

$ gpg2 --card-edit
gpg/card> fetch

Then run the GPG Agent:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)

Check if the key is present:

ssh-add -L

If no, try the gpg2 --card-status again. If the card is present you should have the key listed.
It should take some time to list the keys in the agent if the syste is using GPG.

If the key was in the agent before (you lost your card, and you are using your backup card), then you have to remove the cached private key in the ~/.gnupg/private-keys-v1.d directory.
DO NOT REMOVE ALL FILES because if you do, you'll loose all private keys that you have.

You can get the list of all keygrips you would like to remove bu using: gpg2 --list-secret-keys --with-keygrip KEYID.

Then you can reimport your public key and AFTER you can insert your yubikey and run the gpg2 --card-status. If you keep your Yubikey inserted when you reimport the public key you'll have a "no secret key" issue. (see here)

GPG Agent

Put this into your ~/.profile file:

#!/bin/bash
GPG_TTY=$(tty)
export GPG_TTY

if [ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]; then
  export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
fi

A good way to restart the agent is:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)

List of used GPG keys for SSH

You can find the list of your key's keygrip into ~/.gnupg/sshcontrol.

In this file you'll find all the keygrips.
If at one moment you need to use a GPG key for SSH without smartcard, you need to add the keygrip into this file.

To find the keygrip of your key (you need to have an authentication subkey A) use the following:

gpg2 --with-keygrip -k

Then find you'll be able to find the keygrip of your A subkey.

Change card (use backup card)

Few steps to follow.

  1. Remove your GPG key from your machine.
  2. Fetch the key using gpg --cart-edit as shown above.
  3. Clear the GPG agent cache if you have to.
  4. You're all set.

Windows

See: https://developers.yubico.com/PGP/SSH_authentication/Windows.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment