Skip to content

Instantly share code, notes, and snippets.

@cagerton cagerton/ Secret
Last active Aug 29, 2015

What would you like to do?
Why you're getting a Yubikey Neo

WARNING: THIS IS HELLA OUT OF DATE! See the in the ops repo!

Why you're getting a Yubikey Neo

(audience: Karmic Labs engineering team)

You're smart. You use full disk encryption. You have a passphrase on your ssh key, perhaps even pbkdf2+pkcs8 if you're really paranoid. Unfortunately that shell command you pasted in from that site the other week had some hidden shellcode that you didn't notice... or was it that neat little utility that you downloaded after reading the hacker news article? Doesn't matter, they got the private key files. Now they can get cracking on their own terms or phish away with fake keychain/ssh-askpass popups. You'll never know until your account logs in from halfway around the world and tries to snag a snapshot of our prod databases.

On the other hand, if you'd just use the a Neo to manage your RSA keys, your ssh keys won't be on your laptop. This little thing signs ssh handshakes on its own doped-silicon-turf instead handing the keys over to some userland program. Hell, it'll eat your damn keys if you get your password wrong six times in a row. If this thing gets stolen then you'll either know about it or have a knot on your head when you wake up. (Disclaimer: a malicious program could still use your ssh keys from your computer while your yubikey is plugged and authenticated or if your SSH agent is forwarded to a compromised host)

YubiKey for SSH on MacOS

The YubiKey NEO[-Nano] contains a Javacard loaded with an openpgp applet. This will let you securely genrate & store RSA keys for ssh + gpg (you do encrypt your secrets, right?).

  • brew install ykpers (yubikey personalization)
  • Configure the Yubikey to enable ccid ykpersonalize -m82 (NOTE: DOUBLE CHECK IN man ykpersonalize)
  • Install gpg2 with gpg-agent. should work.
  • Use gpg2 --card-edit to generate keys. Note the key id values.
  • Make sure you update both the pin AND the admin pin.
  • Run gpg2 --card-status and pick out the "Authentication Key" - the last 8 hex digits make "key id"
  • Extract the ssh public key with gpgkey2ssh <8-hex-digit-key-id>
  • Start gpg-agent: gpg-agent --daemon --enable-ssh-support --log-file ~/.gpg-agent.log --write-env-file "~/.gpg-agent-info" (note, this may need
  • When you're ready to use that ssh key: source ~/.gpg-agent-info
  • List keys with ssh-add -l ... you sould see one with a card id.
  • Note: source ~/.gpg-agent-info takes over from ssh-agent in that shell; add to ~/.(bash|zsh)_profile if you want gpg agent to take over always.

YubiKey notes from Ubuntu

(This section from Garrett)

gpg2 --card-status may error. Gnome keyring is in the way and will cause you to question your sanity.

Here are a few notes to help keep guide the way. Do these before you follow the MacOS setup instructions for Yubikey.

  • sudo apt-get install gnupg2 gpgsm gnupg-agent
  • cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart
  • cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
  • Edit the ~/.config/autostart/gnome-keyring-*.desktop files, change NoDisplay from true to false. NoDisplay=false
  • Search for the 'Startup Applications' in Unity (windows key). Launch it, then uncheck 'GPG Password Agent' and 'SSH Key Agent', close.
  • Log out and then log back in to apply these changes.

gpg2 --card-status should function.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.