WARNING: THIS IS HELLA OUT OF DATE! See the readme.md in the ops repo!
Why you're getting a Yubikey Neo
(audience: Karmic Labs engineering team)
You're smart. You use full disk encryption. You have a passphrase on your ssh key, perhaps even pbkdf2+pkcs8 if you're really paranoid. Unfortunately that shell command you pasted in from that site the other week had some hidden shellcode that you didn't notice... or was it that neat little utility that you downloaded after reading the hacker news article? Doesn't matter, they got the private key files. Now they can get cracking on their own terms or phish away with fake keychain/ssh-askpass popups. You'll never know until your account logs in from halfway around the world and tries to snag a snapshot of our prod databases.
On the other hand, if you'd just use a Neo to manage your RSA keys, your ssh keys won't be on your laptop. This little thing signs ssh handshakes on its own doped-silicon turf instead of handing the keys over to some userland program. Hell, try to brute-force it and it bricks itself: three wrong user PINs lock the user PIN (only the admin PIN can unblock it), three wrong admin PINs lock that too, and once both are gone the only way back is a factory reset that wipes the keys. If this thing gets stolen then you'll either know about it or have a knot on your head when you wake up. (Disclaimer: a malicious program could still use your ssh keys from your computer while your YubiKey is plugged in and unlocked, or if your SSH agent is forwarded to a compromised host.)
YubiKey for SSH on MacOS
The YubiKey NEO[-Nano] contains a Javacard loaded with an OpenPGP applet. This will let you securely generate & store RSA keys for ssh + gpg (you do encrypt your secrets, right?).
- Install the YubiKey personalization tool: brew install ykpers
- Configure the YubiKey to enable CCID: ykpersonalize -m82 (NOTE: DOUBLE CHECK IN
- Install gpg2 and gpg-agent; https://gpgtools.org/ should work.
- Run gpg2 --card-edit to generate keys. Note the key id values.
  - Make sure you update both the PIN AND the admin PIN.
- Run gpg2 --card-status and pick out the "Authentication key"; the last 8 hex digits of its fingerprint make the "key id".
- Extract the ssh public key with
- Start gpg-agent:
  gpg-agent --daemon --enable-ssh-support --log-file ~/.gpg-agent.log --write-env-file ~/.gpg-agent-info
  (note, this may need
  Leave ~/.gpg-agent-info unquoted so the shell expands the tilde. --write-env-file only exists in GnuPG 2.0; 2.1 and later drop it and use a fixed socket path for the agent instead.
- When you're ready to use that ssh key: source ~/.gpg-agent-info. That exports SSH_AUTH_SOCK pointing at gpg-agent, so it takes over from ssh-agent in that shell; add it to ~/.(bash|zsh)_profile if you want gpg-agent to take over always.
- List keys with ssh-add -l; you should see one with a card id (a cardno:... comment instead of a file path).
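The two checks at the end of that procedure (find the Authentication key's id in gpg2 --card-status, confirm ssh-add -l shows a card-backed key) are easy to get wrong by eye, so here is a small POSIX sh script that does them. This is an added example, not something from the original page or from Yubico/GnuPG; the sample gpg2 --card-status and ssh-add -l outputs in it are constructed (made-up fingerprints and serials) so it runs with no YubiKey attached, and --live is a flag invented here to switch it to the real tools.

```shell
#!/bin/sh
# Added example (not part of the original page): helpers for the two checks in
# the macOS procedure above. auth_key_id derives the short key id from
# `gpg2 --card-status` output; card_key_serials / has_card_key confirm that
# `ssh-add -l` lists a key served from the card. Run with --live to query the
# real tools; without it the CONSTRUCTED sample outputs below are used, so the
# script runs without a YubiKey attached.

# Constructed sample of `gpg2 --card-status` for a provisioned NEO
# (fingerprints and serials are made up).
SAMPLE_CARD_STATUS='Application ID ...: D2760001240102000006030123450000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03012345
Signature key ....: 1A2B 3C4D 5E6F 7081 92A3  B4C5 D6E7 F809 1A2B 3C4D
      created ....: 2014-09-01 18:02:11
Encryption key....: 9F8E 7D6C 5B4A 3928 1706  F5E4 D3C2 B1A0 9F8E 7D6C
      created ....: 2014-09-01 18:02:58
Authentication key: 0F1E 2D3C 4B5A 6978 8796  A5B4 C3D2 E1F0 1234 ABCD
      created ....: 2014-09-01 18:03:40
General key info..: [none]'

# Constructed sample for a card whose slots are still empty.
SAMPLE_EMPTY_CARD='Application ID ...: D2760001240102000006030123450000
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Constructed sample of `ssh-add -l` with one file-backed key and one card key;
# gpg-agent reports card keys with a "cardno:<serial>" comment instead of a path.
SAMPLE_SSH_ADD='2048 SHA256:aG9sZGVyLWZpbmdlcnByaW50LWZvci1kZW1vLW9ubHk /Users/alice/.ssh/id_rsa (RSA)
2048 SHA256:Y2FyZC1iYWNrZWQta2V5LWZpbmdlcnByaW50LWRlbW8 cardno:000603012345 (RSA)'

# Print the Authentication key fingerprint (40 hex digits, spaces removed) from
# card-status text on stdin. Fails when the slot is "[none]" or the line is absent.
auth_key_fpr() {
  fpr=$(sed -n 's/^Authentication key: *//p' | tr -d ' ')
  printf '%s\n' "$fpr" | grep -Eq '^[0-9A-Fa-f]{40}$' || return 1
  printf '%s\n' "$fpr"
}

# The "key id" the page refers to: the last 8 hex digits of that fingerprint.
auth_key_id() {
  fpr=$(auth_key_fpr) || return 1
  printf '%s\n' "$fpr" | cut -c 33-40
}

# Print the serial of every card-backed key in `ssh-add -l` text on stdin.
card_key_serials() {
  sed -n 's/.*cardno:\([0-9A-Za-z]*\).*/\1/p'
}

# Succeed only if at least one listed key lives on a card.
has_card_key() {
  [ -n "$(card_key_serials)" ]
}

if [ "${1:-}" = "--live" ]; then
  card_status=$(gpg2 --card-status 2>&1) || { printf '%s\n' "$card_status" >&2; exit 1; }
  ssh_list=$(ssh-add -l 2>&1)
else
  card_status=$SAMPLE_CARD_STATUS
  ssh_list=$SAMPLE_SSH_ADD
fi

if id=$(printf '%s\n' "$card_status" | auth_key_id); then
  echo "authentication key id: $id"
else
  echo "no authentication key on the card; run gpg2 --card-edit and generate first" >&2
fi

if printf '%s\n' "$ssh_list" | has_card_key; then
  echo "ssh agent serves a card key (cardno: $(printf '%s\n' "$ssh_list" | card_key_serials))"
else
  echo "no card-backed key in ssh-add -l; is gpg-agent --enable-ssh-support running and SSH_AUTH_SOCK pointing at it?" >&2
fi
```

If the second check fails on a real machine after you sourced ~/.gpg-agent-info, the usual cause is a shell that still has the old SSH_AUTH_SOCK from ssh-agent; the cardno: comment only appears when the listing comes from gpg-agent.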
YubiKey notes from Ubuntu
(This section from Garrett)
gpg2 --card-status may error out. GNOME Keyring is in the way (it starts its own stand-ins for gpg-agent and ssh-agent that don't know how to talk to the card) and will cause you to question your sanity.
Here are a few notes to help guide the way. Do these before you follow the macOS setup instructions for the YubiKey.
- sudo apt-get install gnupg2 gpgsm gnupg-agent
- mkdir -p ~/.config/autostart
- cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart
- cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
- Edit the ~/.config/autostart/gnome-keyring-*.desktop files and change NoDisplay=true to NoDisplay=false so the entries show up in Startup Applications.
- Search for 'Startup Applications' in Unity (windows key). Launch it, then uncheck 'GPG Password Agent' and 'SSH Key Agent', close.
- Log out and then log back in to apply these changes.
gpg2 --card-status should function.
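The same edits can be done from the shell, which is handy on a box without a desktop session handy or when you want to script it. Unchecking an entry in Startup Applications writes X-GNOME-Autostart-enabled=false into the user's copy of the .desktop file, so the script below writes that line itself. This is an added example, not from the original page or from GNOME/Ubuntu; the --live flag and the disable_autostart/autostart_disabled names are invented here, and without --live it works on a constructed stand-in for gnome-keyring-ssh.desktop in a temp directory, so it never touches ~/.config.

```shell
#!/bin/sh
# Added example (not part of the original page): does the autostart edits from
# the Ubuntu notes above from the shell, so the GUI "Startup Applications" step
# is not needed. Unchecking an entry there writes X-GNOME-Autostart-enabled=false
# into the user's copy of the .desktop file; this script writes the same line.
# Without --live it works on a CONSTRUCTED copy of gnome-keyring-ssh.desktop in
# a temp directory, so it can be run without touching ~/.config.

# Copy one system autostart entry into the user autostart dir, make it visible
# (NoDisplay=false) and mark it disabled. Prints the path of the user copy.
disable_autostart() {   # args: <system .desktop file> <user autostart dir>
  src=$1
  dest=$2
  mkdir -p "$dest" || return 1
  out=$dest/$(basename "$src")
  # keep every line except an existing enabled/disabled flag, flip NoDisplay,
  # then append the disable flag the GUI would have written
  grep -v '^X-GNOME-Autostart-enabled=' "$src" \
    | sed 's/^NoDisplay=true$/NoDisplay=false/' > "$out" || return 1
  printf 'X-GNOME-Autostart-enabled=false\n' >> "$out"
  printf '%s\n' "$out"
}

# Succeed only when a user copy carries both edits (visible and disabled).
autostart_disabled() {   # arg: <user .desktop file>
  grep -q '^NoDisplay=false$' "$1" && grep -q '^X-GNOME-Autostart-enabled=false$' "$1"
}

if [ "${1:-}" = "--live" ]; then
  for c in gpg ssh; do
    f=$(disable_autostart "/etc/xdg/autostart/gnome-keyring-$c.desktop" "$HOME/.config/autostart")
    autostart_disabled "$f" && echo "disabled: $f"
  done
  echo "log out and back in, then retry gpg2 --card-status"
else
  tmp=$(mktemp -d)
  # Constructed stand-in for /etc/xdg/autostart/gnome-keyring-ssh.desktop
  cat > "$tmp/gnome-keyring-ssh.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=SSH Key Agent
Comment=GNOME Keyring: SSH Agent
Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh
OnlyShowIn=GNOME;Unity;MATE;
NoDisplay=true
EOF
  user_copy=$(disable_autostart "$tmp/gnome-keyring-ssh.desktop" "$tmp/autostart")
  if autostart_disabled "$user_copy"; then
    echo "dry run OK: $user_copy"
    cat "$user_copy"
  fi
fi
```

Running it with --live still needs the log out / log in from the notes above before gpg2 --card-status will behave, because the keyring shims already started in the current session keep running until then.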