This configuration assumes you have:
- A YubiKey that supports OpenPGP (4, 4 Nano, 4C, or NEO)
- GPGTools (I couldn't get PIN entry, which is required for interfacing with the card, to work with any other GPG version's pinentry)
1. Insert YubiKey into USB port.
2. Run `gpg2 --card-edit`, and enter `admin` at the REPL prompt.
3. Enter `passwd` and select `1` to change the PIN (the initial PIN is 123456).
4. Enter `passwd` again, this time selecting `3` to change the Admin PIN (the initial Admin PIN is 12345678).
5. Enter `generate`, and follow the prompts to create a new PGP key. (An authentication "subkey", which will be used as a private SSH key, will be automatically generated.) When prompted "Make off-card backup of encryption key?", select "N". When prompted for your email address, I recommend selecting an email address not associated with any current registered PGP key, to avoid any confusion with your existing PGP encryption workflow. After the key has been generated, enter `quit` to exit the REPL.
6. Add the following lines to `~/.gnupg/gpg-agent.conf`:

   ```
   default-cache-ttl 43200
   max-cache-ttl 43200
   enable-ssh-support
   ```

7. Add the following lines to your `~/.bash_profile` (or another shell startup script):

   ```sh
   export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
   gpgconf --launch gpg-agent
   ```

8. Restart the `gpg-agent` by running the commands from the step above (or re-sourcing your shell startup script in your current shell).
9. Run `ssh-add -L` to display the SSH public key on the YubiKey. Add this public key to the `authorized_keys` file on a server you wish to connect to. Connect as usual using `ssh` and verify that you are prompted for the PIN you set in Step 5.

Because this approach replaces any existing `ssh-agent` with the one provided by GPG, you may need to re-add existing SSH keys to the agent now. Do so by running `ssh-add path/to/key` for each private key.
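The agent-configuration steps above (the `gpg-agent.conf` settings and the shell-startup lines) are easy to get wrong when repeated: a second run of "append these lines" leaves duplicate entries, and a conf file created by hand may end up world-readable. The script below is an added example, not part of the original gist, that applies those steps idempotently. It takes the GnuPG home and the startup-file path as parameters (assumed here, so it can be exercised against a scratch directory), and only touches the real `~/.gnupg` and `~/.bash_profile`, and restarts the agent, when invoked with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the original gist): idempotent setup of the
# gpg-agent.conf and shell-startup lines from the steps above. Paths are
# parameters so the functions can be run against a scratch directory.

# ensure_line FILE LINE: append LINE to FILE unless an identical line is
# already present, so re-running the setup never duplicates entries.
ensure_line() {
    file="$1"
    line="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# configure_gpg_agent GNUPGHOME: the three gpg-agent.conf settings from the
# gist (12-hour cache TTLs, SSH agent emulation), with the file kept
# readable by the owner only.
configure_gpg_agent() {
    conf="$1/gpg-agent.conf"
    ensure_line "$conf" "default-cache-ttl 43200"
    ensure_line "$conf" "max-cache-ttl 43200"
    ensure_line "$conf" "enable-ssh-support"
    chmod 600 "$conf"
}

# configure_shell_startup STARTUP_FILE: point SSH_AUTH_SOCK at gpg-agent's
# SSH socket and launch the agent whenever a login shell starts. The
# lines are written literally (single quotes) so $(...) expands at login.
configure_shell_startup() {
    ensure_line "$1" 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)'
    ensure_line "$1" 'gpgconf --launch gpg-agent'
}

# count_lines FILE: number of lines in FILE, used to verify idempotence.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Only modify the real locations when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    configure_gpg_agent "${GNUPGHOME:-$HOME/.gnupg}"
    configure_shell_startup "$HOME/.bash_profile"
    # Restart the agent so the new settings take effect, then list the
    # keys it now serves (the YubiKey's authentication subkey should appear).
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    ssh-add -L
fi
```

Running the script a second time with `apply` leaves both files unchanged, which is the property worth checking before putting lines like these into a dotfile manager. The `ssh-add -L` at the end is the same verification as the last step of the gist; if it prints nothing, the agent was started but is not seeing the card.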
Proposing a step 4.5 (and possibly 3.5?) to enter `Q` to quit the `passwd` command. The numeric options remain after updating the PIN and Admin PIN.