Use my Yubikey with GPG keys to SSH with a guest computer (OSX or Windows)

Using YubiKey (PIV on OSX, etc.)

Documentation for PIV: https://github.com/Yubico/yubikey-piv-manager/tree/master/doc

To manage the certificates: https://www.yubico.com/support/knowledge-base/categories/articles/unpair-yubikey-piv-login-macos-sierra/

Using GPG key

Personalization tool: https://itunes.apple.com/us/app/yubikey-personalization-tool/id638161122

You have to install GPG of course ;).

Very good guide here: https://github.com/drduh/YubiKey-Guide

OSX / Linux

Basics

Read the key info to be sure the card is connected:

$ gpg2 --card-status

Then load the public key if it is not available online. If you use keybase.io, your key is available online through the Keybase key server.

$ gpg2 --import < key.asc

Fetch the key from the smartcard (this creates the local stubs that point at the private keys on the card):

It also downloads the public key from the URL stored on the card if you don't have it already.

$ gpg2 --card-edit
gpg/card> fetch

Then run the GPG Agent:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)

Check if the key is present:

ssh-add -l

If not, run gpg2 --card-status again. If the card is present, the key should be listed.
It can take some time for the agent to list the keys when the system is using GPG.

If a key from a previous card was in the agent (you lost your card and are now using your backup card), remove the cached key stubs in the ~/.gnupg/private-keys-v1.d directory.
You can safely remove all the items in this directory for card-backed keys: they are only stubs (a cache) pointing at the card, and gpg recreates them the next time it reads the card.
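The "card present, then key in agent" check above can be scripted so it retries while the agent enumerates the card. This is an added example, not part of the gist; it assumes gpg2 and ssh-add are on PATH and that gpg-agent was started with --enable-ssh-support as shown above. The key-listing command is a parameter so the retry logic can be exercised without a live agent.

```shell
#!/bin/sh
# Added example: poll the SSH agent until the card's key shows up.
# Assumes gpg2 / ssh-add on PATH and gpg-agent running with SSH support.

# Return 0 if the key-listing command reports at least one identity.
# $1 is the listing command (default "ssh-add -l"); ssh-add prints
# "The agent has no identities." and exits non-zero when empty.
agent_has_key() {
  list_cmd="${1:-ssh-add -l}"
  out=$($list_cmd 2>/dev/null) || return 1
  case "$out" in
    "The agent has no identities."|"") return 1 ;;
    *) return 0 ;;
  esac
}

# Poll agent_has_key up to $1 times, sleeping $2 seconds between tries,
# using $3 as the listing command. The agent can take a few seconds to
# expose a freshly inserted card, hence the retries.
wait_for_agent_key() {
  tries="${1:-10}"; delay="${2:-1}"; list_cmd="${3:-ssh-add -l}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if agent_has_key "$list_cmd"; then return 0; fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# The full check from the Basics section: card visible to gpg first,
# then wait for the key to appear in the agent. Exit 2 = no card,
# exit 1 = card present but no key (stale stubs are the usual cause).
check_card_and_agent() {
  if ! gpg2 --card-status >/dev/null 2>&1; then
    echo "card not detected; reinsert the YubiKey and retry" >&2
    return 2
  fi
  if wait_for_agent_key 10 1; then
    ssh-add -l
    return 0
  fi
  echo "card present but no key in agent: clear ~/.gnupg/private-keys-v1.d and rerun gpg2 --card-status" >&2
  return 1
}
```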

GPG Agent

Put this into your ~/.profile file:

#!/bin/bash
gpg-agent --daemon --enable-ssh-support \
    --write-env-file "${HOME}/.gpg-agent-info"
if [ -f "${HOME}/.gpg-agent-info" ]; then
  . "${HOME}/.gpg-agent-info"
  export GPG_AGENT_INFO
  export SSH_AUTH_SOCK
  export SSH_AGENT_PID
fi

GPG_TTY=$(tty)
export GPG_TTY

A good way to restart the agent is:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
. ~/.profile

Change card (use backup card)

A few steps to follow.

  1. Remove your GPG key from your machine.
  2. Fetch the key using gpg2 --card-edit as shown above.
  3. Clear the GPG agent cache if you have to.
  4. You're all set.

Windows

See: https://developers.yubico.com/PGP/SSH_authentication/Windows.html
