Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Use my Yubikey with GPG keys to SSH with a guest computer (OSX or Windows)

→ Great great documentation about all this (probably better): https://github.com/drduh/YubiKey-Guide

Using Yubikey (PIV on osx, etc.)

Documentation for PIV: https://github.com/Yubico/yubikey-piv-manager/tree/master/doc

To manage the certificates: https://www.yubico.com/support/knowledge-base/categories/articles/unpair-yubikey-piv-login-macos-sierra/

Using GPG key

Personnalization tool : https://itunes.apple.com/us/app/yubikey-personalization-tool/id638161122

You have to install GPG of course ;).

Very good guide here: https://github.com/drduh/YubiKey-Guide

OSX / Linux

Basics

Read the key info to be sure the card is connected:

$ gpg2 --card-status

Then load the public key if it is not available online. If you use keybase.io, your key is available online using the keybase keys server.

$ gpg2 --import < key.asc 

Fetch the private key on the smartcard:

It will download the public key if you don't have it already.

$ gpg2 --card-edit
gpg/card> fetch

Then run the GPG Agent:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)

Check if the key is present:

ssh-add -L

If no, try the gpg2 --card-status again. If the card is present you should have the key listed.
It should take some time to list the keys in the agent if the syste is using GPG.

If the key was in the agent before (you lost your card, and you are using your backup card), then you have to remove the cached private key in the ~/.gnupg/private-keys-v1.d directory.
DO NOT REMOVE ALL FILES because if you do, you'll loose all private keys that you have.

You can get the list of all keygrips you would like to remove bu using: gpg2 --list-secret-keys --with-keygrip KEYID.

Then you can reimport your public key and AFTER you can insert your yubikey and run the gpg2 --card-status. If you keep your Yubikey inserted when you reimport the public key you'll have a "no secret key" issue. (see here)

GPG Agent

Put this into your ~/.profile file:

#!/bin/bash
GPG_TTY=$(tty)
export GPG_TTY

if [ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]; then
  export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
fi

A good way to restart the agent is:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)

List of used GPG keys for SSH

You can find the list of your key's keygrip into ~/.gnupg/sshcontrol.

In this file you'll find all the keygrips.
If at one moment you need to use a GPG key for SSH without smartcard, you need to add the keygrip into this file.

To find the keygrip of your key (you need to have an authentication subkey A) use the following:

gpg2 --with-keygrip -k

Then find you'll be able to find the keygrip of your A subkey.

Change card (use backup card)

Few steps to follow.

  1. Remove your GPG key from your machine.
  2. Fetch the key using gpg --cart-edit as shown above.
  3. Clear the GPG agent cache if you have to.
  4. You're all set.

Windows

See: https://developers.yubico.com/PGP/SSH_authentication/Windows.html

@antifob

This comment has been minimized.

Copy link

antifob commented May 15, 2017

Using fetch to import the private key somewhat implies that it is publicly available.

@jacquesbh

This comment has been minimized.

Copy link
Owner Author

jacquesbh commented Aug 16, 2017

@uqam-fob No. Using fetch implies that you retrieve the public key if it doesn't exist on the machine, or not if it exists already, and it links the card to the public key. That's all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.