@petersellars
Created December 3, 2019 06:43
# On Ubuntu/Mint you will need the Yubico PPA if you want the Yubico management
# tools
# NB. It appears that yubikey-personalization is no longer maintained by Yubico,
# so at some point you may want to remove the applications installed by
# yubikey-personalization
sudo -E apt-add-repository -y ppa:yubico/stable
sudo -E apt-get -qy update
sudo -E apt-get -qy install yubikey-personalization-gui \
    yubikey-personalization \
    yubikey-manager-qt \
    yubikey-manager \
    yubioath-desktop
# pcscd, pcsc-tools, scdaemon and gpg2 are required as well
sudo -E apt-get -qy install pcscd \
    pcsc-tools \
    scdaemon \
    gnupg2
# Enforce usage of gpg2, create a symlink
sudo -E ln -sfn /usr/bin/gpg2 /usr/local/bin/gpg
# Add this to ~/.bashrc
#export GPG_TTY=$(tty)
#gpg-connect-agent updatestartuptty /bye
#unset SSH_AGENT_PID
#export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
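# Enable GnuPG agents
# Make sure the GnuPG home exists with owner-only permissions
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
# NB: these heredocs overwrite any existing gpg.conf and gpg-agent.conf
# use-agent is a no-op on GnuPG 2.x, where gpg always uses the agent
cat > ~/.gnupg/gpg.conf << EOF
use-agent
EOF
# enable-ssh-support lets gpg-agent act as the SSH agent
cat > ~/.gnupg/gpg-agent.conf << EOF
enable-ssh-support
EOF
echo "GnuPG agents configured"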
# You may like to install a pinentry GUI, as the pinentry-curses CLI tool always
# uses the tty it was started in.
# sudo -E apt-get -qy install pinentry-qt
# Use update-alternatives to use the installed GUI
# sudo -E update-alternatives --config pinentry
# Next Steps
# - SSH Keys
# -- References
# --- https://www.engineerbetter.com/blog/yubikey-ssh/
# --- https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
# --- https://opensource.com/article/19/4/gpg-subkeys-ssh
# --- https://mikebeach.org/2017/09/07/yubikey-gpg-key-for-ssh-authentication/
# -- Generate Key on Yubikey (admin, generate, fetch)
# - 2FA
# -- References
# --- https://www.engineerbetter.com/blog/yubikey-2fa/
# --- https://www.1strategy.com/blog/2018/05/08/lock-down-your-aws-account-with-yubikey/
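
The `cat >` heredocs in the "Enable GnuPG agents" step replace whatever gpg.conf and gpg-agent.conf already contain. The following is an added example, not part of the original gist: it enables `enable-ssh-support` without clobbering existing settings and then checks the result. The function names are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Ubuntu/Mint.

```shell
#!/bin/sh
# Added example, not part of the original gist. Function names are hypothetical.

# has_option FILE OPTION: succeed if OPTION is an active (uncommented) line in FILE.
has_option() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# ensure_option FILE OPTION: append OPTION only when it is not already active,
# so existing settings survive and re-running the setup adds no duplicates.
ensure_option() {
    has_option "$1" "$2" && return 0
    # Terminate a last line that lacks a newline before appending.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s\n' "$2" >> "$1"
}

# configure_gnupg_home DIR: create DIR with mode 700 and enable SSH support.
configure_gnupg_home() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    ensure_option "$1/gpg-agent.conf" enable-ssh-support
}

# check_gnupg_home DIR: print one line per finding; return the number of findings.
check_gnupg_home() {
    findings=0
    if [ ! -d "$1" ]; then
        echo "FAIL: $1 does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$1")   # GNU stat
    if [ "$mode" != 700 ]; then
        echo "FAIL: $1 has mode $mode, expected 700"
        findings=$((findings + 1))
    fi
    if ! has_option "$1/gpg-agent.conf" enable-ssh-support; then
        echo "FAIL: enable-ssh-support is not active in $1/gpg-agent.conf"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Runs only when a directory is passed, e.g.: sh gnupg-home.sh "$HOME/.gnupg"
if [ "$#" -gt 0 ]; then
    configure_gnupg_home "$1" && check_gnupg_home "$1"
fi
```

After changing gpg-agent.conf, restart the agent (for example with `gpgconf --kill gpg-agent`) so the new option takes effect.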