- Ref: https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
- Gnome-keyring issue: https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/101
Replace "MyYubikeyName" with a nickname for the hardware key. "-O resident" stores the key handle on the token (so it can be downloaded again with ssh-keygen -K), and "-O verify-required" makes every signature require the PIN, not just a touch:
ssh-keygen -t ed25519-sk -O resident -O application=ssh:MyYubikeyName -O verify-required
macOS (from https://riedstra.dev/2023/12/ssh-sk-keys-on-macos): install Homebrew's OpenSSH, which is built with FIDO2 (libfido2) support, plus an askpass helper for the PIN prompt:
brew install openssh
brew install theseal/ssh-askpass/ssh-askpass
cd ~/.ssh
ssh-keygen -K # download the resident key from the inserted token into id_ed25519_sk_rk* files
Miracle fix (make ssh and ssh-add always hand PIN/touch prompts to the askpass program, even when run from a terminal):
export SSH_ASKPASS=ssh-askpass
export SSH_ASKPASS_REQUIRE=force
#shellcheck disable=SC2120
checkSSHAgent() {
    # -k: kill any running agent and start a fresh one
    if [ "$1" = "-k" ] ; then
        pkill ssh-agent
    fi
    # SSH_AUTH_SOCK/SSH_AGENT_PID of the last started agent are kept here
    ssh_agent_conf="$HOME/.ssh/agent"
    if [ -e "$ssh_agent_conf" ] ; then
        #shellcheck disable=SC1090
        . "$ssh_agent_conf"
    fi
    # Start a new agent unless the saved PID is still a live process
    # (kill -0 checks the exact PID; grepping ps output also matched PID prefixes)
    if ! [ -e "$ssh_agent_conf" ] || [ -z "$SSH_AGENT_PID" ] || ! kill -0 "$SSH_AGENT_PID" 2>/dev/null ; then
        (umask 077 ; ssh-agent -s | grep -v echo > "$ssh_agent_conf")
        #shellcheck disable=SC1090
        . "$ssh_agent_conf"
    fi
}
checkSSHAgent
Ubuntu: install askpass:
sudo apt install ssh-askpass-gnome
Download the resident key from the inserted YubiKey into key files (id_ed25519_sk_rk* in ~/.ssh):
cd ~/.ssh
ssh-keygen -K
Avoid starting the GNOME Keyring SSH agent (gcr-ssh-agent): disable the "SSH Key Agent" startup entry:
gnome-session-properties
Start the standard ssh-agent on each login with a systemd user unit:
nano ~/.config/systemd/user/ssh-agent.service
[Unit]
Description=SSH key agent
[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# DISPLAY required for ssh-askpass to work (ssh-add runs without a terminal here)
Environment=DISPLAY=:0
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
# load the default identities from ~/.ssh, asking for the FIDO2 PIN through ssh-askpass
ExecStartPost=/usr/bin/ssh-add
ExecStop=/bin/kill -15 $MAINPID
[Install]
WantedBy=default.target
Enable the unit so it starts on every login (use restart after editing it):
systemctl --user daemon-reload
systemctl --user enable --now ssh-agent.service
Set SSH_AUTH_SOCK to the unit's socket path (export it so child processes inherit it; ~/.profile is read by sh, which does not set $UID, so use id -u):
nano ~/.profile
export SSH_AUTH_SOCK="/run/user/$(id -u)/ssh-agent.socket"
nano ~/.local/share/applications/gnome-ssh-askpass.desktop
[Desktop Entry]
Name=GNOME ssh-askpass
GenericName=ssh-askpass
Type=Application
Exec=/usr/bin/ssh-askpass
Terminal=false
To use one specific key without falling back to the other identities the agent offers:
ssh servername -i ~/.ssh/id_ed25519_sk_rk_XXX -o "IdentitiesOnly=yes"
Alternative: gpg-agent as SSH agent (https://curiouslynerdy.com/gpg-agent-for-ssh-on-ubuntu/):
echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
systemctl --user restart gpg-agent
(make sure you removed the ssh-agent SSH_AUTH_SOCK setting from ~/.profile and point it at the gpg-agent socket instead: export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)")
Troubleshooting:
gpg --card-status # does GnuPG see the YubiKey at all?
gpgconf --kill gpg-agent
pkill gpg-agent
eval "$(ssh-agent -k)" # kill the agent named by SSH_AGENT_PID
eval "$(ssh-agent)" # start a fresh agent and set SSH_AUTH_SOCK/SSH_AGENT_PID
ssh-add # add the default keys from ~/.ssh (prompts for the FIDO2 PIN)
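Added example, not from the original page: most of the trouble above comes from the wrong agent owning SSH_AUTH_SOCK. This sh script names the agent from its socket path (the socket patterns are the documented defaults of the ssh-agent user unit, a hand-started ssh-agent, the macOS launchd agent, gcr-ssh-agent, gnome-keyring and gpg-agent), and counts FIDO2-backed keys in an ssh-add -L listing by their sk-ssh-ed25519@openssh.com / sk-ecdsa-sha2-nistp256@openssh.com type. The function names and the sample listing are my own; the key blobs in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): find out which agent owns
# SSH_AUTH_SOCK and whether any FIDO2 (sk-*) keys are loaded. Socket path
# patterns are the documented defaults of each agent; function names are mine.

# agent_kind SOCKET_PATH -> openssh | gcr | gnome-keyring | gpg-agent | unknown | none
agent_kind() {
    case "${1:-}" in
        "")                              echo none ;;
        */ssh-agent.socket)              echo openssh ;;        # user unit from this page
        /tmp/ssh-*/agent.*)              echo openssh ;;        # ssh-agent started by hand
        */com.apple.launchd.*/Listeners) echo openssh ;;        # macOS launchd agent
        */gcr/ssh)                       echo gcr ;;            # gcr-ssh-agent (GNOME keyring)
        */keyring/ssh)                   echo gnome-keyring ;;  # older gnome-keyring agent
        */gnupg/S.gpg-agent.ssh)         echo gpg-agent ;;
        *)                               echo unknown ;;
    esac
}

# key_kind "<line from ssh-add -L>" -> fido | plain | other
key_kind() {
    case "$1" in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) echo fido ;;
        ssh-*|ecdsa-*)                                                     echo plain ;;
        *)                                                                 echo other ;;
    esac
}

# count_fido_keys: reads an ssh-add -L listing on stdin, prints how many lines are FIDO2 keys
count_fido_keys() {
    n=0
    while IFS= read -r line; do
        if [ "$(key_kind "$line")" = fido ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# diagnose_agent: report on the live environment (safe to run without a key inserted)
diagnose_agent() {
    kind=$(agent_kind "${SSH_AUTH_SOCK:-}")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} -> $kind"
    case "$kind" in
        gcr|gnome-keyring) echo "warning: GNOME keyring agent owns the socket; use the plain ssh-agent for sk- keys" ;;
        none|unknown)      echo "warning: no known agent socket; check the ssh-agent user unit and ~/.profile" ;;
    esac
    if [ -S "${SSH_AUTH_SOCK:-}" ]; then
        listing=$(ssh-add -L 2>/dev/null) || listing=""
        echo "FIDO2 keys loaded: $(printf '%s\n' "$listing" | count_fido_keys)"
    fi
}

# Constructed sample listing (placeholder key blobs, not real keys): one FIDO2 key, one plain key.
SAMPLE_LISTING='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE MyYubikeyName
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE user@host'

echo "FIDO2 keys in sample listing: $(printf '%s\n' "$SAMPLE_LISTING" | count_fido_keys)"
diagnose_agent
```

Run it in the shell you are troubleshooting; a result of gcr or gnome-keyring means the GNOME agent won the race for SSH_AUTH_SOCK and ssh-add has never seen the sk- key.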
Sudo using YubiKey (pam_u2f):
https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
https://kubos.cz/2021/01/30/u2f-login-ubuntu
sudo apt install libpam-u2f pamu2fcfg
pamu2fcfg -u jkalina | sudo tee -a /etc/u2f_mappings # run as the user with the key inserted, touch it when it blinks
Open the sudo config /etc/pam.d/sudo and add this line above "@include common-auth":
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
The "cue" option prints a prompt telling you to touch the key. Note that "sufficient" lets a touch of the key replace the password entirely (on failure PAM falls through to common-auth and asks for the password); use "required" instead, keeping common-auth in place, if the key should be a second factor on top of the password. Keep a root shell open while testing, since a broken PAM stack locks you out of sudo.
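Added example, not from the original page or from the pam_u2f project: pam_u2f reads one line per user from the authfile, in the form user:KeyHandle1,PublicKey1,CoseType1,Options1:KeyHandle2,... (legacy U2F entries carry only KeyHandle,PublicKey), so registering a backup key with the tee -a step above would create a second line for the same user instead of extending the first. These sh functions merge a new pamu2fcfg line onto the user's existing entry and validate the file before it is installed. The function names and the credential strings in the demo are my own placeholders.

```shell
#!/bin/sh
# Added example (not from the original page or pam_u2f): maintain /etc/u2f_mappings.
# pam_u2f expects exactly one line per user:
#   user:KeyHandle1,PublicKey1,CoseType1,Options1:KeyHandle2,PublicKey2,...
# (legacy U2F entries have just KeyHandle,PublicKey), so a backup key must be
# appended to the user's line. All credential strings below are constructed.

# u2f_merge FILE "user:handle,pubkey,..." -> merged file on stdout.
# Appends the credential to the user's line, or adds a new line for a new user.
u2f_merge() {
    user=${2%%:*}
    cred=${2#*:}
    awk -F: -v user="$user" -v cred="$cred" '
        $1 == user { print $0 ":" cred; found = 1; next }
        { print }
        END { if (!found) print user ":" cred }
    ' "$1"
}

# u2f_validate FILE -> exit 0 if every line is well formed and no user repeats,
# exit 1 otherwise (problems are reported on stderr).
u2f_validate() {
    awk -F: '
        NF < 2 || $1 == "" {
            print "line " NR ": expected user:credential" > "/dev/stderr"; bad = 1; next
        }
        seen[$1]++ {
            print "line " NR ": user " $1 " already has a line; pam_u2f expects one per user" > "/dev/stderr"; bad = 1
        }
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, f, ",")
                if (n != 2 && n != 4) {
                    print "line " NR ": credential " i - 1 " has " n " fields, expected 2 or 4" > "/dev/stderr"; bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Real usage, after running "pamu2fcfg -u $USER" with the new key inserted:
#   u2f_merge /etc/u2f_mappings "$(pamu2fcfg -u "$USER")" | sudo tee /etc/u2f_mappings.new >/dev/null
#   u2f_validate /etc/u2f_mappings.new && sudo mv /etc/u2f_mappings.new /etc/u2f_mappings
# (write to a new file and rename; piping awk back into the file it reads would truncate it)

# Constructed demo: register a backup key for alice and check the result.
demo=$(mktemp)
printf 'alice:KH1,PK1,es256,+presence\nbob:KH2,PK2,es256,+presence\n' > "$demo"
u2f_merge "$demo" 'alice:KH3,PK3,es256,+presence' > "$demo.new"
u2f_validate "$demo.new" && echo "merged mapping for alice:" && grep '^alice:' "$demo.new"
rm -f "$demo" "$demo.new"
```

The validator rejects exactly the two mistakes that make pam_u2f silently ignore a key: a second line for the same user, and a credential with a field count pamu2fcfg never produces (a line pasted without its public key or options).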
Disable the GNOME keyring SSH agent (gcr-ssh-agent) with systemd so it does not take over SSH_AUTH_SOCK:
sudo systemctl disable --global gcr-ssh-agent.socket
sudo systemctl disable --global gcr-ssh-agent.service
systemctl disable --user gcr-ssh-agent.socket
systemctl disable --user gcr-ssh-agent.service