@thaarok
Last active June 27, 2024 16:35

Yubikey for SSH

First hardware key setup

Replace "MyYubikeyName" with a nickname for the hardware key:

ssh-keygen -t ed25519-sk -O resident -O application=ssh:MyYubikeyName -O verify-required

SSH client setup - FIDO + Mac

(from https://riedstra.dev/2023/12/ssh-sk-keys-on-macos)

brew install openssh
brew install theseal/ssh-askpass/ssh-askpass

cd .ssh
ssh-keygen -K

Miracle fix:

export SSH_ASKPASS=ssh-askpass
export SSH_ASKPASS_REQUIRE=force

#shellcheck disable=SC2120
# Reuse one ssh-agent across shells: its environment is cached in ~/.ssh/agent and
# a new agent is started only when the cached PID is no longer running.
# Call with -k to kill any running agent first.
checkSSHAgent() {
	if [ "$1" = "-k" ] ; then
		pkill -9 ssh-agent
	fi

	ssh_agent_conf="$HOME/.ssh/agent"
	if [ -e "$ssh_agent_conf" ] ; then
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
	# grep -x matches the whole PID column, so a cached PID 123 no longer "matches" 1234
	#shellcheck disable=SC2009
	if [ -z "$SSH_AGENT_PID" ] \
		|| ! [ -e "$ssh_agent_conf" ] \
		|| ! ps aux | awk '{print $2}' | grep -qx "$SSH_AGENT_PID" ; \
	then
		ssh-agent -s | grep -v echo > "$ssh_agent_conf"
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
}

checkSSHAgent

SSH client setup - FIDO + Ubuntu

Install askpass:

sudo apt install ssh-askpass-gnome

Generate SSH key file from the inserted Yubikey token:

cd ~/.ssh
ssh-keygen -K

Avoid starting the GNOME Keyring SSH agent (gcr-ssh-agent): disable "SSH Key Agent" in the startup applications:

gnome-session-properties

Start standard ssh-agent on each login:

mkdir -p ~/.config/systemd/user
nano ~/.config/systemd/user/ssh-agent.service

[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# DISPLAY required for ssh-askpass to work
Environment=DISPLAY=:0
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
ExecStartPost=/usr/bin/ssh-add
ExecStop=/bin/kill -15 $MAINPID

[Install]
WantedBy=default.target

Enable the unit so it starts with every session, and start it now:

systemctl --user daemon-reload
systemctl --user enable ssh-agent.service
systemctl --user restart ssh-agent.service

https://forum.manjaro.org/t/configuring-ssh-agent-to-autostart-and-automatically-add-ssh-keys-to-it/99715

Set SSH_AUTH_SOCK for the login session (it must be exported; $(id -u) is used instead of $UID because $UID is a bash-only variable and ~/.profile may be read by dash):

nano ~/.profile

export SSH_AUTH_SOCK="/run/user/$(id -u)/ssh-agent.socket"

Gnome - avoid shortcuts inhibiting dialog

nano ~/.local/share/applications/gnome-ssh-askpass.desktop

[Desktop Entry]
Name=GNOME ssh-askpass
GenericName=ssh-askpass
Type=Application
Exec=/usr/bin/ssh-askpass
Terminal=false

Testing

Without falling back to a different key (only the named identity is offered):

ssh servername -i ~/.ssh/id_ed25519_sk_rk_XXX -o "IdentitiesOnly=yes"
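As an added example (not part of the gist), a small audit of the server-side authorized_keys file. The `-O verify-required` flag used when generating the key only tells the client that the key needs a PIN; sshd insists on user verification only when the matching `verify-required` option is present in authorized_keys (or in PubkeyAuthOptions). The script classifies each key line as a plain software key, a FIDO key that needs only a touch, a FIDO key with `no-touch-required`, or a FIDO key with `verify-required`, so you can see which entries still allow a weaker login. The sample authorized_keys content and its key blobs are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample authorized_keys file; the key blobs are placeholders, not real keys.
SAMPLE_AUTH_KEYS="$(mktemp)"
cat > "$SAMPLE_AUTH_KEYS" <<'EOF'
# keys for the deploy account
sk-ssh-ed25519@openssh.com AAAAplaceholder1 yubikey-laptop
verify-required sk-ssh-ed25519@openssh.com AAAAplaceholder2 yubikey-desktop
no-touch-required,command="/usr/bin/backup" sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder3 backup-token
ssh-ed25519 AAAAplaceholder4 old-software-key
EOF

# Print one line per key: "<comment> <keytype> <policy>", where policy is one of
# software, touch-only, no-touch, verify-required. Comments and blank lines are skipped.
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            # The key type is the first field that looks like an ssh key type;
            # everything before it is the comma-separated options field.
            t = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(sk-|ssh-|ecdsa-)/) { t = i; break }
            if (!t) { print "MALFORMED " $0; next }
            opts = ""
            for (i = 1; i < t; i++) opts = opts $i " "
            comment = (t + 2 <= NF) ? $(t + 2) : "-"
            if ($t !~ /^sk-/) policy = "software"
            else if (opts ~ /(^|,)verify-required(,|[ \t]|$)/) policy = "verify-required"
            else if (opts ~ /(^|,)no-touch-required(,|[ \t]|$)/) policy = "no-touch"
            else policy = "touch-only"
            print comment, $t, policy
        }' "$1"
}

# Count how many keys in FILE fall under POLICY (e.g. "software").
count_keys_with_policy() {
    audit_authorized_keys "$1" | awk -v p="$2" '$NF == p { n++ } END { print n + 0 }'
}

audit_authorized_keys "$SAMPLE_AUTH_KEYS"
```

Run it against `/etc/ssh/authorized_keys`-style files or `~/.ssh/authorized_keys` on the hosts you manage; any line reported as `software` or `no-touch` is a key that the hardware token policy does not cover.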

GPG + Ubuntu

https://curiouslynerdy.com/gpg-agent-for-ssh-on-ubuntu/

echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
systemctl --user restart gpg-agent

(make sure you removed the SSH_AUTH_SOCK setting from ~/.profile)

Troubleshooting:

gpg --card-status
gpgconf --kill gpg-agent
pkill gpg-agent

Old notes

eval "$(ssh-agent -k)" # kill old
eval "$(ssh-agent)" # start and set env
ssh-add # add all keys in .ssh

Sudo using yubikey:

https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
https://kubos.cz/2021/01/30/u2f-login-ubuntu

sudo apt install libpam-u2f
pamu2fcfg -u jkalina | sudo tee -a /etc/u2f_mappings

Open the sudo PAM config /etc/pam.d/sudo and add this line above @include common-auth:

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

The "cue" option makes pam_u2f display a prompt telling you to touch the key.
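An added check (not from the gist or from pam_u2f) for the mapping file that pam_u2f reads. Each line has the form `user:keyHandle,publicKey[,coseType[,options]]`, with further credentials for the same user appended after another `:`. The functions count credentials per user, flag lines that carry no usable credential, and verify that the file is root-owned and not writable by group or others, because a user who can edit the mapping file can register their own token for any account. The sample mapping file is constructed with placeholder values, and the permission check assumes GNU `stat` as found on Ubuntu.

```shell
#!/bin/sh
# Constructed sample of a pam_u2f mapping file (format written by pamu2fcfg).
# Key handles and public keys are placeholders, not real credentials.
SAMPLE_MAPPINGS="$(mktemp)"
cat > "$SAMPLE_MAPPINGS" <<'EOF'
alice:AAAAkeyhandle1,BBBBpubkey1,es256,+presence+pin:CCCCkeyhandle2,DDDDpubkey2,es256,+presence
bob:EEEEkeyhandle3,FFFFpubkey3
carol
EOF

# Print how many credentials are registered for USER in FILE (0 if none or malformed).
u2f_mapping_keys() {
    file="$1"; user="$2"
    awk -F: -v u="$user" '
        /^[ \t]*$/ { next }
        $1 == u && NF >= 2 {
            n = 0
            # a credential needs at least keyHandle and publicKey
            for (i = 2; i <= NF; i++) if (split($i, f, ",") >= 2) n++
            print n; found = 1; exit
        }
        END { if (!found) print 0 }' "$file"
}

# List users whose line carries no well-formed credential; such a line either
# locks the user out of key authentication or is a stray entry to remove.
u2f_mapping_malformed() {
    awk -F: '
        /^[ \t]*$/ { next }
        {
            ok = 0
            for (i = 2; i <= NF; i++) if (split($i, f, ",") >= 2) ok = 1
            if (!ok) print $1
        }' "$1"
}

# Return 0 only when FILE is owned by root and not writable by group or others.
u2f_mapping_perms_ok() {
    file="$1"
    owner="$(stat -c %U "$file" 2>/dev/null)" || return 1
    mode="$(stat -c %a "$file" 2>/dev/null)" || return 1
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        644|640|600|444|440|400) return 0 ;;
        *) return 1 ;;
    esac
}

echo "alice: $(u2f_mapping_keys "$SAMPLE_MAPPINGS" alice) credential(s)"
echo "malformed entries: $(u2f_mapping_malformed "$SAMPLE_MAPPINGS")"
u2f_mapping_perms_ok /etc/u2f_mappings && echo "/etc/u2f_mappings permissions OK" || echo "/etc/u2f_mappings missing or too permissive"
```

Point the functions at `/etc/u2f_mappings` after running `pamu2fcfg`; a user with zero credentials and a `sufficient` pam_u2f line simply falls through to the password prompt, so a mistyped username in the mapping file goes unnoticed until you check it.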

Disable the GNOME Keyring SSH agent (gcr-ssh-agent) units:

sudo systemctl disable --global gcr-ssh-agent.socket
sudo systemctl disable --global gcr-ssh-agent.service
systemctl disable --user gcr-ssh-agent.socket
systemctl disable --user gcr-ssh-agent.service