@FrankSpierings
Last active June 27, 2024 12:34
Setup ed25519 YubiKey for SSH (OSX)

YubiKey SSH/GPG

Configure GPG PINs

  • Change the card user and admin PINs
$ gpg --edit-card

gpg/card> admin

gpg/card> passwd

Your selection? 3
  • If this has not been done before, enter the default admin PIN: 12345678. This is the OpenPGP Admin PIN; it is not the same as the PUK of the YubiKey's PIV application!
    • Change the admin PIN, and store it securely!
Your selection? 1
  • If this has not been done before, enter the default user PIN: 123456. This is the OpenPGP user PIN; it is not the same as the YubiKey's PIV PIN, even though both default to 123456!
    • Change the user PIN, and store it securely!
Your selection? q

gpg/card> q

Generate ed25519/cv25519 key

$ gpg --edit-card

gpg/card> admin

gpg/card> key-attr
  • Signature key: choose (2) ECC, then (1) Curve 25519.
Your selection? 2

Your selection? 1
  • Enter the newly defined admin PIN.

  • Encryption key: choose (2) ECC, then (1) Curve 25519 (for the encryption slot this becomes cv25519).

Your selection? 2

Your selection? 1
  • Enter the newly defined admin PIN.

  • Authentication key: choose (2) ECC, then (1) Curve 25519.

Your selection? 2

Your selection? 1
  • Enter the newly defined admin PIN.
gpg/card> generate
  • Make an off-card backup of the encryption key: Y. Only the encryption subkey can be backed up this way; the signature and authentication keys are generated on the card and never leave it.
  • Enter the user PIN.
  • Set the key validity (10y for instance) and confirm it: y.
  • Input your full name.
  • Input your e-mail address.
  • Optionally input a comment.
  • Input the admin PIN.
  • Input a (password manager generated) passphrase; it protects the off-card backup file.
gpg/card> q
  • Store the off-card backup file in a password manager (gpg prints the path when it writes the file): cat ~/.gnupg/sk_<KEYID>.gpg | base64
  • Set the card key attributes through gpg-connect-agent (card slot 1 = signature key, slot 2 = encryption key):
$ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 22 ed25519" /bye
$ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 22 cv25519" /bye
  • gpg-agent only serves SSH keys when ~/.gnupg/gpg-agent.conf contains enable-ssh-support; after adding that line run gpgconf --kill gpg-agent so the agent restarts with it.
  • Start a new shell (window), and check that the key is known:
ssh-add -L
  • If nothing is listed, SSH_AUTH_SOCK most likely does not point at the gpg-agent SSH socket; gpgconf --list-dirs agent-ssh-socket prints the path it should hold.

  • If the key is shown, place it into a file. Note that ssh-add -L lists every key the agent holds; the card key is the line whose comment reads cardno:<serial>, so keep only that line if more than one key is listed.

FILENAME=~/.ssh/id_ed25519_yubikey.pub
ssh-add -L > "${FILENAME}"
chmod 600 "${FILENAME}"
  • Specify the agent to use and prefer this key over others, by creating/modifying ~/.ssh/config. UseKeychain is macOS-only; on other systems OpenSSH rejects the unknown option unless it is listed in IgnoreUnknown. The IdentityAgent path is the one gpgconf --list-dirs agent-ssh-socket prints:
Host *
    UseKeychain yes
    IdentityAgent ~/.gnupg/S.gpg-agent.ssh
    IdentityFile ~/.ssh/id_ed25519_yubikey.pub
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
  • Create a LaunchAgent (a per-user launchd job) that starts gpg-agent at macOS login. gpg-connect-agent /bye only connects to the agent, which launches it if it is not running yet, and then exits.

~/Library/LaunchAgents/com.gpg-connect-agent.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
            <string>com.gpg-connect-agent.plist</string>

        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/MacGPG2/bin/gpg-connect-agent</string>
            <string>/bye</string>
        </array>

        <key>RunAtLoad</key>
            <true/>

        <key>KeepAlive</key>
            <true/>
    </dict>
</plist>
  • Load the job and verify that the agent is running. The gpg-connect-agent path above is the GPG Suite (MacGPG2) one; with a Homebrew install use the path that which gpg-connect-agent prints. Because gpg-connect-agent exits as soon as the agent is up, KeepAlive makes launchd respawn it about every ten seconds; set it to false if that shows up in the system log.
launchctl load ~/Library/LaunchAgents/com.gpg-connect-agent.plist
ps aux | grep gpg-agent
  • The key can now be distributed by placing the contents of ${FILENAME} into ~/.ssh/authorized_keys on the remote ssh server.
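A way to do the "ssh-add -L into a file" step without copying every key the agent holds, as an added example that is not part of this gist: gpg-agent marks card-resident keys with a cardno:<serial> comment, and the script below keeps only that line and refuses to write the file when zero or several card keys are listed. The agent output embedded here is a constructed sample with placeholder key blobs, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original gist: pick the YubiKey-resident key
# out of `ssh-add -L` and write only that key to the .pub file. gpg-agent
# labels card keys with the comment "cardno:<serial>"; keys loaded from files
# carry whatever comment they were created with.

# Constructed sample of `ssh-add -L` output (one file key, one card key).
# The base64 key blobs are placeholders, not real keys.
SAMPLE_AGENT_OUTPUT='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFILEKEYFILEKEYFILEKEYFILEKEYFILEKEYFILEK user@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICARDKEYCARDKEYCARDKEYCARDKEYCARDKEYCARDK cardno:000612345678'

# Print the one line whose comment starts with "cardno:". Return 1 when there
# is none (agent not reachable, card not inserted) or more than one (two
# YubiKeys plugged in), so the caller never publishes the wrong key.
select_card_key() {
    _lines=$(printf '%s\n' "$1" | awk '$3 ~ /^cardno:/')
    _count=$(printf '%s\n' "$_lines" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$_count" -ne 1 ]; then
        echo "expected exactly one cardno: key in agent output, found $_count" >&2
        return 1
    fi
    printf '%s\n' "$_lines"
}

# Serial number of the card the key lives on (taken from the cardno: comment).
card_serial() {
    printf '%s\n' "$1" | awk '{ sub(/^cardno:/, "", $3); print $3 }'
}

# Key type of a key line, so "ssh-ed25519" can be confirmed before publishing.
key_type() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Write the selected card key to the given file, user-readable only (same
# 0600 the gist uses). Returns non-zero if selection fails; nothing is written.
write_card_key_file() {
    _key=$(select_card_key "$1") || return 1
    ( umask 077; printf '%s\n' "$_key" > "$2" )
    echo "wrote $(key_type "$_key") key from card $(card_serial "$_key") to $2"
}

# Live use, once SSH_AUTH_SOCK points at the gpg-agent SSH socket:
#   write_card_key_file "$(ssh-add -L)" ~/.ssh/id_ed25519_yubikey.pub
# Stand-alone demonstration on the constructed sample:
write_card_key_file "$SAMPLE_AGENT_OUTPUT" "${TMPDIR:-/tmp}/id_ed25519_yubikey_sample.pub"
```

The card key then goes into authorized_keys as before; the serial printed by card_serial is a handy thing to note in the authorized_keys comment so the entry can be tied back to a physical token when it is lost.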

PIN blocked

  • After 3 wrong user PIN entries the user PIN is blocked. Unblock it with gpg --change-pin, option 2 (unblock PIN), which asks for the OpenPGP Admin PIN and lets you set a new user PIN. The Admin PIN has its own counter of 3: if that one reaches 0 the card can only be recovered with factory-reset from gpg --edit-card, which destroys the keys on it, so keep the Admin PIN where you can find it. gpg --card-status shows the remaining attempts on the "PIN retry counter" line (user PIN, reset code, Admin PIN).
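A check that covers both the key-attr/generate steps above (did the three slots really end up as ed25519, cv25519 and ed25519?) and this PIN section (how many attempts are left before a PIN blocks?), as an added example that is not part of this gist: the script parses the "Key attributes" and "PIN retry counter" lines of gpg --card-status. The card-status text embedded here is a constructed sample of that output; the function names and exit codes are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original gist: read `gpg --card-status`
# output and check (a) that the three key slots are ed25519/cv25519/ed25519
# and (b) the PIN retry counters, before a PIN is ever blocked.
# `gpg --card-status` prints one line "Key attributes ...: <sig> <enc> <auth>"
# and one line "PIN retry counter : <PIN> <Reset Code> <Admin PIN>".

# Constructed sample of `gpg --card-status` output for a healthy card
# (only the two lines this script reads matter; the rest is context).
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID
Application ID ...: D2760001240100000006012345670000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 01234567
Name of cardholder: [not set]
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4'

# Same card after three wrong user PINs (user counter 0, Admin PIN untouched).
SAMPLE_CARD_STATUS_BLOCKED=$(printf '%s\n' "$SAMPLE_CARD_STATUS" | sed 's/^PIN retry counter : 3 0 3$/PIN retry counter : 0 0 3/')

# Text after ": " on the card-status line that starts with the given prefix.
card_field() {
    printf '%s\n' "$2" | awk -v pfx="$1" 'index($0, pfx) == 1 { sub(/^[^:]*: /, ""); print; exit }'
}

key_attributes() { card_field "Key attributes" "$1"; }
pin_retries()    { card_field "PIN retry counter" "$1"; }

# Return codes: 0 all good; 1 key attributes are not ed25519 cv25519 ed25519;
# 2 user PIN blocked (unblock with the Admin PIN via `gpg --change-pin`, 2);
# 3 Admin PIN blocked (only a factory-reset clears it, and that wipes the keys).
check_card() {
    _status=$1
    _attrs=$(key_attributes "$_status")
    set -- $(pin_retries "$_status")
    _user=${1:-0}; _reset=${2:-0}; _admin=${3:-0}
    echo "key attributes: $_attrs"
    echo "retries left: user=$_user reset-code=$_reset admin=$_admin"
    if [ "$_admin" -eq 0 ]; then
        echo "Admin PIN blocked: the card must be factory-reset (keys are lost)" >&2
        return 3
    fi
    if [ "$_user" -eq 0 ]; then
        echo "user PIN blocked: run gpg --change-pin, option 2, with the Admin PIN" >&2
        return 2
    fi
    if [ "$_admin" -lt 3 ]; then
        echo "warning: only $_admin Admin PIN attempts left; at 0 the card is unrecoverable" >&2
    fi
    if [ "$_attrs" != "ed25519 cv25519 ed25519" ]; then
        echo "key attributes are not ed25519 cv25519 ed25519; re-run key-attr" >&2
        return 1
    fi
    return 0
}

# Live use: check_card "$(gpg --card-status 2>/dev/null)"
# Stand-alone demonstration on the constructed samples:
check_card "$SAMPLE_CARD_STATUS"
check_card "$SAMPLE_CARD_STATUS_BLOCKED" || echo "exit status $?"
```

Running this before entering a PIN you are unsure of is the cheap way to find out whether you are about to burn the last attempt.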