Setting up Yubikey with SSH and Git on Windows 10 + Powershell

yubikey-windows10.md

Setting up Yubikey with SSH and Git on Windows 10 + Powershell

Based on the following guides:

• https://worklifenotes.com/2019/07/05/yubikey-for-ssh-on-windows-complete-walkthrough/
• https://scatteredcode.net/signing-git-commits-using-yubikey-on-windows/
• https://bhavik.io/2019/02/02/yubikey-git-ssh.html

Install dependencies

• Install Gpg4win
• Install PuTTY

Set up new PINs for yubikey

• Open Powershell
• Set up new PINs:
  • Tip: the PINs doesn't have to be numeric-only

  gpg --expert --edit-card
  > admin
  > factory-reset # optional step
  > passwd
  # choose 1 to change PIN
  # default PIN is 123456
  # choose 3 to change Admin PIN
  # default PIN is 12345678
  > q
  > forcesig
  > quit
  

• Add identification data

  gpg --expert --edit-card
  > admin
  > name
  # type your last names
  # and then your first names
  > lang
  # type your preference language (e.g., en)
  

• Check keys: gpg --expert --card-status

Create a GPG key using Kleopatra

• Go to Tools > Manage smartcard
• Click on Generate new keys (I recommend creating a RSA 4096 key)

Configure Kleopatra to allow SSH support

• In Kleopatra, click on Settings > Configure Kleopara
• Select GnuPG System
• Go to the tab Private Keys
• Check Enable ssh support and Enable putty support
• Click on Apply settings

Configure Git to use yubikey

• Run this command to add Github to the list of known hosts and avoid a freezing issue using git: plink -agent -v [email protected]
  • If this command fails with an FATAL ERROR: No supported authentication methods available (server sent: publickey) error, try restarting the GPG Agent
• Verify that the key is set up correctly: gpg --list-secret-keys --keyid-format LONG
  • Look for something like sec > rsa4096/683AB68D867FEB5C.
  • The key is the string after rsa4060/
• Point Git to globally use GnuPG:

  git config --global gpg.program "c:\Program Files\GnuPG\bin\gpg.exe"
  git config --global commit.gpgsign true
  git config --global user.signingkey KEY_FROM_THE_PREVIOUS_STEP
  git config --global core.sshcommand "plink -agent"
  

• If you haven't set up your Git user data, do it now:

  git config --global user.email [email protected]
  git config --global user.name "Your Full Name Here"
  

• Generate a public SSH key: gpg --export-ssh-key [email protected] > id_rsa.pub
• Add the public key into your Github account

Add your GPG Public Key to Github

• Open Kleopatra, double-click on your click, click Export...
  • Make sure you are exporting the public key. It should start with "-----BEGING PBP PUBLIC KEY BLOCK-----"
• Copy the key
• Go into Github
• Click on your profile image
• Click on Settings
• On the sidebar, click on SSH and GPG Keys
• Click on New GPG Key
• Paste the key

Accessing servers via SSH

• Instead of using the ssh command on Powershell, you have to use the plink command: plink username@server

Exporting your certificates

• On Kleopatra main screen, select your certificates
• Go to File > Export...
• Select a place to store your OpenPGP certificates

Importing your certificates

• On Kleopatra main screen, go to File > Import...
• Select your OpenPGP certificates files

To set a certificate trust level

• On Powershell, list the existing keys: gpg --list-secret-keys --keyid-format LONG
  • If no key show up, try restarting the GPG Agent
• To edit a key: gpg --edit-key KEYID
• To set trust level to ultimate:

trust
5 # to trust completely (ultimate)
y # to confirm your decision
save

Restarting GPG agent

• If you have issues connecting to your smartkey, try restarting the GPG Agent:

gpg-connect-agent killagent /bye
gpg-connect-agent /bye

That's it

Now you're all set. When using git or ssh, it should get the private key from your Yubikey and ask for its PIN number.

Enjoy :)

is it possible to do this with the 'gpg' that comes with "Git Bash" without using the Gpg4Win?

Hmm, I'm not sure that the yubikey card is accessible via git bash. I've just ran gpg --expert --card-status using git bash and it failed to detect my yubikey. If you manage to get it working please let me know 👍

Git Bash use another configuration folder: $HOME/.gnupg and you need to restart gpg agent through Git Bash shell.

I keep getting the FATAL ERROR: No supported authentication methods available (server sent: publickey).
Sadly restarting gpg doesnt help.
Key is registered though, shows up in kleopatra but doesnt work anyway...

is it possible to do this with the 'gpg' that comes with "Git Bash" without using the Gpg4Win?

Hmm, I'm not sure that the yubikey card is accessible via git bash. I've just ran gpg --expert --card-status using git bash and it failed to detect my yubikey. If you manage to get it working please let me know 👍

FYI from the end of this blog post by I Am Justyn:

git-bash installs its own version of gpg and that takes precedence in the PATH

git-bash comes pre-installed with a whole bunch of gpg* binaries located in <git-bash-install-dir>\usr\bin\. When using this version of gpg, git bash (elevated or not) cannot access the yubikey. You can install gpg4win with choco.

,... And from this gist by BoGnY, you can tell git-bash to use the alternate gpg binary with:

$ git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"