YubiKey Setup Notes (Draft)

This configuration assumes you have:

A YubiKey that supports OpenPGP (4, 4 Nano, 4C, or NEO)
GPGTools (I couldn't get PIN entry, which is required for interfacing to work with any other GPG's version of pinentry)

Insert YubiKey into USB port.
Run gpg2 --card-edit, and enter admin at the REPL prompt.
Enter passwd and select 1 to change the PIN (the initial PIN is 123456)
Enter passwd again, this time selecting 3 to change the Admin PIN (the initial Admin PIN is 12345678)
Enter generate, and follow the prompts to create a new PGP key. (An authentication "subkey", which will be used as a private SSH key, will be automatically generated). When prompted "Make off-card backup of encryption key?", select "N". When prompted for your email address, I recommend selecting an email address not associated with any current registered PGP key, to avoid any confusion with your existing PGP encryption workflow. After the key has been generated, enter quit to exit the REPL.

Add the following lines to ~/.gnupg/gpg-agent.conf:

 default-cache-ttl 43200
 max-cache-ttl 43200
 enable-ssh-support

Add the following lines to your ~/.bash_profile (or another shell startup script):

 export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
 gpgconf --launch gpg-agent

Restart the gpg-agent by running the commands from the step above (or re-sourcing your shell startup script in your current shell).
Run ssh-add -L to display the SSH public key on the YubiKey. Add this public key to the authorized_keys file on a server you wish to connect to. Connect as usual using ssh and verify that you are prompted for the PIN you set in Step 5.
Because this approach replaces any existing ssh-agent with the one provided by GPG, you may need to re-add existing SSH keys to the agent now. Do so by running ssh-add path/to/key for each private key.

fancyremarker/yubikey-ssh.md