Skip to content

Instantly share code, notes, and snippets.

@jacquesbh

jacquesbh/Use Yubikey (GPG key) for SSH.md

Last active January 3, 2024 14:59
Show Gist options
  • Save jacquesbh/79d3bbf6cdde41800491f55f13c1d8f0 to your computer and use it in GitHub Desktop.
Save jacquesbh/79d3bbf6cdde41800491f55f13c1d8f0 to your computer and use it in GitHub Desktop.
Download ZIP
Use my Yubikey with GPG keys to SSH with a guest computer (OSX or Windows)
Raw
Use Yubikey (GPG key) for SSH.md

Great great documentation about all this (so much better): https://github.com/drduh/YubiKey-Guide

Using Yubikey (PIV on osx, etc.)

Documentation for PIV: https://github.com/Yubico/yubikey-piv-manager/tree/master/doc

To manage the certificates: https://www.yubico.com/support/knowledge-base/categories/articles/unpair-yubikey-piv-login-macos-sierra/

Using GPG key

Personnalization tool : https://itunes.apple.com/us/app/yubikey-personalization-tool/id638161122

You have to install GPG of course ;).

Very good guide here: https://github.com/drduh/YubiKey-Guide

OSX / Linux

Basics

Read the key info to be sure the card is connected:

$ gpg2 --card-status

Then load the public key if it is not available online. If you use keybase.io, your key is available online using the keybase keys server.

$ gpg2 --import < key.asc

Fetch the private key on the smartcard:

It will download the public key if you don't have it already.

$ gpg2 --card-edit
gpg/card> fetch

Then run the GPG Agent:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)

Check if the key is present:

ssh-add -L

If no, try the gpg2 --card-status again. If the card is present you should have the key listed.
It should take some time to list the keys in the agent if the syste is using GPG.

If the key was in the agent before (you lost your card, and you are using your backup card), then you have to remove the cached private key in the ~/.gnupg/private-keys-v1.d directory.
DO NOT REMOVE ALL FILES because if you do, you'll loose all private keys that you have.

You can get the list of all keygrips you would like to remove bu using: gpg2 --list-secret-keys --with-keygrip KEYID.

Then you can reimport your public key and AFTER you can insert your yubikey and run the gpg2 --card-status. If you keep your Yubikey inserted when you reimport the public key you'll have a "no secret key" issue. (see here)

GPG Agent

Put this into your ~/.profile file:

#!/bin/bash
GPG_TTY=$(tty)
export GPG_TTY

if [ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]; then
  export SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh
fi

A good way to restart the agent is:

killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)

List of used GPG keys for SSH

You can find the list of your key's keygrip into ~/.gnupg/sshcontrol.

In this file you'll find all the keygrips.
If at one moment you need to use a GPG key for SSH without smartcard, you need to add the keygrip into this file.

To find the keygrip of your key (you need to have an authentication subkey A) use the following:

gpg2 --with-keygrip -k

Then find you'll be able to find the keygrip of your A subkey.

Change card (use backup card)

Insert the backup key and run:

gpg-connect-agent "scd serialno" "learn --force" /bye

Windows

See: https://developers.yubico.com/PGP/SSH_authentication/Windows.html

@antifob
Copy link

antifob commented May 15, 2017

Using fetch to import the private key somewhat implies that it is publicly available.

@jacquesbh
Copy link
Author

@uqam-fob No. Using fetch implies that you retrieve the public key if it doesn't exist on the machine, or not if it exists already, and it links the card to the public key. That's all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment