Using an OpenPGP key on Yubikey Neo as a SSH key, fish shell v2.2.0, Elementarty OS Loki v0.4, gpg2 v2.1.11, gpg-agent v2.1.11

yubikey-openpgp-for-ssh-authentication.md

1. Install tools

• gpg2, gpg-agent etc.

2. Generate OpenPGP keys (primary key and subkeys [sign&certify, encrypt and authentication])

3. Export OpenPGP keys into your Yubikey (|| Import OpenPGP keys into your Yubikey)

• see developers.yubico.com[...]/Importing_keys.html
• Make sure the Yubikey is shown gpg2 --card-status

3. Make sure your public key is imported on your local machine

4. Add your ssh key to the remote server

• Grep the ID for the subkey for authentication, e.g. ABCDEFFF
• set subkeyId (gpg2 --list-secret-keys | grep '\[A\]' | cut -d'/' -f 2 | cut -d' ' -f 1)
• Export the subkey, convert it to a ssh key and store this key in authorized_keys.export
• gpg2 --export-options export-minimal,no-export-attributes --export-secret-subkeys $subkeyId! | openpgp2ssh $subkeyId > ~/authorized_keys.export
• Add the ssh key located in ~/authorized_keys.export on your local machine to ~/.ssh/authorized_keys on your remote machine

5. Use gpg-agent for ssh auth

• Enable ssh support within gpg-agent
• echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
• Restart
• gpg-connect-agent killagent /bye
• gpgconf --kill gpg-agent

6. Set configuration in fish

• Create gnupg.fish, where gpg-agent is started and SSH_AUTH_SOCK is set

echo '
gpgconf --launch gpg-agent
set -e SSH_AUTH_SOCK
set -U -x SSH_AUTH_SOCK ~/.gnupg/S.gpg-agent.ssh' >> ~/.config/fish/gnupg.fish

• Autoload gnupg.fish on start
• echo 'source ~/.config/fish/gnupg.fish' >> ~/.config/fish/config.fish
• Reload fish config
• source ~/.config/fish/config.fish