@thaarok
Last active December 4, 2025 07:58

Yubikey for SSH

First hardware key setup - FIDO

Replace "MyYubikeyName" with a nickname for the hardware key. Use a different application name for each resident key you put on the same token, otherwise the new credential replaces the old one:

ssh-keygen -t ed25519-sk -O resident -O application=ssh:MyYubikeyName -O verify-required

-O resident stores the credential on the token so the key handle can be downloaded again on any machine with ssh-keygen -K; -O verify-required makes every signature ask for the FIDO2 PIN, not only a touch, so a stolen token cannot be used without it. Both need a FIDO2 PIN set on the YubiKey beforehand.

SSH client setup - FIDO + Mac

(from https://riedstra.dev/2023/12/ssh-sk-keys-on-macos)

Homebrew's OpenSSH is used because it is built with FIDO (libfido2) support and is recent enough (8.4+) for SSH_ASKPASS_REQUIRE; ssh-askpass provides the PIN/touch dialog:

brew install openssh
brew install theseal/ssh-askpass/ssh-askpass

Download the resident key handle from the token into ~/.ssh (creates id_ed25519_sk_rk_<name> and its .pub):

cd ~/.ssh
ssh-keygen -K

Miracle fix (forces every PIN prompt through ssh-askpass, even when ssh is run from a terminal; put this and the function below in your shell rc, e.g. ~/.zshrc):

export SSH_ASKPASS=ssh-askpass
export SSH_ASKPASS_REQUIRE=force

#shellcheck disable=SC2120
checkSSHAgent() {
	# "-k": kill any running agent first so a fresh one is started below
	if [ "$1" = "-k" ] ; then
		pkill -9 ssh-agent
	fi

	# the agent's SSH_AUTH_SOCK/SSH_AGENT_PID are cached in this file
	ssh_agent_conf="$HOME/.ssh/agent"
	if [ -e "$ssh_agent_conf" ] ; then
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
	# start a new agent if there is no cached environment, the cached PID is
	# empty or no longer alive (kill -0 only probes), or the socket is gone
	if ! [ -e "$ssh_agent_conf" ] \
		|| [ -z "$SSH_AGENT_PID" ] \
		|| ! kill -0 "$SSH_AGENT_PID" 2>/dev/null \
		|| ! [ -S "$SSH_AUTH_SOCK" ] ; \
	then
		ssh-agent -s | grep -v echo > "$ssh_agent_conf"
		chmod 600 "$ssh_agent_conf"
		#shellcheck disable=SC1090
		. "$ssh_agent_conf"
	fi
}

checkSSHAgent

SSH client setup - FIDO + Ubuntu

Install askpass:

sudo apt install ssh-askpass-gnome

Download the key handle file (id_ed25519_sk_rk_<name> plus .pub) from the inserted Yubikey token:

cd ~/.ssh
ssh-keygen -K

Avoid starting the GNOME Keyring SSH agent (gcr-ssh-agent): disable the "SSH Key Agent" startup entry in

gnome-session-properties

Start the standard ssh-agent on each login with a user unit:

nano ~/.config/systemd/user/ssh-agent.service

[Unit]
Description=SSH key agent

[Service]
Type=simple
# %t is the runtime directory, /run/user/<uid>
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# DISPLAY required for ssh-askpass to work (the PIN/touch prompts have no terminal here)
Environment=DISPLAY=:0
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
ExecStartPost=/usr/bin/ssh-add
# optional: systemd already stops the agent with SIGTERM by default
ExecStop=/bin/kill -15 $MAINPID

[Install]
WantedBy=default.target

Reload, enable and start the unit (enable is what makes it start at every login):

systemctl --user daemon-reload
systemctl --user enable --now ssh-agent.service

https://forum.manjaro.org/t/configuring-ssh-agent-to-autostart-and-automatically-add-ssh-keys-to-it/99715

Set SSH_AUTH_SOCK for login shells so clients find the agent socket (/run/user/<uid> is what %t expands to in the unit above; $UID is not set when ~/.profile is read by sh, so use id -u, and export it or child processes will not see it):

nano ~/.profile

export SSH_AUTH_SOCK="/run/user/$(id -u)/ssh-agent.socket"

Gnome - stop keyboard shortcuts from inhibiting the askpass dialog

nano ~/.local/share/applications/gnome-ssh-askpass.desktop

[Desktop Entry]
Name=GNOME ssh-askpass
GenericName=ssh-askpass
Type=Application
Exec=/usr/bin/ssh-askpass
Terminal=false

Testing

Test the token on its own, without falling back to a different key:

ssh servername -i ~/.ssh/id_ed25519_sk_rk_XXX -o "IdentitiesOnly=yes"

Old notes

eval "$(ssh-agent -k)" # kill old
eval "$(ssh-agent)" # start and set env
ssh-add # add all keys in .ssh

Sudo using yubikey:

https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
https://kubos.cz/2021/01/30/u2f-login-ubuntu

Install the PAM module and register the token for your user (replace jkalina with your login name; the redirection into /etc needs root, hence tee):

sudo apt install libpam-u2f
pamu2fcfg -u jkalina | sudo tee -a /etc/u2f_mappings

Open the sudo config /etc/pam.d/sudo, then above the line @include common-auth add:

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

The parameter "cue" makes pam_u2f display a prompt asking to touch the key. Note that "sufficient" means a touch of the registered key alone authorises sudo and the password is never asked; use "required" instead if you want key plus password. Keep a second root shell open while testing PAM changes so a typo cannot lock you out of sudo.
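An added example (not from the gist) of applying the PAM change above safely: it edits a copy of /etc/pam.d/sudo, inserting the pam_u2f line directly above @include common-auth exactly once, and refuses to touch a file that has no such anchor (so nothing is silently appended in the wrong place). The control keyword decides the security property: "required" means key touch AND password, "sufficient" means the key alone. The sample pam file content is constructed and shorter than the real Ubuntu file; /etc/u2f_mappings is assumed as the mapping path, as in the notes.

```shell
# Added example: idempotent insertion of the pam_u2f line into a pam.d file.
# Work on a copy, inspect the diff, then install with sudo once it looks right.

MAPFILE=/etc/u2f_mappings   # assumed location, as in the notes above

# pam_u2f_line <required|sufficient>: print the auth line for that control
pam_u2f_line() {
    case "$1" in
        required|sufficient) ;;
        *) echo "usage: pam_u2f_line required|sufficient" >&2; return 2 ;;
    esac
    printf 'auth %s pam_u2f.so authfile=%s cue\n' "$1" "$MAPFILE"
}

# add_pam_u2f <pam-file> <required|sufficient>
# Inserts the line before the first "@include common-auth" unless a pam_u2f
# line is already present; fails if the anchor line is missing.
add_pam_u2f() {
    file=$1
    line=$(pam_u2f_line "$2") || return 2
    if grep -q 'pam_u2f\.so' "$file"; then
        echo "$file: pam_u2f already configured" >&2
        return 0
    fi
    if ! grep -q '^@include common-auth' "$file"; then
        echo "$file: no '@include common-auth' anchor, not touching it" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v l="$line" '!done && /^@include common-auth/ { print l; done=1 } { print }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# pam_u2f_before_common_auth <pam-file>: succeeds when the pam_u2f line sits
# above the common-auth include (otherwise the password would be asked first)
pam_u2f_before_common_auth() {
    awk '/pam_u2f\.so/ && !u { u=NR }
         /^@include common-auth/ && !c { c=NR }
         END { exit !(u && c && u < c) }' "$1"
}

# Constructed sample of a Debian/Ubuntu /etc/pam.d/sudo (the real file has
# more lines; only the anchor matters here)
SAMPLE='#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive'

# Try it on a copy, never on /etc/pam.d/sudo directly
work=$(mktemp)
printf '%s\n' "$SAMPLE" > "$work"
add_pam_u2f "$work" required
cat "$work"
add_pam_u2f "$work" required        # second run is a no-op
pam_u2f_before_common_auth "$work" && echo "pam_u2f is above common-auth: OK"
rm -f "$work"
```

To install the result for real: run add_pam_u2f on a copy of /etc/pam.d/sudo, `diff` it against the original, then `sudo cp` it into place and confirm `sudo -k; sudo true` still works from a second terminal before closing your root shell.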

Disable the GNOME Keyring SSH agent units directly (alternative to gnome-session-properties):

sudo systemctl disable --global gcr-ssh-agent.socket
sudo systemctl disable --global gcr-ssh-agent.service
systemctl disable --user gcr-ssh-agent.socket
systemctl disable --user gcr-ssh-agent.service

Yubikey for SSH

GPG + Ubuntu

https://curiouslynerdy.com/gpg-agent-for-ssh-on-ubuntu/

The option belongs in gpg-agent.conf (not .config); append rather than overwrite in case the file already has settings:

echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
systemctl --user restart gpg-agent

~~(make sure you removed the SSH_AUTH_SOCK setting from ~/.profile)~~

Into .bashrc add:

# use GPG agent as an SSH agent - for KDE/kubuntu
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

Troubleshooting:

gpg --card-status
gpgconf --kill gpg-agent
gpgconf --kill all
pkill gpg-agent

No such device troubleshooting 1

First option:

# Force GPG to use pcscd instead of the GnuPG internal CCID driver
nano ~/.gnupg/scdaemon.conf

pcsc-driver /usr/lib/x86_64-linux-gnu/libpcsclite.so.1
disable-ccid

# Caveats: going through pcscd can itself cause the "No such device" error when
# pcscd refuses access to the user (see option 2).
# Don't add "shared-access"! It was removed in newer GnuPG and breaks the config.

# to validate ~/.gnupg/scdaemon.conf:
/usr/lib/gnupg/scdaemon --server

gpgconf --kill scdaemon
gpg --card-status

Second option (let pcscd's polkit policy admit your user):

$ gpg --card-status
gpg: selecting card failed: No such device
$ pcsc_scan
$ sudo nano /etc/polkit-1/rules.d/49-pcscd.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("plugdev")) {
        return polkit.Result.YES;
    }
});

The rule grants pcscd access to every member of plugdev, so make sure your user is in that group (sudo usermod -aG plugdev "$USER", then log in again).

$ sudo systemctl restart pcscd
$ gpgconf --kill all
$ gpg --card-status

No key in gpg --list-keys

The card holds only the private key; fetch the public key from the URL stored on the card:

$ gpg --card-status
...
URL of public key : hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=BEE4B5CAA7566FEF
...
Signature key ....: 1233 1DC3 BB7E DFBD C611  B151 BEE4 B5CA A756 6FEF <= the last 8 bytes (16 hex digits) of the fingerprint are the long key ID

$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys BEE4B5CAA7566FEF
gpg: key BEE4B5CAA7566FEF: public key "... <...>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --list-keys

Anyone can upload a key to a keyserver, so after importing compare the full fingerprint from gpg --fingerprint BEE4B5CAA7566FEF with the Signature key line of gpg --card-status before trusting it.
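The fingerprint cross-check described above, as an added example (shell, not part of the gist). It takes the text of gpg --card-status and of gpg --fingerprint, derives the long key ID the same way the card URL does (last 16 hex digits), and accepts the imported key only when all 40 hex digits match, which is what catches a different key uploaded under the same key ID. The sample outputs are constructed from the fingerprint shown in these notes; the uid line and the "bad" fingerprint are made up.

```shell
# Added example: verify that the public key fetched from a keyserver is really
# the one whose private half lives on the card. Only the full 40-hex-digit
# fingerprint ties the two together; a key ID is just its last 16 digits.

# fpr_normalize <line>: strip a "label ...:" or "Key fingerprint =" prefix and
# every non-hex character, and upper-case the 40 hex digits that remain
fpr_normalize() {
    printf '%s' "$1" | sed -e 's/^.*[:=] *//' -e 's/[^0-9A-Fa-f]//g' | tr 'a-f' 'A-F'
}

# keyid_from_fpr <line>: long key ID = last 16 hex digits of the fingerprint
keyid_from_fpr() {
    fpr=$(fpr_normalize "$1")
    printf '%s' "$fpr" | tail -c 16
}

# card_sig_fpr <card-status text>: fingerprint of the card's signature key
card_sig_fpr() {
    line=$(printf '%s\n' "$1" | grep '^Signature key')
    fpr_normalize "$line"
}

# imported_fpr <gpg --fingerprint text>: the primary key's fingerprint line,
# which gpg prints indented as ten groups of four hex digits
imported_fpr() {
    line=$(printf '%s\n' "$1" | grep -E '^ +([0-9A-F]{4} +){9}[0-9A-F]{4} *$' | head -n 1)
    fpr_normalize "$line"
}

# verify_card_key <card-status text> <gpg --fingerprint text>
# Succeeds only if both fingerprints are present and identical.
verify_card_key() {
    card=$(card_sig_fpr "$1")
    got=$(imported_fpr "$2")
    if [ ${#card} -ne 40 ] || [ "$card" != "$got" ]; then
        echo "MISMATCH: card=$card imported=$got" >&2
        return 1
    fi
    echo "OK: imported key matches the card: $card"
}

# Constructed sample inputs (shaped like the outputs quoted in these notes)
CARD_STATUS='URL of public key : hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=BEE4B5CAA7566FEF
Signature key ....: 1233 1DC3 BB7E DFBD C611  B151 BEE4 B5CA A756 6FEF'

GPG_FPR_OK='pub   ed25519 2021-01-30 [SC]
      1233 1DC3 BB7E DFBD C611  B151 BEE4 B5CA A756 6FEF
uid           [ultimate] Example User <user@example.org>'

# a different key that shares the same long key ID (only the first digits differ)
GPG_FPR_BAD='pub   ed25519 2021-01-30 [SC]
      0000 1DC3 BB7E DFBD C611  B151 BEE4 B5CA A756 6FEF
uid           [ultimate] Example User <user@example.org>'

echo "long key ID: $(keyid_from_fpr "$(card_sig_fpr "$CARD_STATUS")")"
verify_card_key "$CARD_STATUS" "$GPG_FPR_OK"
if verify_card_key "$CARD_STATUS" "$GPG_FPR_BAD"; then
    echo "unexpected: wrong key accepted"
else
    echo "wrong key with the same key ID rejected, as intended"
fi
```

On a real machine replace the two sample variables with `"$(gpg --card-status)"` and `"$(gpg --fingerprint BEE4B5CAA7566FEF)"`; the key ID alone is not enough because a keyserver returns whatever key carries that ID.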

First hardware key setup - GPG

https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP

Generate the key pair on the card (the private key never leaves the YubiKey; when generate asks about an off-card backup of the encryption key, that backup is the only copy you will ever get):

gpg --card-edit
admin
key-attr
  (2) ECC
  (1) Curve 25519 *default*
generate

# send the public key to a keyserver and store its URL on the yubikey
gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-keys $KEYID
gpg --card-edit
admin
url
hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=$KEYID
quit

# check: fetch the key back from the keyserver
gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys $KEYID

Get pubkey for SSH authorized_keys (the > after sec means the private key lives on the card):

gpg --card-status
...
sec>  ed25519/BEE...
gpg --export-ssh-key BEE.....