Yubikey4 and gpg-agent: Difference between revisions
Revision as of 23:35, 9 February 2016 (view source)
Cdentinger (talk | contribs)
(caution and formatting)
← Older edit
Revision as of 23:36, 9 February 2016 (view source)
Cdentinger (talk | contribs)
m (grammar)
Newer edit →
Line 12 (older revision):
{{Caution|No longer works in GnuPG 2.1+ due to [https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart this] change.}}

Line 12 (newer revision):
{{Caution|Does not work in GnuPG 2.1+ due to [https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart this] change.}}

== Generate an authentication key ==
Revision as of 23:36, 9 February 2016
This page covers using the Yubikey4 for SSH key generation and storage as well as one-time-password generation. There are many guides describing subtly different ways of doing essentially this; I mean only to give a simple explanation of what worked for me.
Use gpg-agent instead of ssh-agent
Disable ssh-agent if it is running. Use the script provided here, which is essentially keychain but for gpg-agent. I put it in .bashrc rather than .xsession:

# Reuse the running agent if the info file names a live PID, otherwise start one
if test -f "$XDG_RUNTIME_DIR/gpg-agent-info" && kill -0 "$(head -n 1 "$XDG_RUNTIME_DIR/gpg-agent-info" | cut -d: -f2)" 2>/dev/null ; then
    eval "$(< "$XDG_RUNTIME_DIR/gpg-agent-info")"
else
    eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$XDG_RUNTIME_DIR/gpg-agent-info")"
fi
export GPG_AGENT_INFO
export SSH_AUTH_SOCK

Does not work in GnuPG 2.1+ due to this change (https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart).
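The script above depends on the GnuPG 2.0 gpg-agent-info file and breaks once the agent autostarts. As an added example (my code, not the wiki page's script or anything from the GnuPG project), the following POSIX sh functions go one step further than the page: they parse and validate that legacy info file before trusting the PID in it, and on GnuPG 2.1+ they ask gpgconf for the SSH socket instead. Assumed: the info file has the two-line GPG_AGENT_INFO=...:PID:1 / SSH_AUTH_SOCK=... layout written by --write-env-file, and gpgconf --list-dirs agent-ssh-socket is available (it is in GnuPG 2.2 and later). The socket is only created when enable-ssh-support is set in gpg-agent.conf.

```shell
#!/bin/sh
# Added example, not code from the wiki page: locate gpg-agent's SSH socket
# on either the legacy (GnuPG 2.0, --write-env-file) or the modern
# (GnuPG 2.1+, autostart + gpgconf) layout. Assumed info-file format:
#   GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:12345:1
#   SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh

# Print the agent PID recorded on the first line of a gpg-agent-info file.
# Returns 1 without printing if the file is absent or the PID field is not
# a plain number, so a stale or corrupt file never reaches kill -0.
agent_info_pid() {
    [ -f "$1" ] || return 1
    pid=$(head -n 1 "$1" | cut -d: -f2)
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Print the SSH_AUTH_SOCK path recorded in a gpg-agent-info file.
agent_info_ssh_sock() {
    [ -f "$1" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=//p' "$1" | head -n 1)
    [ -n "$sock" ] || return 1
    printf '%s\n' "$sock"
}

# Legacy (GnuPG 2.0) liveness check: the PID in the info file still exists.
legacy_agent_alive() {
    pid=$(agent_info_pid "$1") || return 1
    kill -0 "$pid" 2>/dev/null
}

# Modern (GnuPG 2.1+) check: the agent starts on demand, so only the socket
# matters. It exists only with enable-ssh-support in gpg-agent.conf, so a
# missing socket usually means that line is absent.
modern_ssh_sock() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || return 1
    [ -n "$sock" ] || return 1
    gpg-connect-agent /bye >/dev/null 2>&1 || return 1   # triggers autostart
    [ -S "$sock" ] || return 1
    printf '%s\n' "$sock"
}

# Emit shell assignments for eval: modern layout first, then a still-live
# legacy agent, otherwise start a legacy agent (only GnuPG 2.0 honours
# --write-env-file; on 2.1+ the modern branch is the one that fires).
gpg_ssh_env() {
    info_file=${XDG_RUNTIME_DIR:-$HOME}/gpg-agent-info
    if sock=$(modern_ssh_sock); then
        printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK\n' "$sock"
    elif legacy_agent_alive "$info_file"; then
        cat "$info_file"
        printf 'export GPG_AGENT_INFO SSH_AUTH_SOCK\n'
    else
        gpg-agent --daemon --enable-ssh-support --write-env-file "$info_file" \
            && printf 'export GPG_AGENT_INFO SSH_AUTH_SOCK\n'
    fi
}

# In ~/.bashrc, after sourcing this file:  eval "$(gpg_ssh_env)"
```

Validating the PID field before calling kill -0 is the part the one-liner skips: an empty or non-numeric field would otherwise be passed to kill, and a file left behind by an old session could make the shell reuse an agent that no longer exists.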
Generate an authentication key
I used the method described here to generate the authentication subkey on the Yubikey itself:
$ gpg2 --edit-key YOURKEY
gpg> addcardkey

Select authentication, provide an expiry, create the key, and save. gpg2 -K should show the new key, and gpgkey2ssh AUTHKEY should print a version suitable for authorized_keys. The first access of the key will present a box for the PIN. After that, PIN-less access and OTP generation should work until the device is unplugged. I did not have to install any smart card related utilities for this to work as expected.
I found that, despite being generated on the Yubikey, the authentication private key remained in my local keychain. Removing it did not affect ssh behavior.
This page was last edited on 9 February 2016, at 23:36.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details.