Yubikey4 and gpg-agent
Latest revision as of 17:34, 10 September 2023
Using the Yubikey4 for ssh key generation and storage as well as one-time-password generation. There are many guides to many subtly different ways of doing roughly this; this page only gives a simple account of what worked for me.
Use gpg-agent instead of ssh-agent
Disable ssh-agent if it is running (if both agents are up, SSH_AUTH_SOCK ends up pointing at whichever started last). Use [http://incenp.org/notes/2014/gnupg-for-ssh-authentication.html the script provided], which is essentially [https://github.com/funtoo/keychain keychain] but for gpg-agent: it reuses the running agent when the PID recorded in gpg-agent-info is still alive, and otherwise starts a new one with ssh-agent emulation. I put it in .bashrc rather than .xsession:

 if test -f $XDG_RUNTIME_DIR/gpg-agent-info && kill -0 $(head -n 1 $XDG_RUNTIME_DIR/gpg-agent-info | cut -d: -f2) 2>/dev/null ; then
     eval $(< $XDG_RUNTIME_DIR/gpg-agent-info)
 else
     eval $(gpg-agent --daemon --enable-ssh-support --write-env-file $XDG_RUNTIME_DIR/gpg-agent-info)
 fi
 export GPG_AGENT_INFO
 export SSH_AUTH_SOCK

Caution: Does not work in GnuPG 2.1+ due to this change. GnuPG 2.1 dropped --write-env-file and the GPG_AGENT_INFO variable: the agent is started on demand, its ssh socket sits at a fixed path that gpgconf --list-dirs agent-ssh-socket reports, and enable-ssh-support belongs in gpg-agent.conf.
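The GnuPG 2.1+ equivalent of the block above, added here as an example; it is not the wiki's script or the linked one. It assumes gpgconf(1) from GnuPG 2.1 or later (for --list-dirs and --launch), a POSIX sh or bash, and that the on-demand agent reads enable-ssh-support from gpg-agent.conf. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not the wiki's or the linked script's code.
# Assumes GnuPG >= 2.1 (gpgconf --list-dirs / --launch) and a POSIX sh.
# Function names are this example's own.

# Pull the agent-ssh-socket path out of `gpgconf --list-dirs` output,
# which is one "name:value" per line with ':' and '%' percent-escaped
# in values (%3a and %25). Other escapes are left alone; they do not
# occur in ordinary socket paths.
agent_ssh_socket_from_listing() {
    printf '%s\n' "$1" |
        awk -F: '$1 == "agent-ssh-socket" { print $2; exit }' |
        sed -e 's/%3[aA]/:/g' -e 's/%25/%/g'
}

# The auto-started agent reads gpg-agent.conf, so enable-ssh-support must
# be there; append it once if missing. Takes the conf path as an argument
# so it can be exercised against a scratch file. An agent that is already
# running picks the option up only after `gpgconf --kill gpg-agent`.
ensure_ssh_support_enabled() {
    conf=$1
    mkdir -p "$(dirname "$conf")" || return 1
    if ! grep -qx 'enable-ssh-support' "$conf" 2>/dev/null; then
        printf 'enable-ssh-support\n' >> "$conf" || return 1
    fi
}

# Replacement for the GPG_AGENT_INFO dance: make sure the agent is up and
# point ssh at its socket. No PID file and no --write-env-file needed.
use_gpg_agent_for_ssh() {
    ensure_ssh_support_enabled "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" || return 1
    listing=$(gpgconf --list-dirs) || return 1
    sock=$(agent_ssh_socket_from_listing "$listing")
    [ -n "$sock" ] || return 1
    gpgconf --launch gpg-agent || return 1
    # A leftover ssh-agent must not shadow gpg-agent: drop its variables.
    unset SSH_AGENT_PID
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# From .bashrc: do nothing when GnuPG 2.1+ is not installed.
if command -v gpgconf >/dev/null 2>&1; then
    use_gpg_agent_for_ssh || echo 'gpg-agent ssh setup failed' >&2
fi
```

After sourcing this, ssh-add -L should list the card's authentication key as soon as the Yubikey is inserted; if it lists nothing, the agent was started before enable-ssh-support went into gpg-agent.conf and needs gpgconf --kill gpg-agent.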
Generate an authentication key
I used the method described [https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ in this blog post] to generate the authentication subkey on the Yubikey itself, so the private key never exists outside the card:

 $ gpg2 --edit-key YOURKEY
 gpg> addcardkey

Select authentication, provide an expiry, create the key, and save.

 $ gpg2 -K

should show the new subkey (the ">" after "ssb" marks a key that lives on the card), and

 $ gpgkey2ssh AUTHKEY

should print a public key line suitable for authorized_keys. (gpgkey2ssh is gone from current GnuPG; from 2.1.11 on use gpg2 --export-ssh-key AUTHKEY instead.) First access of the key will present a prompt for the PIN. After that PIN-less access and OTP generation should work until the key is unplugged. Note that this means any process that can reach the agent socket can use the card key without another PIN entry for as long as the Yubikey stays plugged in, so remove it when you step away. I did not have to install any smart card related utilities for this to work as expected.
I found that despite being generated on the Yubikey the authentication private key still showed up in my local keyring. Removing it did not affect ssh behavior. That entry is only a stub (the ">" after "ssb" in gpg2 -K output) recording the card's serial number, not key material; gpg-agent locates card keys through scdaemon whenever the card is inserted, which is why deleting the stub changes nothing for ssh. To confirm the key really lives on the card, check that the Authentication key fingerprint shown by gpg2 --card-status matches the subkey's fingerprint.
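A check for the export step above, added here as an example rather than taken from the wiki or the blog post: before an authorized_keys line goes onto a server, the key the card reports, the key gpg exports and the key gpg-agent actually serves over the ssh socket should all be the same. It assumes GnuPG 2.1.11 or later (gpg2 --export-ssh-key), OpenSSH's ssh-add, and a POSIX sh; the function names and the sample lines in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not the wiki's or the blog post's code. Assumes GnuPG
# >= 2.1.11 (gpg2 --export-ssh-key), OpenSSH's ssh-add, and a POSIX sh.
# Function names are this example's own.

# Reduce an authorized_keys / `ssh-add -L` line to "keytype base64",
# skipping any leading options (command="...", from="...", ...) and the
# trailing comment, so lines are compared on key material alone. The
# comments differ anyway: gpg exports "openpgp:0x...", the agent shows
# "cardno:...". Caveat: an option value containing a space followed by a
# word starting "ssh-" would confuse this; such options are unusual.
ssh_key_material() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

# Read `ssh-add -L` output on stdin; succeed if the key given in $1 is
# among the keys the agent offers.
agent_offers_key() {
    want=$(ssh_key_material "$1")
    [ -n "$want" ] || return 1
    while IFS= read -r line; do
        [ "$(ssh_key_material "$line")" = "$want" ] && return 0
    done
    return 1
}

# Fingerprint of the card's authentication slot from `gpg2 --card-status`
# text on stdin ("Authentication key: 1234 5678 ..."), spaces stripped.
# Prints "[none]" when the slot is empty.
card_auth_fpr() {
    sed -n 's/^Authentication key: *//p' | tr -d ' '
}

# End-to-end check against the real tools. Prints the authorized_keys
# line only when card, keyring stub and agent all agree.
verify_card_auth_key() {
    fpr=$(gpg2 --card-status 2>/dev/null | card_auth_fpr)
    if [ -z "$fpr" ] || [ "$fpr" = "[none]" ]; then
        echo 'card reports no authentication key' >&2
        return 1
    fi
    # "!" selects exactly this subkey rather than the newest auth subkey.
    pub=$(gpg2 --export-ssh-key "$fpr!" 2>/dev/null) || {
        echo "no subkey stub for card key $fpr in this keyring" >&2
        return 1
    }
    if ! ssh-add -L 2>/dev/null | agent_offers_key "$pub"; then
        echo 'gpg-agent is not serving the card key: check SSH_AUTH_SOCK and that the card is inserted' >&2
        return 1
    fi
    printf '%s\n' "$pub"
}
```

Run verify_card_auth_key with the Yubikey inserted and append its output to the server's authorized_keys; a key the card does not report, or that the agent does not offer, is caught before it locks you out.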