Yubikey4 and gpg-agent
Using the Yubikey4 for ssh key generation and storage as well as one-time-password generation. There are a ton of guides to a ton of subtly different methods of doing basically this; I mean only to provide a simple explanation of what worked for me.

Use gpg-agent instead of ssh-agent

Disable ssh-agent if it is running. Use the script provided here, which is essentially keychain but for gpg-agent. I put it in .bashrc rather than .xsession:

    # Reuse a running gpg-agent if the env file still points at a live process,
    # otherwise start a new agent with ssh-agent emulation enabled.
    if test -f "$XDG_RUNTIME_DIR/gpg-agent-info" && kill -0 "$(head -n 1 "$XDG_RUNTIME_DIR/gpg-agent-info" | cut -d: -f2)" 2>/dev/null ; then
        eval "$(< "$XDG_RUNTIME_DIR/gpg-agent-info")"
    else
        eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$XDG_RUNTIME_DIR/gpg-agent-info")"
    fi
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
Caution: No longer works in GnuPG 2.1+ due to this change.
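Because the snippet above relies on --write-env-file, which GnuPG 2.1 removed, the following is the equivalent setup for GnuPG 2.1+ as an added example (not from the original page). It assumes gpg-agent.conf lives under GNUPGHOME (default ~/.gnupg) and, when gpgconf is unavailable, that the agent socket sits at its classic GNUPGHOME location.

```shell
#!/bin/sh
# Added example (not from the original page): the GnuPG 2.1+ way to point ssh
# at gpg-agent. 2.1 dropped --write-env-file and the env file parsed above;
# the agent is started via gpgconf and the socket path is asked from gpgconf.
# Assumptions: gpg-agent.conf lives under GNUPGHOME (default ~/.gnupg) and,
# when gpgconf is absent, the socket sits at its classic GNUPGHOME location.

# Ensure gpg-agent.conf contains enable-ssh-support (idempotent).
# $1: path to gpg-agent.conf. Prints "added" or "present".
ensure_enable_ssh_support() {
    conf="${1:-${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf}"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF 'enable-ssh-support' "$conf"; then
        echo present
    else
        printf '%s\n' 'enable-ssh-support' >> "$conf"
        echo added          # a running agent needs: gpgconf --reload gpg-agent
    fi
}

# Print the agent's SSH socket path (what SSH_AUTH_SOCK must point at).
gpg_agent_ssh_sock() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        # Fallback assumption when gpgconf is unavailable: classic location.
        printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
    fi
}

# Replacement for the snippet above: run from .bashrc instead of ssh-agent.
use_gpg_agent_for_ssh() {
    unset SSH_AGENT_PID              # make sure a stray ssh-agent is not used
    SSH_AUTH_SOCK="$(gpg_agent_ssh_sock)"
    export SSH_AUTH_SOCK
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --launch gpg-agent   # starts the agent only if not running
        # Tell the agent which tty/display to use for the PIN prompt.
        gpg-connect-agent updatestartuptty /bye >/dev/null
    fi
}

# Usage (uncomment in .bashrc):
# ensure_enable_ssh_support >/dev/null
# use_gpg_agent_for_ssh
# The public key for authorized_keys comes from: gpg2 --export-ssh-key AUTHKEY
```

In GnuPG 2.1+ gpgkey2ssh is gone as well; gpg2 --export-ssh-key takes its place for producing the authorized_keys line.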
Generate an authentication key

I used the method described here to generate the authentication subkey on the Yubikey itself:

    $ gpg2 --edit-key YOURKEY
    gpg> addcardkey
Select authentication, provide an expiry, create the key, and save. gpg2 -K should show the new key, and gpgkey2ssh AUTHKEY should output a public key line suitable for authorized_keys. The first access to the key presents a prompt for the PIN; after that, PIN-less access and OTP generation should work until the Yubikey is unplugged. I did not have to install any smart card related utilities for this to work as expected.
I found that, despite being generated on the Yubikey, the authentication private key remained in my local keychain. Removing it did not affect ssh behavior.
This page was last edited on 9 February 2016, at 23:35.