= Yubikey4 and gpg-agent =
Revision as of 23:35, 9 February 2016 (edit summary: caution and formatting)
 
== Use gpg-agent instead of ssh-agent ==
Disable ssh-agent if it is running. Use the script provided [http://incenp.org/notes/2014/gnupg-for-ssh-authentication.html here], which is essentially [https://github.com/funtoo/keychain keychain] but for gpg-agent. I put it in <code>.bashrc</code> rather than <code>.xsession</code>:
 
 if test -f $XDG_RUNTIME_DIR/gpg-agent-info && kill -0 $(head -n 1 $XDG_RUNTIME_DIR/gpg-agent-info | cut -d: -f2) 2>/dev/null ; then
     . $XDG_RUNTIME_DIR/gpg-agent-info   # an agent is already running: reuse its socket paths
     export GPG_AGENT_INFO SSH_AUTH_SOCK
 else
     eval $(gpg-agent --daemon --enable-ssh-support --write-env-file $XDG_RUNTIME_DIR/gpg-agent-info)
 fi
 
{{Caution|No longer works in GnuPG 2.1+ due to [https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart this] change.}}
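As an added example (not part of this page or the linked script), a version-aware variant of the snippet above: it keeps the 2.0 env-file approach and, for GnuPG 2.1+, asks gpgconf for the autostarted agent's SSH socket. It assumes gpgconf understands <code>agent-ssh-socket</code> (GnuPG 2.1.13 and later).

```shell
#!/bin/sh
# Added example, not code from the wiki page: pick the right way to wire
# SSH into gpg-agent, because the env-file snippet above only works with
# GnuPG 2.0 and GnuPG 2.1+ autostarts the agent itself.
# Return "envfile" for GnuPG 2.0.x and "autostart" for 2.1 or later.
# Argument: a version string such as "2.0.30" or "2.1.11".
gpg_ssh_mode() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }; then
        echo autostart
    else
        echo envfile
    fi
}

# Extract the agent PID from a gpg-agent-info file written by
# 'gpg-agent --write-env-file'; this is the field the page's
# 'kill -0 $(head -n 1 ... | cut -d: -f2)' liveness check reads.
# The first line has the form GPG_AGENT_INFO=/path/S.gpg-agent:PID:1
agent_info_pid() {
    head -n 1 "$1" | cut -d: -f2
}

# Export SSH_AUTH_SOCK for whichever GnuPG is installed. Assumes gpgconf
# understands 'agent-ssh-socket' (GnuPG 2.1.13 and later).
setup_ssh_auth_sock() {
    mode=$(gpg_ssh_mode "$(gpg --version | head -n 1 | awk '{print $3}')")
    case $mode in
    autostart)
        # Autostart only serves SSH if gpg-agent.conf enables it.
        grep -qs '^enable-ssh-support' "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" ||
            echo "warning: enable-ssh-support missing from gpg-agent.conf" >&2
        SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket); export SSH_AUTH_SOCK
        gpgconf --launch gpg-agent ;;
    envfile)
        info=${XDG_RUNTIME_DIR:-/tmp}/gpg-agent-info
        if [ -f "$info" ] && kill -0 "$(agent_info_pid "$info")" 2>/dev/null; then
            . "$info"; export GPG_AGENT_INFO SSH_AUTH_SOCK
        else
            eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$info")"
        fi ;;
    esac
}
# Constructed sample of a 2.0-era env file, to show what the PID check reads.
sample=$(mktemp); printf 'GPG_AGENT_INFO=/run/user/1000/S.gpg-agent:4242:1\n' >"$sample"
echo "agent pid from sample: $(agent_info_pid "$sample")"   # 4242
rm -f "$sample"
```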
 
== Generate an authentication key ==
I used the method described [https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ here] to generate the authentication subkey on the Yubikey itself:
 
 $ gpg2 --edit-key YOURKEY
 gpg> addcardkey
 
Select authentication, provide an expiry, create the key, and save. <code>gpg2 -K</code> should show the new key, and <code>gpgkey2ssh AUTHKEY</code> should print a public key line suitable for <code>authorized_keys</code>. First access of the key will present a box for the PIN. After that, PIN-less access and OTP generation should work until the Yubikey is unplugged. I did not have to install any smart card related utilities for this to work as expected.
 
I found that despite being generated on the Yubikey the authentication private key remained on my local keychain. Removing it did not affect ssh behavior.
Cdentinger