Yubikey4 and gpg-agent: Difference between revisions

From Wikitech

Revision as of 23:35, 9 February 2016

Using the Yubikey4 for ssh key generation and storage as well as one-time-password generation. There are a ton of guides to a ton of subtly different methods of doing basically this; I mean only to provide a simple explanation of what worked for me.

Use gpg-agent instead of ssh-agent

Disable ssh-agent if it is running. Use the script provided here (http://incenp.org/notes/2014/gnupg-for-ssh-authentication.html), which is essentially keychain (https://github.com/funtoo/keychain) but for gpg-agent. I put it in .bashrc rather than .xsession:

 if test -f $XDG_RUNTIME_DIR/gpg-agent-info && kill -0 $(head -n 1 $XDG_RUNTIME_DIR/gpg-agent-info | cut -d: -f2) 2>/dev/null ; then
     eval $(< $XDG_RUNTIME_DIR/gpg-agent-info)
 else
     eval $(gpg-agent --daemon --enable-ssh-support --write-env-file $XDG_RUNTIME_DIR/gpg-agent-info)
 fi
 export GPG_AGENT_INFO
 export SSH_AUTH_SOCK
Caution: No longer works in GnuPG 2.1+ due to the agent autostart change (https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart).
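Since the caution above makes the gpg-agent-info script a dead end on GnuPG 2.1+, here is an added example (not from the original page) of the same .bashrc logic rewritten for 2.1: the socket path comes from gpgconf rather than an env file. It assumes enable-ssh-support is set in ~/.gnupg/gpg-agent.conf and that gpgconf is on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: the GnuPG 2.1+ counterpart of the
# gpg-agent-info script above. 2.1 autostarts the agent and writes no env file,
# so the ssh socket path is asked from gpgconf instead of parsed from
# $XDG_RUNTIME_DIR/gpg-agent-info. Assumes ~/.gnupg/gpg-agent.conf contains
# "enable-ssh-support" (what --enable-ssh-support did for the 2.0 daemon).

# Print the path of gpg-agent's ssh socket. Uses gpgconf where it reports the
# socket (newer 2.1 releases), else the conventional location under GNUPGHOME.
gpg_ssh_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null | head -n 1)
    fi
    case "$sock" in
        */S.gpg-agent.ssh) ;;                      # a real socket path
        *) sock="${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh" ;;
    esac
    printf '%s\n' "$sock"
}

# Is SSH_AUTH_SOCK ($1) already gpg-agent's socket ($2)? Pure string check,
# so it needs no gpg installed; returns 0 when it is, 1 otherwise.
ssh_uses_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Point ssh at gpg-agent for this shell, mirroring the 2.0 script: make sure
# the agent is up, then export SSH_AUTH_SOCK. GPG_AGENT_INFO is not exported;
# GnuPG 2.1 ignores it.
use_gpg_agent_for_ssh() {
    sock=$(gpg_ssh_socket)
    if ssh_uses_gpg_agent "${SSH_AUTH_SOCK:-}" "$sock"; then
        return 0                                   # already configured
    fi
    # Equivalent of "gpg-agent --daemon": start it only if not running.
    gpgconf --launch gpg-agent >/dev/null 2>&1 || return 1
    # Tell the agent which tty/display owns the PIN prompt; starting the
    # daemon from the shell gave the 2.0 script this for free.
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    unset SSH_AGENT_PID                            # stale ssh-agent leftover
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# Sourced from .bashrc like the original; only act where gpgconf exists.
if command -v gpgconf >/dev/null 2>&1; then
    use_gpg_agent_for_ssh || echo "gpg-agent could not be started" >&2
fi
```

After sourcing it, ssh-add -L should list the card's authentication key once the agent has seen the Yubikey.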

Generate an authentication key

I used the method described here (https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/) to generate the authentication subkey on the Yubikey itself:

 $ gpg2 --edit-key YOURKEY
 gpg> addcardkey

Select authentication, provide expiry, create the key, and save. gpg2 -K should show the new key, and gpgkey2ssh AUTHKEY should output a version suitable for authorized_keys. First access of the key will present a box for the PIN. After that, PIN-less access and OTP generation should work until the Yubikey is unplugged. I did not have to install any smart card related utilities for this to work as expected.

I found that despite being generated on the Yubikey the authentication private key remained on my local keychain. Removing it did not affect ssh behavior.