Using a YubiKey for SSH authentication
This is a guide for using a YubiKey for SSH authentication.
There are plenty of guides about how to do this. I find they focus too much on GPG and management of GPG keys. If you don't care about GPG except as an avenue to SSH authentication, then this guide is for you.
I've written this guide for Debian Linux. The instructions will likely work with minor tweaks for other distributions.
Steps

- Run `apt-get install gnupg pcscd scdaemon`.
- Plug in your YubiKey.
- Run `gpg --card-edit`. You'll be at a GPG prompt.
- Enter `admin` to enter admin mode.
- Enter `generate` to generate a GPG key.
- gpg will ask whether you want an off-card backup of your GPG key. Say no.
- gpg will ask for your admin PIN. By default this is 12345678.
- gpg will ask for your regular PIN. By default this is 123456.
- gpg will ask for the key's expiry date. Choose 0 for no expiry.
- gpg will ask for your name, email, and a comment about the key.
- After you choose okay it will take about 30 seconds to generate the key.
- You'll be back at the gpg prompt. Exit.
- Run `echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf`.
- Run `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)`. This means we use gpg-agent instead of ssh-agent.
- Get the SSH public key with `ssh-add -L`. You'll see something like `ssh-rsa [etc]`.
- Put the key into a host's `~/.ssh/authorized_keys` file as usual.
- ssh as usual.
You'll want to do this as well:

- Add the `export SSH_AUTH_SOCK [etc]` command to your `~/.bashrc` so that ssh always uses gpg-agent instead of ssh-agent.
- Change the PINs on your keys. See here for an example of doing that (in the example section).

If you find gpg-agent isn't prompting you for your PIN in a nice way, you might also want to do these:

- Run `gpg-connect-agent updatestartuptty /bye > /dev/null` so gpg-agent knows where to ask for a PIN. You may want this in your `~/.bashrc`.
- You may want to add aliases for `ssh` and `scp` so that you run `gpg-connect-agent` immediately prior to them. This helps ensure that the PIN entry dialogue goes to the correct tty:

```sh
alias ssh="gpg-connect-agent updatestartuptty /bye > /dev/null; ssh"
alias scp="gpg-connect-agent updatestartuptty /bye > /dev/null; scp"
```
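The steps and the `~/.bashrc` additions above, collected into a snippet that can be run more than once without damage. This is an added example and not code from the original guide: the function names, the config-file path argument (so the helper can be exercised on a scratch file) and the commented-out setup calls are my own choices; the only external commands it relies on are `gpgconf` and `gpg-connect-agent` from the steps above.

```shell
#!/bin/sh
# Added example: idempotent helpers for using gpg-agent as the SSH agent.
# Source this file from ~/.bashrc (hypothetical usage; see the bottom).

# Append a line to a config file only if it is not already there, so that
# re-running the setup does not stack up duplicate "enable-ssh-support"
# lines the way a plain `echo ... >> file` does.
ensure_config_line() {
    file=$1
    line=$2
    if [ ! -f "$file" ] || ! grep -qx "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Report how many times an exact line occurs in a file (0 if the file is
# missing). Used to confirm the helper above is idempotent.
count_config_line() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cx "$2" "$1"
}

# Point SSH at gpg-agent's socket and tell the agent which tty to use for
# the PIN prompt. Returns 1 (does nothing) when gpgconf is not installed.
use_gpg_agent_for_ssh() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
}

# Function wrappers instead of aliases: aliases are not expanded in
# non-interactive shells, while functions are. `command` reaches the
# real binary so the wrapper does not call itself.
ssh() { gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1; command ssh "$@"; }
scp() { gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1; command scp "$@"; }

# Hypothetical ~/.bashrc usage (commented out so the file can be sourced
# anywhere):
# ensure_config_line "$HOME/.gnupg/gpg-agent.conf" enable-ssh-support
# use_gpg_agent_for_ssh
```

One caveat worth knowing when running this on a machine where gpg-agent is already running: `enable-ssh-support` is read when the agent starts, so after adding the line restart the agent with `gpgconf --kill gpg-agent` (it is restarted on demand) so that the SSH socket actually exists.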
Gotchas

- `gpg: OpenPGP card not available: No SmartCard daemon`: install scdaemon.
- `gpg: OpenPGP card not available: No such device`: install pcscd.
- `sign_and_send_pubkey: signing failed: agent refused operation`: run `gpg-connect-agent updatestartuptty /bye`.
References and other guides
- https://florin.myip.org/blog/easy-multifactor-authentication-ssh-using-yubikey-neo-tokens
- https://www.jfry.me/articles/2015/gpg-smartcard/
- https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4
- https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
- https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh
- https://github.com/drduh/YubiKey-Guide