Using a YubiKey for SSH authentication
This is a guide for using a YubiKey for SSH authentication.
There are plenty of guides about how to do this. I find they focus too much on GPG and management of GPG keys. If you don't care about GPG except as an avenue to SSH authentication, then this guide is for you.
I've written this guide for Debian GNU/Linux. The instructions will likely work with minor tweaks for other distributions.
apt-get install gnupg pcscd scdaemon.
- Plug in your YubiKey.
gpg --card-edit. You'll be at a GPG prompt.
adminto enter admin mode.
generateto generate a GPG key.
- gpg will ask whether you want an off card backup of your GPG key. Say no.
- gpg will ask for your admin PIN. By default this is 12345678.
- gpg will ask for your regular PIN. By default this is 123456.
- gpg will ask for the key's expiry date. Choose 0 for no expiry.
- gpg will ask for your name, email, and a comment about the key.
- After you choose okay it will take about 30 seconds to generate the key.
- You'll be back at the gpg prompt. Exit.
echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf.
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket). This means we use gpg-agent instead of ssh-agent.
- Get the SSH public key:
ssh-add -L. You'll see something like
- Put the key into a host's
~/.ssh/authorized_keysfile as usual.
- ssh as usual.
You'll want to do this as well:
- Add the
export SSH_AUTH_SOCK [etc]command to your
~/.bashrcso that ssh always uses gpg-agent instead of ssh-agent.
- Change the PINs on your keys. See here for an example of doing that (in the example section).
If you find gpg-agent isn't prompting you for your PIN in a nice way, you might also want to do these:
gpg-connect-agent updatestartuptty /bye > /dev/nullso gpg-agent knows where to ask for a PIN. You may want this in your
- You may want to add aliases for
scpso that you run
gpg-connect-agentimmediately prior to them. This helps ensure that the PIN entry dialogue goes to the correct tty.
alias ssh="gpg-connect-agent updatestartuptty /bye > /dev/null; ssh"
alias scp="gpg-connect-agent updatestartuptty /bye > /dev/null; scp"
gpg: OpenPGP card not available: No SmartCard daemon
gpg: OpenPGP card not available: No such device
sign_and_send_pubkey: signing failed: agent refused operation
gpg-connect-agent updatestartuptty /bye.
References and other guides