💾 Archived View for koyu.space › vydyck › tech › linux › yubikey-ssh.gmi captured on 2023-07-10 at 14:16:03. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

How to use yubikeys with ssh

Initial setup

Follow drduhs elaborate tutorial:

https://github.com/drduh/YubiKey-Guide

local copy

! pay attention to the keytocard part:

I you want to write multiple copies of the private key, eg to multiple yubikeys, DO NOT SAVE during the keytocard pard (save and quit) but CTRL-C after writing all (3) keys to each yubikey and restart the key-edit part

Using the key on a linux system for gpg and ssh

(SSH|GPG) see if your useraccount can access the yubikey via gpg

gpg --card-status
you may need to install scdaemon if this returns an error
if it still does not work, see if gpg --card-status works as root; this indicates a permission issue; can be solved via udev rule or manual command:

(SSH) When that returns details for you card

echo "use-ssh-agent" > ~/.gnupg/gpg-agent.conf this is a onetime action
gpg-connect-agent;killagent;bye restart the gpg-agent process if the gpg-agent.conf file needed to be created
gpgconf --list-dirs should list an agent-ssh-socket dir; you need to set the SSH_AUTH_SOCK variable to that path
or in one command: export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
ssh-add -L should now show your public key; you can append this output to the authorized_keys file of your servers, add it to the public key section of your github/gitlab/bitbucket profile, import it as a keypair in amazon ec2, etc...

(GPG) export upload/copy/spread your public key

The card only stores your private key, you must make sure to export public key and make it available to whomever needs to send you encrypted data, including yourself. On other systems you can import it with gpg --import <filename>
to encrypt a file "to" yourself, use gpg -e and give it a part of your name, email address,...