Yubikeys are able to store your gpg private keys, which lets you perform encryption, signing, and authentication more securely: the private key material never leaves the Yubikey, so the operations can only be carried out on the device while it is plugged in.
Today I'll explore the authentication key. It is possible to use your gpg authentication private key for ssh public key authentication, which gives you passwordless logins over the ssh protocol (gpg-agent will still prompt you for the card's PIN). Windows, Linux, and Mac OS X all have supported clients, and this post will explore how to set each of them up.
In order to use the gpg authentication key for passwordless ssh logins you'll first need to install gpg4win. When downloading this program, as an exercise I challenge you to also verify the integrity of the downloaded binary. With gpg4win installed, you'll need to modify a number of configuration files. First, edit the file
%APPDATA%/gnupg/sshcontrol and append the keygrip of your authentication subkey to it (the keygrip, not the key id, is what gpg-agent matches on). To find your keygrip, issue
> gpg --list-keys --with-keygrip
Next, open the file
%APPDATA%/gnupg/gpg-agent.conf and append the text below to it,
You may also need to import the public key that belongs to the keys on the Yubikey; the card's fetch command downloads it from the URL stored on the card (the private keys themselves stay on the device). From the command line issue,
> gpg --card-edit
gpg/card> fetch
PuTTY already has support for gpg-agent, which I believe is started by the Kleopatra application that handles gpg key management. This is all that needs to be done!
Ubuntu / Linux and Mac OS X
The procedure for setting up gpg authentication over ssh on Ubuntu is similar but has a few extra steps. Edit
~/.gnupg/gpg-agent.conf and add the below,
~/.gnupg/gpg.conf and append,
I also added the following to my
# Tell gpg (and the pinentry it spawns) which terminal to prompt on
export GPG_TTY=$(tty)
# Point ssh clients at gpg-agent's ssh-agent compatible socket. Newer GnuPG
# releases place this socket elsewhere; `gpgconf --list-dirs agent-ssh-socket`
# prints the correct path for the installed version.
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
# Make a running gpg-agent use this terminal for PIN prompts
gpg-connect-agent UPDATESTARTUPTTY /bye > /dev/null
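As an added example (not from the original post) for the sshcontrol step above, which applies unchanged to ~/.gnupg/sshcontrol on Linux and Mac OS X: the first function picks the authentication subkey's keygrip out of the machine-readable listing `gpg --list-keys --with-colons --with-keygrip`, so you do not expose the signing or encryption subkey to ssh by mistake, and the second appends it to sshcontrol only once. The listing embedded below is constructed sample data, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the machine-readable
# listing from `gpg --list-keys --with-colons --with-keygrip` and adds the
# authentication subkey's keygrip to sshcontrol exactly once.

# Constructed sample listing (not real keys): one primary key with a
# signing subkey (capability "s") and an authentication subkey ("a").
SAMPLE_LISTING='pub:u:4096:1:1111111111111111:1500000000:::u:::scESCA::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::AAAA0000000000000000000000000000AAAA0000:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
sub:u:4096:1:2222222222222222:1500000000::::::s::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::BBBB0000000000000000000000000000BBBB0000:
sub:u:4096:1:3333333333333333:1500000000::::::a::::::23:
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::CCCC0000000000000000000000000000CCCC0000:'

# authentication_keygrip: reads a --with-colons listing on stdin and prints
# the keygrip of the first key or subkey whose capability field (field 12)
# contains a lowercase "a". The keygrip is field 10 of the "grp" record
# that follows it. Only the auth key belongs in sshcontrol; listing the
# signing or encryption subkey there exposes it to every ssh-agent client.
authentication_keygrip() {
    awk -F: '
        $1 == "pub" || $1 == "sub" { want = (index($12, "a") > 0) }
        $1 == "grp" && want        { print $10; exit }
    '
}

# add_keygrip_to_sshcontrol KEYGRIP FILE: append KEYGRIP to FILE (normally
# ~/.gnupg/sshcontrol) unless an identical line is already present, so
# re-running the setup never produces duplicate entries.
add_keygrip_to_sshcontrol() {
    keygrip=$1
    file=$2
    if grep -qx "$keygrip" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$keygrip" >> "$file"
}

# Stand-alone demo against the sample listing; with a real card you would
# pipe the output of `gpg --list-keys --with-colons --with-keygrip` in instead.
grip=$(printf '%s\n' "$SAMPLE_LISTING" | authentication_keygrip)
echo "authentication keygrip: $grip"
```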
Some useful commands
Start gpg-agent:
gpgconf --launch gpg-agent
Kill gpg-agent:
gpgconf --kill gpg-agent