diff --git a/content/yubikey_for_everything.md b/content/yubikey_for_everything.md index 3da3659..2099545 100644 --- a/content/yubikey_for_everything.md +++ b/content/yubikey_for_everything.md @@ -1,10 +1,12 @@ Title: Yubikey for EVERYTHING -Date: 2018-06-27T15:17+02:00 +Date: 2018-07-07T23:06+02:00 Author: Wxcafé Category: Slug: content/yubikey_for_everything Header_Cover: //pub.wxcafe.net/img/yubikey_cover.jpeg +###### EDIT: Update 07/07/2018, added `SSH_AUTH_SOCK` information, a few pointers about key generation and backup, and info about gpg-agent's bad behavior. + When I first started at the job I'm currently at at [Gandi](https://gandi.net), I was given a Yubikey NEO, looked into it for a few minutes and quickly decided to not give more thought about it. I put it away and didn't look back, partly @@ -54,7 +56,14 @@ Anyways, here's how to use this thing: - We're gonna start by adding our [GPG subkeys](https://alexcabal.com/creating-the-perfect-gpg-keypair/) to the - yubikey. This is really easy, since the yubikey is detected as a smartcard by + yubikey. That article covers pretty much everything, *except* generating an + Authentication subkey, which is done by doing `gpg --expert --edit-key + `, then `addkey`. You now need to select "(8) RSA (set your own + capabilities)" as the type of key, then type `S` to toggle signing off, `E` to + toggle encryption off, and finally `A` to toggle authentication on. Type `Q` + to confirm and quit, then keep as usual for the key size/expiration date/etc. + You're now done, and we can start by setting up the yubikey. + This is really easy, since the yubikey is detected as a smartcard by gpg: ``` 
@@ -161,7 +170,10 @@ The default PINs are `123456` for the user PIN and `12345678` for the admin PIN. Do take caution to export the private keys for safekeeping *BEFORE* moving them to the yubikey (the gpg `keytocard` command *MOVES* the keys, after you've run it -*you don't have the private keys available anymore to backup*) +*you don't have the private keys available anymore to backup*) (backups are +easily done with `gpg --armor --export-secret-keys > out.asc` and `gpg +--armor --export-secret-subkeys > subkeys_out.asc`. You obviously need +to save these to a secure location.) Now that we've prepped the card, we're gonna move the keys over to it. We're gonna move only the subkeys over, and since we're gonna need to use the yubikey 
@@ -401,13 +413,32 @@ keys on the card. They're not needed anymore since for a while now, gpg Now we want to use our gpg authentication key with SSH, to log in to our servers. To do that, we need to tell gpg-agent to act as an ssh-agent, by adding a single line to its configuration: `echo 'enable-ssh-support' >> -.gnupg/gpg-agent.conf`. Then we restart gpg-agent (`gpgconf --kill gpg-agent`) -and we should be set. Unplug the key, plug it back in, run `gpg --card-status`, +.gnupg/gpg-agent.conf`. Then we restart gpg-agent (`gpgconf --kill gpg-agent`). +Then, we need to tell ssh to use gpg-agent's socket as its agent. We do this by +adding a small snippet to our `$shrc` (for me, `~/.zshrc`): + +```shell +## use gpg agent as ssh agent +if which gpgconf 2>&1 >>/dev/null ; then + unset SSH_AGENT_PID + if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then + export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" + fi +fi +``` + +Unplug the key, plug it back in, run `gpg --card-status`, then `ssh-add -L` should show you a public key that ends with `cardno:xxxxxxxxxxxx`. That means it's done, you can now add this public key to `.ssh/authorized_keys` on your remote systems and you should be able to log in with that key. +Oh, and, side note. `gpg-agent` won't actually delete your cached keys when you +`ssh-add -D`, which is fucking bullshit, but in the meantime the solution is to +`gpg-connect-agent`, then `KEYINFO --ssh-list --ssh-fpr` to list the cached +keys, and then you can `DELETE_KEY ` that particular key, with the +fingerprint being the part right after KEYINFO. Quit by saying `/bye` + --- ### X.509 key and certificate storage
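Review bot: the first hunk loses the original publication date: `Date:` is rewritten from 2018-06-27 to 2018-07-07 instead of recording the revision separately, so the post will appear to have been first published on the edit date while the body says "Update 07/07/2018". Keep `Date: 2018-06-27T15:17+02:00` and put the revision in a separate metadata field if the site generator supports one (if this is Pelican, `Modified:`); the `######` EDIT line then agrees with the metadata instead of contradicting it.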
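Review bot: the key identifier after `gpg --expert --edit-key ` is missing in the second hunk; the inline code runs to a line break with nothing after the flag, so readers see an incomplete command. Write the argument as an explicit placeholder such as `gpg --expert --edit-key KEYID` (an angle-bracket placeholder would be swallowed by the markdown renderer, which is probably what happened here). It is also worth stating that the new Authentication subkey must exist before the `keytocard` step later in the article, because the card's authentication slot is what the SSH section below relies on.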
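Review bot: the backup commands in the third hunk have no key selector, so `gpg --armor --export-secret-keys > out.asc` dumps every secret key in the keyring, not only the one being moved to the card; pass the key ID (`gpg --armor --export-secret-keys KEYID > out.asc`). The second command, `--export-secret-subkeys`, is redundant for a backup since the first export already contains the subkeys. Stylistically, the new parenthetical opens immediately after the closing parenthesis of the previous one; making it its own sentence ("Back up first with ...") would read better.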
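Review bot: the redirection in the shell snippet of the fourth hunk is in the wrong order: `if which gpgconf 2>&1 >>/dev/null ; then` points stderr at the terminal before stdout is sent to /dev/null, so a missing `gpgconf` still prints an error on every shell start. Use `if command -v gpgconf >/dev/null 2>&1; then` (and `>` rather than `>>` for /dev/null). `gnupg_SSH_AUTH_SOCK_by` appears nowhere else in the snippet; a one-line comment saying where it is set and why the `$$` comparison avoids clobbering a socket already exported for this shell would help. Finally, `DELETE_KEY ` in the side note has the same missing-argument problem as `--edit-key` above, and the value a `KEYINFO` line shows right after the keyword is the keygrip, not the fingerprint, so the text should name it as such.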