I got my brand new Yubikey 4 the other day and decided to transfer my PGP subkeys over to it for safer keeping. After about 10 minutes I bricked the damn thing. Well, more specifically, the OpenPGP applet. Yubico has reset instructions, but all their docs refer to the Yubikey Neo. After contacting support, they told me to follow the instructions for the Neo to reset the applet. I was then able to import my keys fairly easily.
Now that my keys were on the Yubikey, I thought it would be fun to set up SSH on my Raspberry Pi to use my PGP keys for auth. The process seemed simple enough, except that it took me all night to figure out. I googled the shit out of it and came up with everything but the answer. Hopefully this will help someone else when they run into the same problems I had.
Note: This assumes you’ve got a working Yubikey with a valid authentication subkey already on the key.
Set up your client (Windows 10 and PuTTY in my case)
Follow these instructions on Yubico’s site. They are pretty much correct. The only difference I’m seeing now is that I didn’t have to manually start the gpg-agent with a startup shortcut like they said. But I may just be doing something different.
What they leave out is exactly how to configure PuTTY. Once you have the gpg-agent running with “enable-putty-support”, you need to configure PuTTY to allow agent forwarding.
Open up PuTTY, go to Connections > SSH > Auth and check the box that says “Allow agent forwarding.”
That’s all you have to do on the client. The rest needs to be done on the server.
Set up your server (Raspberry Pi running Raspbian Jessie Lite in my case)
This is where Yubico’s documentation and Google were a bit hazy. I was able to get it working with various links, but I had to piece it all together. This post was probably the most helpful, though he goes into a lot of other stuff that isn’t applicable.
The first thing I had to do was install gnupg2. This installs a gpg-agent that supports SSH authentication.
$ sudo apt-get install gnupg2
Next we need to enable gpg-agent’s SSH agent:
$ echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
Now log out of your SSH session and back in so gpg-agent can enable its SSH agent.
We can test that PuTTY is forwarding the gpg-agent on your PC into your SSH session by listing the fingerprints of the public keys the agent currently holds:
$ ssh-add -l
4096 4b:92:1e:c9:3f:b2:72:74:13:78:94:43:48:d6:66:2b cardno:000500001BDE (RSA)
Lastly, we need to add your public key to the authorized_keys file so you can log in. We will use the same command as above, but with the -L switch instead, which prints the key in the format authorized_keys expects:
$ ssh-add -L >> ~/.ssh/authorized_keys
That’s it. Just log out and log back in using the PuTTY settings mentioned above.
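The two server-side steps above, as an added example that is not from the original post: a small POSIX sh script that adds the gpg-agent.conf line and imports the forwarded key into authorized_keys without creating duplicates when re-run, checks that the forwarded agent is actually reachable first, and sets the file permissions sshd expects. It assumes `ssh-add -L` prints the Yubikey's key over a PuTTY session with agent forwarding enabled; the script name `setup-gpg-ssh.sh` is hypothetical.

```shell
# Added example, not from the original post: re-runnable versions of the
# server-side steps (gpg-agent.conf line, authorized_keys import).
# Assumes POSIX sh and that, over a PuTTY session with agent forwarding,
# `ssh-add -L` prints the Yubikey's public key.

# Append a line to a file only if that exact line is not already present.
ensure_line() {
    line=$1; file=$2
    mkdir -p "$(dirname "$file")" && touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Read public-key lines (ssh-add -L format) on stdin and add each to the
# given authorized_keys file unless its type+blob is already there, with
# the permissions sshd's StrictModes check requires. Prints keys added.
install_agent_keys() {
    akf=$1
    mkdir -p "$(dirname "$akf")" && chmod 700 "$(dirname "$akf")"
    touch "$akf" && chmod 600 "$akf"
    added=0
    while IFS= read -r key; do
        # ignore anything that is not a key line (e.g. agent error text)
        case $key in ssh-*|ecdsa-*|sk-*) ;; *) continue ;; esac
        # match on type and blob only; the "cardno:..." comment may change
        keyid=$(printf '%s' "$key" | cut -d' ' -f1,2)
        if ! grep -qF -- "$keyid" "$akf"; then
            printf '%s\n' "$key" >> "$akf"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# ssh-add -l exits 0 with identities, 1 with none, 2 if no agent is reachable.
agent_has_keys() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && ssh-add -l >/dev/null 2>&1
}

# Apply the steps only when invoked as: sh setup-gpg-ssh.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_line enable-ssh-support "$HOME/.gnupg/gpg-agent.conf"
    # GnuPG 2.1+ can restart the agent with `gpgconf --kill gpg-agent`;
    # on older versions log out and back in, as the post describes.
    agent_has_keys || { echo "no forwarded agent with keys; check PuTTY" >&2; exit 1; }
    n=$(ssh-add -L | install_agent_keys "$HOME/.ssh/authorized_keys")
    echo "added $n key(s) to ~/.ssh/authorized_keys"
fi
```

Running it a second time adds nothing, so it is safe to keep in your dotfiles setup; if the agent check fails, PuTTY's "Allow agent forwarding" box is the first thing to re-verify.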