A friend of mine told me recently that he wanted to get a yubikey and was asking if and how he could use it for SSH. I pointed him at my previous post about GPG and yubikeys and I realised I had left out the SSH-related configuration.

How it works

The basic idea is straightforward: you have on your yubikey a gpg key with the Authentication flag enabled (see the subkeys section in my previous post), the gpg-agent exposes it in an ssh-compatible way, and your ssh is configured to use it.

The steps below are tested on Ubuntu 18.04 with gpg 2.2.4 and libgcrypt 1.8.1. Check the official site for the latest versions and whether or not they are still supported.

Step 1 - Configure your gpg-agent

Add the following lines to your ~/.gnupg/gpg-agent.conf:

enable-ssh-support

# You can also define how long the gpg and ssh keys will be cached for.
# These are the default values, in seconds.
default-cache-ttl 600
max-cache-ttl 7200

default-cache-ttl-ssh 600
max-cache-ttl-ssh 7200

What this does is make the gpg-agent create a socket through which SSH can use the key held by the agent.

Step 2 - Configure SSH

Now all we have to do is tell SSH where that socket is so that it can use it. SSH reads the SSH_AUTH_SOCK environment variable for that, and we can use the following one-liner to set it to the right path:

$ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

Setting the GPG_AGENT_INFO variable

While recent versions of gpg don’t use this variable, you may need to set it if you are running a different version of the gpg-agent.

$ export GPG_AGENT_INFO="$(gpgconf --list-dirs agent-socket):0:1"

You can find more details about this in this twitter thread.

Putting everything together

To summarise, you basically need to run these two commands to add the two lines in the right places. Note the single quotes on the second command: they keep $(gpgconf ...) unexpanded in ~/.bashrc so that gpgconf is run every time your shell starts, instead of baking today's socket path into the file.

$ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
$ echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.bashrc

Reload your environment and, with your yubikey in place, you should be able to get your public SSH key followed by your card number by running

$ ssh-add -L

Put that key on the server/github/gitlab you want to access using your yubikey and you’re all set.
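As an added example (not part of the original post), here is the same setup as an idempotent POSIX shell script: it writes the gpg-agent.conf settings from step 1 without duplicating them on a second run, emits the ~/.bashrc line from step 2 with the correct quoting, and checks that the agent socket exists and that ssh-add -L lists a card-backed key. The function names and the target directory argument are my own; the gpgconf and ssh-add invocations are the ones the post uses.

```shell
#!/bin/sh
# Added example: idempotent gpg-agent + SSH configuration and a health check.

# ensure_line FILE LINE: append LINE to FILE unless an identical line already
# exists (so re-running never duplicates settings). Returns 1 if nothing changed.
ensure_line() {
  file=$1; line=$2
  [ -f "$file" ] || : > "$file"
  if grep -qxF -- "$line" "$file"; then
    return 1
  fi
  printf '%s\n' "$line" >> "$file"
}

# configure_gpg_agent_ssh DIR: write the settings from step 1 into
# DIR/gpg-agent.conf (DIR is normally ~/.gnupg; a parameter here for testing).
configure_gpg_agent_ssh() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir"          # gpg insists on a private homedir
  conf="$dir/gpg-agent.conf"
  ensure_line "$conf" "enable-ssh-support" || true
  ensure_line "$conf" "default-cache-ttl-ssh 600" || true
  ensure_line "$conf" "max-cache-ttl-ssh 7200" || true
}

# ssh_auth_sock_line: the line to append to ~/.bashrc. Single quotes keep the
# $(...) unexpanded so gpgconf is evaluated at every login, not once now.
ssh_auth_sock_line() {
  printf '%s\n' 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)'
}

# check_agent_socket: 0 if gpgconf reports an ssh socket that exists,
# 2 if gpgconf is unavailable, 1 if the agent has not created the socket yet.
check_agent_socket() {
  command -v gpgconf >/dev/null 2>&1 || return 2
  sock=$(gpgconf --list-dirs agent-ssh-socket) || return 2
  [ -S "$sock" ]
}

# list_card_keys: print the keys the agent serves from the yubikey; gpg-agent
# tags them with a "cardno:" comment. Returns 1 if none are listed.
list_card_keys() {
  SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) ssh-add -L 2>/dev/null \
    | grep 'cardno:'
}
```

Run configure_gpg_agent_ssh "$HOME/.gnupg", append the output of ssh_auth_sock_line to ~/.bashrc, then restart the agent (gpgconf --kill gpg-agent) before calling list_card_keys with the yubikey plugged in.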

Sources

Check out the links below for more information and details about gpg-agent and SSH.