A friend of mine told me recently that he wanted to get a yubikey and was asking if and how he could use it for SSH. I pointed him at my previous post about GPG and yubikeys and I realised I had left out the SSH-related configuration.
How it works
The basic idea is straightforward: your yubikey holds a GPG subkey with the Authentication flag enabled (see the subkeys section in my previous post), gpg-agent exposes that key over a socket that speaks the ssh-agent protocol, and ssh is configured to talk to that socket instead of a regular ssh-agent.
The steps below were tested on Ubuntu 18.04 with gpg 2.2.4 and libgcrypt 1.8.1. Check the official site for the latest versions and whether the one you are running is still supported.
Step 1 - Configure your gpg-agent
Add the following lines to your ~/.gnupg/gpg-agent.conf:
enable-ssh-support
# Optional: how long (in seconds) the agent caches passphrases for gpg and ssh keys.
# gpg-agent's own defaults are 600/7200 for gpg keys and 1800/7200 for ssh keys;
# the values below keep the gpg defaults and shorten the ssh one to 10 minutes.
default-cache-ttl 600
max-cache-ttl 7200
default-cache-ttl-ssh 600
max-cache-ttl-ssh 7200
With enable-ssh-support set, gpg-agent creates an additional socket (gpgconf calls it agent-ssh-socket) that speaks the ssh-agent protocol, so any ssh client pointed at it can use the authentication key on the card without knowing anything about GPG.
Step 2 - Configure SSH
Now all we have to do is tell SSH where that socket is. SSH locates its agent through the SSH_AUTH_SOCK environment variable, and the following one-liner sets it to the right path (gpgconf prints the socket location for the current user, so there is nothing to hard-code):
$ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
Setting the GPG_AGENT_INFO variable
GnuPG 2.1 and later ignore this variable: the agent is started on demand and its socket lives at a fixed, per-user location. You only need to set it if you are running an older gpg-agent.
$ export GPG_AGENT_INFO="$(gpgconf --list-dirs agent-socket):0:1"
You can find more details about this in this twitter thread.
Putting everything together
To summarise, these two commands add the two lines in the right places. Note the single quotes on the second one: they keep the $(gpgconf ...) unexpanded in ~/.bashrc, so the socket path is looked up each time a shell starts rather than being frozen to whatever it was when you ran the command.
$ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
$ echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.bashrc
Reload your environment (open a new shell or source ~/.bashrc) and, with your yubikey plugged in, the following should print your public SSH key followed by your card's serial number as a cardno: comment:
$ ssh-add -L
Put that public key in ~/.ssh/authorized_keys on the server, or in your GitHub/GitLab account, and you're all set: the first connection will prompt for the card PIN via pinentry instead of a passphrase.
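The whole procedure, as one small POSIX shell script. This is an added example and not code from the original post: the function names, the file name gpg-ssh.sh and the sample outputs of gpgconf --list-dirs and ssh-add -L used to exercise the parsing helpers are constructed for illustration; the gnupg_SSH_AUTH_SOCK_by guard is the one the GnuPG manual recommends. It makes the gpg-agent.conf edit idempotent, evaluates the socket path at every shell start instead of once at install time, tells the agent which tty to show the PIN prompt on, and verifies the chain end to end so a failure names the step that is broken.

```shell
#!/bin/sh
# gpg-ssh.sh (hypothetical name): set up and verify gpg-agent as the ssh-agent
# for a card-resident key. Source it from ~/.bashrc to get gpg_ssh_env, or run
# it with "setup" or "check".

GPG_AGENT_CONF="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"

# Step 1: make sure enable-ssh-support is in gpg-agent.conf exactly once,
# then restart the agent so it picks the option up.
gpg_ssh_setup() {
    confdir="$(dirname "$GPG_AGENT_CONF")"
    mkdir -p "$confdir" && chmod 700 "$confdir"
    grep -qx 'enable-ssh-support' "$GPG_AGENT_CONF" 2>/dev/null \
        || printf 'enable-ssh-support\n' >> "$GPG_AGENT_CONF"
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
}

# Step 2: point ssh at gpg-agent's socket. Evaluated at every shell start,
# and guarded as in the GnuPG manual so a stock ssh-agent started by the
# desktop session does not win.
gpg_ssh_env() {
    unset SSH_AGENT_PID
    if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
        SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
        export SSH_AUTH_SOCK
    fi
    # Tell the agent which tty/display the PIN prompt should appear on.
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# Parse the name:value lines of `gpgconf --list-dirs` (read on stdin) and
# print the agent-ssh-socket path. %xx escapes in values are not decoded.
ssh_socket_from_listing() {
    while IFS=: read -r name value; do
        if [ "$name" = "agent-ssh-socket" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# True when an `ssh-add -L` line is a card-resident key: gpg-agent emits the
# comment "cardno:<serial>" for those instead of a user@host comment.
is_card_key() {
    # shellcheck disable=SC2086  # split into key type / key blob / comment
    set -- $1
    [ "$#" -eq 3 ] || return 1
    case "$3" in
        cardno:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Filter `ssh-add -L` output on stdin down to card-resident keys.
# Exit status 1 when none are present.
card_keys() {
    found=1
    while IFS= read -r line; do
        if is_card_key "$line"; then
            printf '%s\n' "$line"
            found=0
        fi
    done
    return $found
}

# Verify the chain end to end: the socket exists, ssh is pointed at it and a
# card key is listed. Each failure names the step that is broken.
gpg_ssh_check() {
    sock="$(gpgconf --list-dirs agent-ssh-socket)"
    [ -S "$sock" ] \
        || { echo "no socket at $sock: is enable-ssh-support set and the agent running?" >&2; return 1; }
    [ "${SSH_AUTH_SOCK:-}" = "$sock" ] \
        || { echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset} does not point at $sock" >&2; return 1; }
    ssh-add -L | card_keys \
        || { echo "agent reachable but no cardno: key listed: is the yubikey plugged in?" >&2; return 1; }
}

case "${1:-}" in
    setup) gpg_ssh_setup && gpg_ssh_env && gpg_ssh_check ;;
    check) gpg_ssh_check ;;
esac
```

Run `sh gpg-ssh.sh setup` once with the card inserted, then add `. /path/to/gpg-ssh.sh; gpg_ssh_env` to ~/.bashrc; `sh gpg-ssh.sh check` from a fresh shell tells you whether ssh is really talking to gpg-agent and seeing the card.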
Check out the links below for more information and details about gpg-agent and SSH.
- gpg-agent config file options: https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
- How does gpg-agent work: https://unix.stackexchange.com/questions/188668/how-does-gpg-agent-work
- What is SSH_AUTH_SOCK: https://superuser.com/questions/845378/what-is-ssh-auth-sock
- How ssh-agent forwarding works: http://www.unixwiz.net/techtips/ssh-agent-forwarding.html