Using your OpenPGP key on Yubikey for ssh
Last week I wrote about how you can generate ssh keys on your Yubikeys and use them. There is another way of keeping your ssh keys secure: using your already existing OpenPGP key (along with its authentication subkey) on a Yubikey and using it for ssh.
In this post I am not going to explain the steps on how to move your key to a Yubikey, but only the steps required to start using it for ssh access. Feel free to have a look at Tumpa if you want an easy way to upload keys to your card.
Enabling gpg-agent for ssh
First we have to add a gpg-agent.conf file with the correct configuration. Remember to use a different pinentry program if you are on Mac or KDE.
❯ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
❯ echo "pinentry-program $(which pinentry-gnome)" >> ~/.gnupg/gpg-agent.conf
❯ echo "export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)" >> ~/.bash_profile
❯ source ~/.bash_profile
❯ gpg --export-ssh-key <KEYID> > ~/.ssh/id_rsa_yubikey.pub
At this moment your public key (for ssh usage) is in the ~/.ssh/id_rsa_yubikey.pub file. You can add it to the ~/.ssh/authorized_keys file on the servers as required.
We can then restart the gpg-agent using the following command, and also verify that the card is attached and gpg-agent can find it.
❯ gpgconf --kill gpg-agent
❯ gpg --card-status
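As an added example (not from the original post), here is an idempotent shell version of the setup above, plus checks that SSH_AUTH_SOCK really points at gpg-agent's ssh socket and that the card's key is visible to the agent. The function names and the pinentry fallback order are my own; it assumes GNUPGHOME or ~/.gnupg.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the setup above.
# The page appends with ">>", which adds a duplicate line every time it is re-run;
# ensure_line only appends when the exact line is absent. Function names are mine.

ensure_line() {
    # usage: ensure_line FILE LINE  -> append LINE to FILE unless already present
    file=$1
    line=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

configure_gpg_agent() {
    # gpg-agent.conf: enable the ssh socket and pick a pinentry. The page uses
    # pinentry-gnome; on Mac/KDE point this at pinentry-mac or pinentry-qt instead.
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    pin=$(command -v pinentry-gnome3 || command -v pinentry-gnome || command -v pinentry) || return 1
    ensure_line "$conf" "enable-ssh-support"
    ensure_line "$conf" "pinentry-program $pin"
    chmod 600 "$conf"
    # restart so the new configuration is read, then start the agent so its socket exists
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
}

verify_agent_socket() {
    # 0 only when SSH_AUTH_SOCK is gpg-agent's ssh socket and that socket exists.
    # A leftover OpenSSH ssh-agent socket is the usual reason ssh never asks the card.
    want=$(gpgconf --list-dirs agent-ssh-socket) || return 1
    [ "${SSH_AUTH_SOCK:-}" = "$want" ] && [ -S "$want" ]
}

card_key_in_agent() {
    # gpg-agent lists card-backed keys with a "cardno:<serial>" comment in ssh-add -L,
    # so this succeeds only when the agent can actually see the Yubikey's auth key.
    ssh-add -L 2>/dev/null | grep -q 'cardno:'
}

# Run the full setup only when asked, so the functions can be sourced or tested alone.
if [ "${1:-}" = "--apply" ]; then
    configure_gpg_agent
    verify_agent_socket || echo "SSH_AUTH_SOCK is not gpg-agent's socket; re-source ~/.bash_profile" >&2
    card_key_in_agent || echo "card key not visible yet; check gpg --card-status" >&2
fi
```

Run it as `sh setup.sh --apply` after plugging in the card; the two warnings are the first things to look at when ssh silently falls back to other keys.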
Enabling touch policy on the card
We should also enable the touch policy on the card for the authentication operation. This means that every time you try to ssh using the Yubikey, you will have to touch the interface (its light will flash until you touch it).
❯ ykman openpgp keys set-touch aut On
Enter Admin PIN:
Set touch policy of authentication key to on? [y/N]: y
If you still have servers where you have only the old key, the ssh client will be smart enough to ask you for the passphrase for those keys.