I’d like to start off by sharing what I have as a working (albeit requiring some manual intervention) solution for a Yubikey 4. My workflow assumes that the Yubikey itself has already been prepared for the modes and keys that will be used. In my case I had set it up over a year ago and had a working configuration on my desktop. The steps and configurations that I list are my attempt to make it work on MATE 17.04 on a laptop and are a patchwork of various guides which I have extracted snippets from where I thought it matched.
The outstanding item remaining to be eliminated for my own setup is the current requirement to manually kill gpg-agent and restart it as the normal user with the --daemon and --enable-ssh-support options. But I’m getting ahead of myself. I’ll do my best to describe a reproducible process:
- Install the following packages: pcscd libccid scdaemon opensc pcsc-tools pinentry-curses gnupg2
At this point, the Yubikey should be able to work for things such as generating OTP and web-based 2FA (e.g. Google, Facebook, LastPass).
- I want my Yubikey to be used for ssh such that I never need to generate client specific keys. Once I’ve connected to a server one-time I will be able to login to that server in the future without having to “ssh-copy-id” to it. I want GPG to act as the ssh agent of choice so first I disable the existing OpenSSH agent. Comment out this line in /etc/X11/Xsession.options
#use-ssh-agent
Now navigate to the Startup Applications Preferences in the desktop menu and disable SSH Key Agent from starting automatically. In this case it is dealing with gnome keyring.
I believe this can also be accomplished by adding “X-GNOME-Autostart-enabled=false” to /etc/xdg/autostart/gnome-keyring-ssh.desktop (Note that this would disable autostart for all users so you may want to instead make a copy of the file in your ~/.config/autostart directory)
Log out and then back in.
- Now that we have focused the system down to using GPG we need to ensure it is configured appropriately. Insert your Yubikey. Type “gpg2 --card-status” to verify that it is able to be read. This should also create the ~/.gnupg directory if it doesn’t already exist. If you have a correct URL already set for a key server you can now use “gpg2 --card-edit” followed by the “fetch” command to download your public keys.
In the ~/.gnupg directory create “gpg-agent.conf” and add the following:
enable-ssh-support
pinentry-program /usr/bin/pinentry-curses
In the “gpg.conf” file, which should already be in the directory, add the following at the bottom:
use-agent
cd to your home directory and edit your “.bashrc” file to add the following:
# Start the gpg-agent if not already running
if ! pgrep -x -u "${USER}" gpg-agent >/dev/null 2>&1; then
    gpg-connect-agent /bye >/dev/null 2>&1
fi
# Set SSH to use gpg-agent
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
fi
GPG_TTY=$(tty)
export GPG_TTY
# Refresh gpg-agent tty in case user switches into an X session
gpg-connect-agent updatestartuptty /bye > /dev/null
Now log out and back in again.
Running “ssh-add -L” should list keys corresponding to your Yubikey. Now is the time to attempt to login to an ssh server (ideally one that already has your public key in its “~/.ssh/authorized_keys” file).
From here you are at the stage where I have found myself stuck in that everything seems to be set correctly but when attempting to ssh to the server it fails. My current workaround is as follows:
pkill gpg-agent
gpg-agent --daemon --enable-ssh-support
This now allows me to ssh to the server where I am presented with the pinentry prompt to enter the passphrase. I believe the issue is that when gpg-agent is launched upon login it is with the wrong effective uid. Killing it and then launching it as the actual user seems to solve this but there must be a better way!
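A diagnostic script for the setup described above, added here as an example and not part of the original post. It checks the three things that have to line up for gpg-agent to serve SSH: SSH_AUTH_SOCK points at the socket gpg-agent actually uses, that socket is owned by the logged-in uid, and a gpg-agent process is running under that uid. It assumes GnuPG 2.1 or later (gpgconf --list-dirs agent-ssh-socket) and falls back to the /run/user/$UID/gnupg/S.gpg-agent.ssh path from the post when gpgconf is not on PATH.

```shell
#!/bin/sh
# Diagnostic for the gpg-agent-as-ssh-agent setup (added example, not the
# original post's code). Source it, then run "diagnose", or execute it as
# "sh diagnose.sh run".

# Socket gpg-agent expects to serve SSH on. gpgconf is authoritative; the
# hard-coded path is the one used in the post and is only a fallback.
expected_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '/run/user/%s/gnupg/S.gpg-agent.ssh\n' "$(id -u)"
    fi
}

# Numeric uid owning a path (ls -ln is portable where stat -c is not).
path_owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# 0 when the socket exists and is owned by the given uid. An agent started
# under a different effective uid leaves a socket the user cannot use,
# which matches the symptom described in the post.
check_socket_owner() {
    [ -e "$1" ] || return 1
    [ "$(path_owner_uid "$1")" = "$2" ]
}

# 0 when SSH_AUTH_SOCK (arg 1) equals gpg-agent's SSH socket (arg 2).
check_auth_sock_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 0 when a gpg-agent process is running under the given uid.
agent_running_as() {
    pgrep -x -u "$1" gpg-agent >/dev/null 2>&1
}

diagnose() {
    exp=$(expected_ssh_socket); me=$(id -u); rc=0
    check_auth_sock_matches "${SSH_AUTH_SOCK:-}" "$exp" \
        || { echo "SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}' but gpg-agent uses '$exp'"; rc=1; }
    check_socket_owner "$exp" "$me" \
        || { echo "socket $exp is missing or not owned by uid $me"; rc=1; }
    agent_running_as "$me" \
        || { echo "no gpg-agent running as uid $me (try: gpg-connect-agent /bye)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "gpg-agent ssh setup looks consistent"
    return "$rc"
}

case "${1:-}" in run) diagnose ;; esac
```

A non-zero exit from diagnose names the mismatch, so you can tell a stale or foreign-owned socket apart from a missing agent before resorting to pkill.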