The YubiKey 4 and YubiKey NEO support the OpenPGP interface for smart cards which can be used with GPG4Win for encryption and signing, as well as for SSH authentication. These in turn can be used by several other useful tools, like Git, pass, etc. This guide will help you set up the required software for getting things to work. IPWorks SSH allows developers to rapidly build SSH secured applications including secure file transfer, secure remote login, secure email, and more. SSH is a low-level communications protocol providing security via strong encryption and advanced cryptography. Users of the IPWorks SSH can use hardware tokens to authenticate to their SFTP server.
It's been a long time since my last blogpost, but I'm back with a post about how to use your Yubikey 4 for GPG and SSH keys.
The rather small Yubikeys are sold by Yubico and I obtained two as part of a student offer last year. You can find a detailed product description on their website.
My goal was to use them as two-factor devices, because I do not like the mobile- or tan-based two-factor authentication approach. The reasoning behind this is, that while travelling through certain countries, receiving text messages can cost up to multiple euros and one does not travel with his tan list...
A small piece of hardware that I can attach to my key ring should solve the problems in my opinion :) However, it turned out, that a Yubikey can also be used as a GPG smartcard, which in turn can be used to authenticate against SSH servers. Fancy! ;)
There are several good tutorials that helped with my setup and you should read them and/or google a bit. Especially this one has some invaluable comments and hints, that you shouldn't miss! Simply because this won't be a detailed step-by-step guide!
A Yubikey can act as a GPG smartcard allowing us to safely store our private GPG keys on it. I won't go into detail on how to create GPG keys, but I will assume that you have a masterkey and three subkeys:
- One for signing [S] (e.g. Emails)
- One for encryption [E] (e.g. Emails)
- One for authentication [A] (e.g. SSH)
Plug your Yubikey into a free USB port and make sure that gpg --card-status shows it:
Edit your GPG key you want to store on the Yubikey with gpg --edit-key AAAABBBB. Use the keytocard command to send the private keys to the Yubikey. Note that this step is destructive and it will delete the private keys from your computer! Make sure to have a backup of your master keys!
If that step succeeded, the gpg --card-status command should show the different subkeys in the overview:
To check if everything works as intended, we can create an encrypted message and decrypt it:
Do not forget to set the PINs for the admin/non-admin commands of gpg --card-edit!
The SSH key is derived from the private key on your Yubikey. If you haven't followed the steps of the previous section, you should definitely do so.
First, make sure that the Yubikey is plugged into an USB port and it has an authentication key stored.
You can then export your SSH public key using the following command:
Upload this public key to your servers or wherever you need to authenticate with the SSH key.
To use the key, you have to configure the GPG agent to enable SSH support and act as a SSH agent:
Stop and restart all runnig GPG/SSH agents:
Furthermore, we need to unset the SSH_AUTH_SOCK, so add the following lines into your ~/.bashrc:
With your Yubikey still plugged in, you should see your SSH key when running the ssh-add command:
Yubikey Ssh Mac
That's all! SSH will now use the SSH key from your Yubikey, so don't forget to plug it in, before running ssh server.
-=-
Google uses cookies and data to:Yubikey Ssh Macos
- Deliver and maintain services, like tracking outages and protecting against spam, fraud, and abuse
- Measure audience engagement and site statistics to understand how our services are used
Yubico Ssh Key
If you agree, we’ll also use cookies and data to:Yubikey Ssh Ed25519
- Improve the quality of our services and develop new ones
- Deliver and measure the effectiveness of ads
- Show personalized content, depending on your settings
- Show personalized or generic ads, depending on your settings, on Google and across the web
Yubikey Ssh
For non-personalized content and ads, what you see may be influenced by things like the content you’re currently viewing and your location (ad serving is based on general location). Personalized content and ads can be based on those things and your activity like Google searches and videos you watch on YouTube. Personalized content and ads include things like more relevant results and recommendations, a customized YouTube homepage, and ads that are tailored to your interests.Yubikey Ssh Github
Click “Customize” to review options, including controls to reject the use of cookies for personalization and information about browser-level controls to reject some or all cookies for other uses. You can also visit g.co/privacytools anytime.