Last week I wrote about how you can generate ssh keys on your Yubikeys and use them. There is another way of keeping your ssh keys secure: using your existing OpenPGP key (along with an authentication subkey) on a Yubikey and using it for ssh.
In this post I am not going to explain the steps to move your key to a Yubikey, only the steps required to start using it for ssh access. Feel free to have a look at Tumpa if you want an easy way to upload keys to your card.
Enabling gpg-agent for ssh
First we have to add a gpg-agent.conf file with the correct configuration. Remember to use a different pinentry program if you are on Mac or KDE.
❯ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
❯ echo "pinentry-program $(which pinentry-gnome)" >> ~/.gnupg/gpg-agent.conf
❯ echo "export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)" >> ~/.bash_profile
❯ source ~/.bash_profile
❯ gpg --export-ssh-key <KEYID> > ~/.ssh/id_rsa_yubikey.pub
At this moment your public key (for ssh usage) is in the ~/.ssh/id_rsa_yubikey.pub file. You can add it to the ~/.ssh/authorized_keys file on the servers as required.
We can then restart the gpg-agent using the following command and then verify that the card is attached and gpg-agent can find it.
❯ gpgconf --kill gpg-agent
❯ gpg --card-status
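The setup above as an idempotent script, added here as an example and not part of the original post: it appends each configuration line only once, restarts the agent, exports the ssh public key, and checks the two things that most often go wrong afterwards (SSH_AUTH_SOCK still pointing at a plain ssh-agent, and a server's authorized_keys not yet carrying the card key). It assumes GnuPG 2.1+ and pinentry-gnome3 as the default pinentry (the PINENTRY override variable is my own addition).

```shell
#!/bin/sh
# Added example (not from the original post): idempotent gpg-agent ssh setup
# plus checks for the usual failure modes. Assumes GnuPG 2.1+ (gpgconf,
# gpg --export-ssh-key) and pinentry-gnome3; set PINENTRY=... on Mac/KDE.
set -u

# Append LINE to FILE only if it is not already present, so rerunning the
# setup never duplicates entries in gpg-agent.conf or the shell profile.
ensure_line() {
  file=$1; line=$2
  mkdir -p "$(dirname "$file")"; touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# 0 when SSH_AUTH_SOCK points at the gpg-agent ssh socket EXPECTED, else 1.
# The path is a parameter so the check works without gpgconf installed; the
# real caller passes "$(gpgconf --list-dirs agent-ssh-socket)".
sock_is_gpg_agent() {
  [ "${SSH_AUTH_SOCK:-}" = "$1" ]
}

# 0 when the key type and blob of PUBKEY_LINE (comment ignored) appear in
# FILE, e.g. to confirm a server's authorized_keys already has the card key.
key_in_file() {
  core=$(printf '%s\n' "$1" | awk '{print $1, $2}')
  awk -v want="$core" '($1 " " $2) == want { found = 1 } END { exit !found }' "$2"
}

# Apply the configuration from the post for KEYID and verify the card.
setup_gpg_agent_ssh() {
  keyid=$1; conf="$HOME/.gnupg/gpg-agent.conf"
  pinentry=${PINENTRY:-$(command -v pinentry-gnome3 2>/dev/null || true)}
  ensure_line "$conf" "enable-ssh-support"
  if [ -n "$pinentry" ]; then ensure_line "$conf" "pinentry-program $pinentry"; fi
  # Single quotes: the socket path is resolved at login time, not once here.
  ensure_line "$HOME/.bash_profile" \
    'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"'
  gpgconf --kill gpg-agent                      # restart to pick up the config
  gpg --card-status >/dev/null || { echo "card not detected" >&2; return 1; }
  mkdir -p "$HOME/.ssh"
  gpg --export-ssh-key "$keyid" > "$HOME/.ssh/id_rsa_yubikey.pub"
  sock_is_gpg_agent "$(gpgconf --list-dirs agent-ssh-socket)" ||
    echo "SSH_AUTH_SOCK is not the gpg-agent socket yet; source ~/.bash_profile" >&2
}

# Usage: sh setup.sh apply <KEYID>
if [ "${1:-}" = "apply" ]; then setup_gpg_agent_ssh "$2"; fi
```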
Enabling touch policy on the card
We should also enable the touch policy on the card for the authentication operation. This means every time you try to ssh using the Yubikey, you will have to touch the interface (the light will flash until you touch it).
❯ ykman openpgp keys set-touch aut On
Enter Admin PIN:
Set touch policy of authentication key to on? [y/N]: y
If you still have servers where you have only the old key, the ssh client will be smart enough to ask you the passphrase for those keys.