Using Yubikey for GPG & SSH authentication

I got myself a Yubikey 4 and spent several hours trying to get it to work with both GPG & SSH agents. I tried several different ways and this way consistently works.

NOTE - this guide assumes you already have the GPG key on the Yubikey and you just need to load the public key.

Install the yubiclient and smartcard software - OpenSUSE

First install the needed packages

zypper install ykclient ykpers

Insert the Yubikey into the USB port and run this command

ykinfo -v
version: 4.2.8

Fix udev permissions

If you get the following message then we will need to fix permissions.

USB error: Access denied (insufficient permissions)

sudo vim /usr/lib/udev/rules.d/69-yubikey.rules
ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
# The match and the OWNER/MODE assignments must stay on one line (udev reads one rule per line).
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="andrew", MODE="0600"

LABEL="yubico_end"

Change the OWNER value to your own user name so that user is granted access to the Yubikey device node.

Update udev permissions

udevadm control --reload
udevadm trigger

Now try this again

ykinfo -v
version: 4.2.8

Install the Smartcard software

zypper install pcsc-tools opensc

Now start & enable the pcscd service

sudo systemctl start pcscd.service
sudo systemctl enable pcscd.service

Install GPG key and set the SSH agent

Load the public key into GPG.

If you have your public key on Keybase.io, then it's as simple as

curl https://keybase.io/mealies/pgp_keys.asc | gpg --import

Now, make sure the yubikey is plugged in and check GPG can see it.

gpg2 --card-edit

Reader ...........: 1050:0407:X:0
Application ID ...: D2760021240112010006041583300000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 03128120
Name of cardholder: Andrew Bell
Language prefs ...: 
Sex ..............: 
URL of public key : https://keybase.io/mealies/pgp_keys.asc
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 252
Signature key ....: 67F5 7640 A7A0 AC9F B618  B954 87FF E563 02CD 8995
      created ....: 2017-03-09 18:34:56
Encryption key....: 47E2 4A2D EAd5 7DF9 649E  4646 B6DB 05D8 1883 168B
      created ....: 2017-03-09 18:35:55
Authentication key: 3202 5A83 0F58 D877 962C  86B8 2ACF 9AFC 4FBD C828
      created ....: 2017-03-09 18:36:38
General key info..: sub  rsa4096/87FFE56302CD8995 2017-03-09 Andrew Bell <[email protected]>
sec#  rsa4096/68BEB9468C901C69  created: 2017-03-09  expires: 2020-03-08
ssb>  rsa4096/87FFE56302CD8995  created: 2017-03-09  expires: 2020-03-08
                                card-no: 0006 04158030
ssb>  rsa4096/B6FB05D81883168B  created: 2017-03-09  expires: 2020-03-08
                                card-no: 0006 04158030
ssb>  rsa4096/2ACA9AFC4FBDC828  created: 2017-03-09  expires: 2020-03-08
                                card-no: 0006 04158030

Now we need to edit the key and set the trust.

gpg --edit-key <keyID>
gpg> trust
pub  rsa4096/68BEB9468C901C69
     created: 2017-03-09  expires: 2020-03-08  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/87FFE56302CD8995
     created: 2017-03-09  expires: 2020-03-08  usage: S
     card-no: 0006 04158030
ssb  rsa4096/B6FB05D81883168B
     created: 2017-03-09  expires: 2020-03-08  usage: E
     card-no: 0006 04158030
ssb  rsa4096/2ACA9AFC4FBDC828
     created: 2017-03-09  expires: 2020-03-08  usage: A
     card-no: 0006 04158030
[ultimate] (1). Andrew Bell <[email protected]>
[ultimate] (2)  Andrew Bell <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

Configure SSH agent

Enable SSH agent in gpg-agent

First, create the gpg-agent conf file

vim .gnupg/gpg-agent.conf

add the following and save the file

enable-ssh-support

Now restart gpg-agent so that it picks up the new setting and starts listening on the SSH socket.

gpgconf --kill gpg-agent && gpg-agent --daemon --verbose
gpg-agent[11581]: listening on socket '/run/user/1000/gnupg/S.gpg-agent'
gpg-agent[11581]: listening on socket '/run/user/1000/gnupg/S.gpg-agent.extra'
gpg-agent[11581]: listening on socket '/run/user/1000/gnupg/S.gpg-agent.browser'
gpg-agent[11581]: listening on socket '/run/user/1000/gnupg/S.gpg-agent.ssh'
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
gpg-agent[11582]: gpg-agent (GnuPG) 2.2.5 started

Now export the SSH_AUTH_SOCK variable, using the line gpg-agent printed above

SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

Verify the SSH agent

ssh-add -L
ssh-rsa 
AAAAB2NzaC1yc2EAAAFDAQASADACAQC6a6gI/HpiyEOn96EtioP8oqzb12VMbwSlF2NlmcVDLuWqO6MB/4YEWisD/vYJDSJBft/R5bkwfdGVbZSpnzCRyiX1ZtDlTlUFgASj6JjpuQMhp3BxUN2hMLd4T77j4VnXjQjXR650UFBKTEP31OIuLz9hhAaNH8gU2ulankcHEVGPYAy/DMQTML8bdweXG2ebUf2kIFkxVgGIcGSmo8f0Jxwy2dObziQMkjJOuSd5ruiQ5kGs2BNNIN0+TruHVG77HI9zzIJaJRWDH8gD9IlMm1RQm2Pmyi90Jht;m8q6Z11nvg3NVf09N5bDRJ7CMyWGdpDIFN1RZUN6t9dIU0QwIJ/Xb2BzaOFoFF0UcnMqeay0s4FmhpB0raIklx2zhyXJMlbN9mGbD8qzDzT8TJVI4JVtRJxxSdCr/P9sDDfeN3+jl6EKAWOVpREsd6YXYx02UkDZmh9r8I50rPQc/MUayoa2kUoFBPteoEIqht1TcjZ/Vo2MnhCSJB8L2bxEwkcY9slFQzBFjn22mejwKZhvDG4F3pUOTpWOo+OurU6xcAeaRN+W3FFvFqkZzSNb2ZjOTfeZT+qaQ4v4IDNlPZJkh41MHcY0rL5otlZfy9wR8rTrjpwsUcYuBrIxTu5F8BGpdlRrWXQv7n0O1ije8kc8YxpUYITBomyScKY6RLBcaw== 
cardno:000604221030

Running ssh-add -L as above should now list the public key. You can now use this key as the SSH public key on your remote systems. Make sure to copy the whole line, including the trailing cardno:xxxxxxxxx comment.

Add the public key to GitHub (or any server you can test against) and try connecting.

You should get a window prompting you for your Yubikey PIN.

Yubikey PIN prompt

Hi mealies! You've successfully authenticated, but GitHub does not provide shell access.

Clean Up

Add

SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

to your .bash_profile so that the SSH agent is linked to the GPG agent, and therefore to your Yubikey, in every session.
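As an added example (not from the original post, and not Yubico's or GnuPG's own code), here is a .bash_profile-style snippet that replaces the hardcoded /run/user/1000 socket path from the clean-up step with `gpgconf --list-dirs agent-ssh-socket`, and a check on the `ssh-add -L` output from the verification step that only accepts a key carrying a cardno: comment. The function names and the sample key lines are constructed for this example.

```bash
# Ask gpgconf for gpg-agent's SSH socket; fall back to the uid-based path the
# post uses if gpgconf is not on PATH or fails (e.g. GnuPG not installed yet).
gpg_ssh_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock="$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)" || sock=""
    fi
    printf '%s\n' "${sock:-/run/user/$(id -u)/gnupg/S.gpg-agent.ssh}"
}

# Succeed only if $1 (the output of `ssh-add -L`) holds at least one key whose
# comment is cardno:<digits>, i.e. a key served from the Yubikey and not a
# file-backed key loaded into some other agent that shadows gpg-agent.
card_key_present() {
    printf '%s\n' "$1" | grep -Eq '^ssh-(rsa|ed25519) [A-Za-z0-9+/=]+ cardno:[0-9]+$'
}

# Put this in ~/.bash_profile: drop any plain ssh-agent PID, export the
# gpg-agent socket, and tell the agent which tty to use for the PIN prompt.
setup_gpg_ssh_agent() {
    unset SSH_AGENT_PID
    SSH_AUTH_SOCK="$(gpg_ssh_socket)"
    export SSH_AUTH_SOCK
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1 || true
    fi
}

# Constructed sample lines standing in for real `ssh-add -L` output.
SAMPLE_CARD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 cardno:000604221030'
SAMPLE_FILE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 andrew@laptop'

# Example run: wire up the agent, then report whether a card key is visible.
setup_gpg_ssh_agent
if command -v ssh-add >/dev/null 2>&1 && card_key_present "$(ssh-add -L 2>/dev/null)"; then
    echo "Yubikey-backed key available via $SSH_AUTH_SOCK"
else
    echo "no cardno: key found via $SSH_AUTH_SOCK (is the Yubikey plugged in?)"
fi
```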