SSH with YubiKey NEO on Fedora made easy

Your private SSH key is the key for the kingdom. This means always having a password on the key. With YubiKey, you can keep your secret key outside your machine too.

Excerpt from Wikipedia: The YubiKey allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.

This is a short how-to to get startet with using Yubikey to SSH into your servers.

YubiKey as private SSH key

Pre requests

  1. Install the YubiKey management software.

    sudo dnf install yubikey-manager
    
  2. Insert YubiKey

  3. Check that OpenPGP is enabled on your YubiKey.

    ykman info
    

    Expected output should include the following.

        OPGP:      Enabled
    

    If you get an error, restart your computer and goto 2. Yes, I know this is Linux, but we're just doing it the easy way. It should work the second time around.

  4. Set preferred number of retries when entering PIN on YubiKey. Default is 3 for user pin, 3 for unlock user pin (reset), 3 for admin pin. In the example admin retries is increased to 5.

    ykman openpgp set-pin-retries 3 3 5
    

Generate OpenPGP key on YubiKey

Use gpg2 for the rest.

  1. Generate PGP certificate on the key.

    gpg2 --edit-card
    gpg/card> admin
    gpg/card> generate
    
  2. Follow the instructions.

  3. Optionally set login, lang and sex.

  4. Enter the password menu.

    gpg/card> passwd
    
  5. Change user PIN, menu 1.

  6. Change admin PIN, menu 3. The easiest is to keep to numbers to avoid accidentally locking you YubiKey. If that happens you need to reset it with ykman.

  7. Set a reset PIN if you want, menu 4. Used to unblock the user PIN.

  8. Exit to shell. Q, Q.

  9. Find your public key and export it to a keyserver.

    gpg2 --list-keys --keyid-format long
    gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys ABCDEF1234567890
    
  10. You uploaded the key to a pool of machines. Now it's a time to go and fetch a coffee, and let some time go to avoid frustrations while the pool is updating.

  11. Find the URL for your public key on http://pool.sks-keyservers.net:11371.

  12. Go back to the YubiKey and add the URL for the public key.

    gpg2 --edit-card
    gpg/card> admin
    gpg/card> url
    

Paste in the URL for the your public key, http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xABCDEF0123456789

  1. Test fetching public key from the keyserver.

    gpg/card> fetch
    
  2. Generate a revocation certificate and store it in a safe place. Safe place may be paper or your favorite password manager.

    gpg2 --generate-revocation ABCDEF0123456789
    
  3. Everyting OK! Wohoo!

Change SSH to use gpg-agent

Go to shell and edit your .bashrc to start gpg-agent and with SSH support. You will lose your private key and need to revoke it with the revocation certificat.

vim .bashrc

Add the following.

AGENT=$(gpg-agent --daemon --enable-ssh-support 2>/dev/null) && \
  echo "$AGENT" > ~/.gpg-agent-info
source ~/.gpg-agent-info

Close your shell and open a new one to reload .bashrc. If you have problems, kill existing gpg-agent with pkill gpg-agent, close and open the shell again.

Public SSH key

Get your public SSH key.

 gpg2 --export-ssh-key ABCDEF0123456789

Add this public SSH key to all your servers authorized_keys and your good to go :)

Caveats

  • YubiKey must be present to log into a server.

  • If user PIN is entered to many times, it need to be unlocked with reset PIN.

  • If admin PIN is entered wrong to many times, YubiKey is locked and need to be reset with ykman. You will lose your private key and need to revoke it with the revocation certificat.

vim: set syn=markdown spell spl=en:

Comments