Your private SSH key is the key to the kingdom. That means always having a passphrase on the key. With a YubiKey, you can also keep the private key off your machine entirely.
Excerpt from Wikipedia: The YubiKey allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.
This is a short how-to to get started with using a YubiKey to SSH into your servers.
YubiKey as private SSH key
Install the YubiKey management software.
sudo dnf install yubikey-manager
Check that OpenPGP is enabled on your YubiKey.
Expected output should include the following.
If you get an error, restart your computer and go back to step 2. Yes, I know this is Linux, but we're just doing it the easy way. It should work the second time around.
Set the preferred number of retries when entering a PIN on the YubiKey. The default is 3 for the user PIN, 3 for the reset code that unblocks the user PIN, and 3 for the admin PIN. In the example the admin retries are increased to 5.
ykman openpgp set-pin-retries 3 3 5
Generate OpenPGP key on YubiKey
Use gpg2 for the rest.
Generate PGP certificate on the key.
gpg2 --edit-card
gpg/card> admin
gpg/card> generate
Follow the instructions.
Enter the password menu.
Change the user PIN from the menu.
Change the admin PIN, menu option 3. The easiest is to stick to numbers to avoid accidentally locking your YubiKey. If that happens you need to reset it with ykman.
Set a reset PIN if you want, menu option 4. It is used to unblock the user PIN.
Exit to the shell.
Find your public key and export it to a keyserver.
gpg2 --list-keys --keyid-format long
gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys ABCDEF1234567890
You uploaded the key to a pool of machines. Now it's time to go and fetch a coffee and let some time pass, to avoid frustration while the pool is updating.
Find the URL for your public key on http://pool.sks-keyservers.net:11371.
Go back to the YubiKey and add the URL for the public key.
gpg2 --edit-card
gpg/card> admin
gpg/card> url
Paste in the URL for your public key.
Test fetching the public key from the keyserver.
Generate a revocation certificate and store it in a safe place. A safe place may be paper or your favorite password manager.
gpg2 --generate-revocation ABCDEF0123456789
Everything OK! Woohoo!
Change SSH to use gpg-agent
Go to the shell and edit your .bashrc to start gpg-agent with SSH support.
Add the following.
# Start gpg-agent with SSH support and save the environment it prints
# (on GnuPG 2.1 and later the agent prints nothing; point SSH_AUTH_SOCK at
# "$(gpgconf --list-dirs agent-ssh-socket)" instead)
AGENT=$(gpg-agent --daemon --enable-ssh-support 2>/dev/null) && \
  echo "$AGENT" > ~/.gpg-agent-info
# Export GPG_AGENT_INFO and SSH_AUTH_SOCK into this shell
source ~/.gpg-agent-info
Close your shell and open a new one to reload .bashrc. If you have problems, kill the existing agent with pkill gpg-agent, then close and open the shell again.
Public SSH key
Get your public SSH key.
gpg2 --export-ssh-key ABCDEF0123456789
Add this public SSH key to the authorized_keys file on all your servers and you're good to go :)
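The step above, pasting the exported key into every server's authorized_keys, is easy to get wrong by hand: duplicate lines, a file left world-readable, or a pasted line that is not a key at all. As an added example that is not part of the original post, this POSIX shell script validates the key line and installs it idempotently; the key line, file path and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: safely install a YubiKey-backed SSH public key into authorized_keys.
# The key line below is a constructed placeholder, not a real key.
set -eu

# Return 0 if the line looks like an OpenSSH public key: type, base64 blob, optional comment.
is_ssh_pubkey_line() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$'
}

# Append the key only if its type+blob is not already in the file.
# Exit status: 0 = added, 1 = already present, 2 = not a valid key line.
install_authorized_key() {
  file="$1"
  keyline="$2"
  is_ssh_pubkey_line "$keyline" || return 2
  # Compare on type and blob only, so a changed comment does not create a duplicate.
  blob=$(printf '%s\n' "$keyline" | awk '{print $1 " " $2}')
  if [ -f "$file" ] && grep -Fq -- "$blob" "$file"; then
    return 1
  fi
  mkdir -p "$(dirname "$file")"
  # Create the file with a restrictive umask; sshd refuses loose permissions anyway.
  ( umask 077; printf '%s\n' "$keyline" >> "$file" )
  chmod 600 "$file"
  return 0
}

# Demo run on a constructed key line (comment style matches gpg2 --export-ssh-key output).
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedExampleBlob openpgp:0xABCDEF0123456789'
demo_file="${TMPDIR:-/tmp}/demo_authorized_keys"
install_authorized_key "$demo_file" "$demo_key" && echo "key added to $demo_file"
```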
The YubiKey must be present to log into a server.
If the user PIN is entered wrong too many times, it needs to be unlocked with the reset PIN.
If the admin PIN is entered wrong too many times, the YubiKey is locked and needs to be reset with ykman. You will lose your private key and need to revoke it with the revocation certificate.