Your private SSH key is the key to the kingdom, which means always having a passphrase on the key. With a YubiKey you can also keep the secret key off your machine entirely.
Excerpt from Wikipedia: The YubiKey allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.
This is a short how-to to get started with using a YubiKey to SSH into your servers.
YubiKey as private SSH key
Prerequisites
1. Install the YubiKey management software.
   sudo dnf install yubikey-manager
2. Insert the YubiKey.
3. Check that OpenPGP is enabled on your YubiKey.
   ykman info
   Expected output should include the following.
   OPGP: Enabled
   If you get an error, restart your computer and go to step 2. Yes, I know this is Linux, but we're just doing it the easy way. It should work the second time around.
4. Set the preferred number of retries when entering PINs on the YubiKey. The defaults are 3 for the user PIN, 3 for the reset code (which unblocks the user PIN) and 3 for the admin PIN. In the example the admin retries are increased to 5.
   ykman openpgp set-pin-retries 3 3 5
Generate OpenPGP key on YubiKey
Use gpg2 for the rest.
1. Generate the PGP certificate on the card.
   gpg2 --edit-card
   gpg/card> admin
   gpg/card> generate
2. Follow the instructions.
3. Optionally set login, lang and sex.
4. Enter the password menu.
   gpg/card> passwd
5. Change the user PIN, menu 1.
6. Change the admin PIN, menu 3. The easiest is to stick to digits to avoid accidentally locking your YubiKey. If that happens you need to reset it with ykman.
7. Set a reset PIN if you want, menu 4. It is used to unblock the user PIN.
8. Exit to the shell.
   Q, Q.
9. Find your public key and export it to a keyserver.
   gpg2 --list-keys --keyid-format long
   gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys ABCDEF1234567890
10. You uploaded the key to a pool of machines. Now it's time to go and fetch a coffee, and let some time pass to avoid frustration while the pool is updating.
11. Find the URL for your public key on http://pool.sks-keyservers.net:11371.
12. Go back to the YubiKey and add the URL for the public key.
   gpg2 --edit-card
   gpg/card> admin
   gpg/card> url
   Paste in the URL for your public key,
   http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xABCDEF0123456789
13. Test fetching the public key from the keyserver.
   gpg/card> fetch
14. Generate a revocation certificate and store it in a safe place. A safe place may be paper or your favorite password manager.
   gpg2 --generate-revocation ABCDEF0123456789
Everything OK! Woohoo!
Change SSH to use gpg-agent
Go to the shell and edit your .bashrc so that it starts gpg-agent with SSH support.
vim .bashrc
Add the following.
# Start gpg-agent with SSH support unless one is already running for this user.
if ! pgrep -u "$USER" -f "gpg-agent.*enable-ssh-support" > /dev/null
then
    # Kill any gpg-agent that was started without SSH support first.
    pkill gpg-agent
    gpg-agent --homedir "$HOME/.gnupg" --daemon --enable-ssh-support
fi
# Point ssh at gpg-agent's SSH socket. It must be exported, otherwise
# ssh (a child process of the shell) never sees it.
export SSH_AUTH_SOCK
SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
Close your shell and open a new one to reload .bashrc. If you have problems, kill the existing gpg-agent with pkill gpg-agent, then close and open the shell again.
Public SSH key
Get your public SSH key.
gpg2 --export-ssh-key ABCDEF0123456789
Add this public SSH key to authorized_keys on all your servers and you're good to go :)
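Copying the exported line into authorized_keys on every server is the part that tends to go wrong: a stray character in the pasted blob, wrong permissions so sshd ignores the file, or the same key appended several times. Below is an added example, not from the original post, of a small POSIX shell helper that installs the key idempotently: it checks the line has a known key type and a clean base64 blob, creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes expects, and skips the append when a key with the same type and blob (comment ignored) is already present. The key blob and the cardno comment in the usage comment are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): install the SSH public key
# exported from the YubiKey into a server's authorized_keys file safely.

# Return 0 if LINE looks like a valid authorized_keys entry:
# a known key type, followed by a base64 blob, optionally a comment.
valid_pubkey_line() {
    line=$1
    case $line in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) return 1 ;;
    esac
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    [ -n "$blob" ] || return 1
    # Base64 alphabet only; anything else is a paste error, not a key.
    case $blob in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# Return how many entries in AUTH_FILE carry the same type and blob as KEY_LINE.
# The comment field is ignored, so "cardno:..." vs "openpgp:..." does not matter.
count_authorized_key() {
    key_line=$1
    auth_file=$2
    [ -f "$auth_file" ] || { echo 0; return 0; }
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    awk -v t="$key_type" -v b="$key_blob" \
        '$1 == t && $2 == b { n++ } END { print n + 0 }' "$auth_file"
}

# Append KEY_LINE to AUTH_FILE (default: ~/.ssh/authorized_keys) unless the
# same key is already there. Directory gets 700 and the file 600, which is
# what sshd requires before it will trust the file at all.
install_authorized_key() {
    key_line=$1
    auth_file=${2:-$HOME/.ssh/authorized_keys}

    valid_pubkey_line "$key_line" || {
        echo "refusing to install malformed key line" >&2
        return 1
    }

    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    if [ "$(count_authorized_key "$key_line" "$auth_file")" -gt 0 ]; then
        return 0   # already present; nothing to do
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Usage on a server, with the line produced by the export step on your workstation
# (the blob below is a constructed placeholder):
#   install_authorized_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEPLACEHOLDERBLOB0123456789 cardno:000123456789"
```

Run it once per server; running it again with the same key, even with a different comment, leaves the file unchanged, which makes it safe to put in whatever configuration tooling you already use.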
Caveats
- The YubiKey must be present to log into a server.
- If the user PIN is entered wrong too many times, it needs to be unblocked with the reset PIN.
- If the admin PIN is entered wrong too many times, the YubiKey is locked and needs to be reset with ykman. You will lose your private key and need to revoke it with the revocation certificate.