Yubikey for SSH
Here is a quick guide for using a yubikey on different platforms for SSH.
This guide assumes that a GPG key (with an authentication subkey) is already configured on the device.
macOS
First we install brew:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Then the required packages:
brew install gnupg2 pinentry-mac
Now edit ~/.gnupg/gpg-agent.conf:
pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
Next, create ~/.zprofile with:
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
After a quick reboot the key should be available to SSH.
Linux
Install deps:
# Fedora
sudo dnf install yubikey-manager
# Ubuntu 20.04 LTS
sudo apt-get -y install scdaemon gnupg2
# Ubuntu general
sudo apt-get -y install pcscd scdaemon gnupg2 pcsc-tools
Edit ~/.gnupg/gpg-agent.conf:
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gnome3
Edit ~/.bashrc:
if ! pgrep -u $USER -f "gpg-agent.*enable-ssh-support" > /dev/null
then
pkill gpg-agent
gpg-agent --homedir $HOME/.gnupg --daemon --enable-ssh-support
fi
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
Keygrip
Some distros require the authentication subkey's keygrip to be listed before gpg-agent exposes the key to SSH:
gpg2 --with-keygrip -k yourkey
Copy the keygrip of the authentication subkey (the one marked [A]) and paste it on a new line in ~/.gnupg/sshcontrol.
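The gpg-agent.conf edits above and the sshcontrol step both come down to "add this line if it is not already there". The script below is an added example, not part of the original guide: it writes the agent options idempotently, pulls the [A] subkey's keygrip out of gpg --with-keygrip -k output, and registers it in sshcontrol. The file paths, the pinentry path and the sample key listing (fake fingerprints and keygrips) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent gpg-agent.conf
# setup plus automatic registration of the authentication keygrip.

# Append LINE to FILE only if FILE does not already contain that exact line.
ensure_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Write the agent options used in this guide. PINENTRY is the platform's
# pinentry binary (pinentry-mac on macOS, pinentry-gnome3 on Linux).
configure_agent() {
    conf="$1"; pinentry="$2"
    ensure_line "$conf" "enable-ssh-support"
    ensure_line "$conf" "default-cache-ttl 60"
    ensure_line "$conf" "max-cache-ttl 120"
    ensure_line "$conf" "pinentry-program $pinentry"
}

# Read `gpg --with-keygrip -k` output on stdin and print the keygrip of every
# subkey whose usage flags (4th column, e.g. "[A]") include authentication.
auth_keygrips() {
    awk '
        /^(pub|sub|sec|ssb)/ { want = (index($4, "A") > 0); next }
        /Keygrip = / && want  { print $3; want = 0 }
    '
}

# Register each keygrip read from stdin in the given sshcontrol file.
register_keygrips() {
    control="$1"
    while IFS= read -r grip; do
        if [ -n "$grip" ]; then
            ensure_line "$control" "$grip"
        fi
    done
}

# Constructed sample listing (fake fingerprint and keygrips) used when run
# stand-alone; for a real key pipe in `gpg --with-keygrip -k yourkey`.
SAMPLE_LISTING='pub   rsa4096 2020-01-01 [SC] [expires: 2030-01-01]
      0000000000000000000000000000000000000000
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] Example User <user@example.com>
sub   rsa4096 2020-01-01 [E]
      Keygrip = 2222222222222222222222222222222222222222
sub   rsa4096 2020-01-01 [A]
      Keygrip = 3333333333333333333333333333333333333333'

# Demonstration in a scratch directory so nothing under ~/.gnupg is touched.
demo() {
    dir=$(mktemp -d)
    configure_agent "$dir/gpg-agent.conf" /usr/bin/pinentry-gnome3
    configure_agent "$dir/gpg-agent.conf" /usr/bin/pinentry-gnome3  # no duplicates
    printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips | register_keygrips "$dir/sshcontrol"
    cat "$dir/gpg-agent.conf" "$dir/sshcontrol"
    rm -rf "$dir"
}
demo
```

For a real setup, replace the demo with configure_agent "$HOME/.gnupg/gpg-agent.conf" <pinentry path> and gpg --with-keygrip -k yourkey | auth_keygrips | register_keygrips "$HOME/.gnupg/sshcontrol", then restart the agent with gpgconf --kill gpg-agent. Only the [A] subkey is registered, since the encryption and signing subkeys are never what SSH should be offered.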
Windows
Install Chocolatey: https://chocolatey.org/install
Install dependencies with choco (from an administrator PowerShell):
choco install -y git gpg4win pass-winmenu putty.install
Set the GIT_SSH environment variable (same administrator PowerShell):
[System.Environment]::SetEnvironmentVariable('GIT_SSH','C:\Program Files\PuTTY\plink.exe',[System.EnvironmentVariableTarget]::Machine)
Edit gpg-agent.conf (Windows+R, then notepad %appdata%/gnupg/gpg-agent.conf) and add:
enable-putty-support
Restart gpg-agent (from a new, non-admin PowerShell session):
gpg-connect-agent KILLAGENT /bye
Try to fetch keys from the card. If you get the error "No inquire callback in IPC", try importing the public key with gpg --import pub.key.
SSH is sometimes buggy and you can't answer yes to the host key (signature) question. In that case pipe the answer into plink for your SSH connection:
echo y | plink -ssh git@git.site.com -P 22