How to use gpg and yubikey for ssh
Jan 29, 2020 • 530 words • 3 min read
A friend of mine told me recently that he wanted to get a yubikey and was asking if and how he could use it for SSH. I pointed him at my previous post about GPG and yubikeys and I realised I had left out the SSH-related configuration.
How it works
The basic idea is straightforward: your yubikey holds a gpg key with the Authentication flag enabled (see the subkeys section in my previous post), gpg-agent exposes that key in an ssh-compatible way, and your ssh is configured to use it.
The steps below were tested on Ubuntu 18.04 with gpg 2.2.4 and libgcrypt 1.8.1. Check the official site for the latest versions and whether or not they are still supported.
Step 1 - Configure your gpg-agent
Add the following lines to your ~/.gnupg/gpg-agent.conf:
enable-ssh-support
# You can also define how long gpg keys and ssh keys are cached for.
# These are the default values, in seconds.
default-cache-ttl 600
max-cache-ttl 7200
default-cache-ttl-ssh 600
max-cache-ttl-ssh 7200
With enable-ssh-support, gpg-agent creates an additional socket that speaks the ssh-agent protocol, so SSH can use the key held by the gpg agent.
Step 2 - Configure SSH
Now all we have to do is tell SSH where that socket is so that it can use it. SSH uses the SSH_AUTH_SOCK environment variable for that, and we can use the following one-liner to set it to the right path:
$ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
Setting the GPG_AGENT_INFO variable
While recent versions of gpg don't use this variable, you may need to set it if you are running a different version of the gpg-agent.
$ export GPG_AGENT_INFO="$(gpgconf --list-dirs agent-socket):0:1"
You can find more details about this in this twitter thread.
Putting everything together
To summarise, you need to run these two commands to add the two lines in the right places.
$ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
$ echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.bashrc
The single quotes keep the $(gpgconf ...) unexpanded, so the socket path is looked up each time a shell starts rather than hardcoded at setup time. Reload your environment and, with your yubikey in place, you should be able to get your public SSH key followed by your card number by running
$ ssh-add -L
Put that key on the server/github/gitlab you want to access using your yubikey and you're all set.
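The two setup commands above append blindly, so running them twice leaves duplicate lines. The script below is an added example (not from the original post) that makes the same setup idempotent and then checks that gpg-agent actually exposes a card key over its ssh socket. The function names are my own; it assumes a POSIX sh, and gpgconf, gpg-connect-agent and ssh-add on PATH for the live check only.

```shell
#!/bin/sh
# Added example, not part of the original post.

# ensure_line FILE LINE: append LINE to FILE only if it is not already there,
# so re-running the setup never duplicates enable-ssh-support or the export.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# configure_gpg_agent_ssh CONF RC: the two lines from "Putting everything
# together". The export is stored literally (single quotes) so gpgconf is
# evaluated at every login, not once at setup time.
configure_gpg_agent_ssh() {
    ensure_line "$1" 'enable-ssh-support'
    ensure_line "$2" 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)'
}

# reload_gpg_agent: gpg-agent only reads gpg-agent.conf on start/reload,
# so the new socket does not appear until this is run.
reload_gpg_agent() {
    gpg-connect-agent reloadagent /bye >/dev/null
}

# card_ssh_key: point SSH at the agent socket and print the public key the
# yubikey provides (ssh-add -L tags it with "cardno:<serial>").
# Returns 1 with a hint on stderr if the socket or the card key is missing.
card_ssh_key() {
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "no agent socket at $SSH_AUTH_SOCK (is enable-ssh-support set and the agent reloaded?)" >&2
        return 1
    fi
    if ! ssh-add -L | grep 'cardno:'; then
        echo "agent lists no card key (is the yubikey plugged in?)" >&2
        return 1
    fi
}

# Typical use on the real machine:
#   configure_gpg_agent_ssh ~/.gnupg/gpg-agent.conf ~/.bashrc
#   reload_gpg_agent && card_ssh_key
```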
Sources
Check out the links below for more information and details about gpg-agent and SSH.
- gpg-agent config file options: https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
- How does gpg-agent work: https://unix.stackexchange.com/questions/188668/how-does-gpg-agent-work
- What is SSH_AUTH_SOCK: https://superuser.com/questions/845378/what-is-ssh-auth-sock
- How SSH works: http://www.unixwiz.net/techtips/ssh-agent-forwarding.html