Using an OpenPGP key on Yubikey Neo as an SSH key, fish shell v2.2.0, Elementary OS Loki v0.4, gpg2 v2.1.11, gpg-agent v2.1.11
1. Install tools
   - gpg2, gpg-agent etc.
2. Generate OpenPGP keys (primary key and subkeys [sign&certify, encrypt and authentication])
3. Export OpenPGP keys into your Yubikey (|| Import OpenPGP keys into your Yubikey)
   - see developers.yubico.com[...]/Importing_keys.html
   - Make sure the Yubikey is shown
     gpg2 --card-status
4. Make sure your public key is imported on your local machine
5. Add your SSH key to the remote server
   - Grep the ID for the subkey for authentication, e.g. ABCDEFFF
     set subkeyId (gpg2 --list-secret-keys | grep '\[A\]' | cut -d'/' -f 2 | cut -d' ' -f 1)
   - Export the subkey, convert it to an SSH key and store this key in authorized_keys.export
     gpg2 --export-options export-minimal,no-export-attributes --export-secret-subkeys $subkeyId! | openpgp2ssh $subkeyId > ~/authorized_keys.export
   - Add the SSH key located in ~/authorized_keys.export on your local machine to ~/.ssh/authorized_keys on your remote machine
6. Use gpg-agent for SSH auth
   - Enable SSH support within gpg-agent
     echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
   - Restart
     gpg-connect-agent killagent /bye
     gpgconf --kill gpg-agent
7. Set configuration in fish
   - Create gnupg.fish, where gpg-agent is started and SSH_AUTH_SOCK is set
     echo 'gpgconf --launch gpg-agent
     set -e SSH_AUTH_SOCK
     set -U -x SSH_AUTH_SOCK ~/.gnupg/S.gpg-agent.ssh' >> ~/.config/fish/gnupg.fish
   - Autoload gnupg.fish on start
     echo 'source ~/.config/fish/gnupg.fish' >> ~/.config/fish/config.fish
   - Reload fish config
     source ~/.config/fish/config.fish
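An added example, not part of the gist: the grep/cut pipeline in the step that finds the authentication subkey depends on the human-readable listing format, which changes between gpg versions. This POSIX sh version reads gpg's machine-readable `--with-colons` listing instead, and also checks that the subkey's secret part really lives on the card rather than in the local keyring. The key IDs, fingerprint and card serial number in the sample listing are constructed; the field positions follow gpg's documented colon-format layout.

```shell
#!/bin/sh
# Real use: gpg2 --with-colons --list-secret-keys | auth_subkey_id
#
# In --with-colons output a secret subkey line looks like
#   ssb:u:2048:1:<keyid>:<created>:<expires>::::::<caps>:::<token>:
# field 5 = key ID, field 12 = capabilities (a = authentication),
# field 15 = token: "+" secret key in keyring, "#" stub without a
# card, anything else = serial number of the smartcard holding it.

# Print the key ID of the first subkey with the authentication capability.
auth_subkey_id() {
    awk -F: '$1 == "ssb" && index($12, "a") { print $5; exit }'
}

# Print where the authentication subkey's secret part is: "card",
# "keyring", "stub" or "unknown". Exit 1 if there is no such subkey.
auth_subkey_location() {
    awk -F: '$1 == "ssb" && index($12, "a") {
        if ($15 == "+")      print "keyring";
        else if ($15 == "#") print "stub";
        else if ($15 != "")  print "card";
        else                 print "unknown";
        found = 1; exit
    } END { exit found ? 0 : 1 }'
}

# Constructed sample listing: primary key (sign+certify), an encryption
# subkey in the keyring and an authentication subkey on a Yubikey.
SAMPLE_LISTING='sec:u:2048:1:0123456789ABCDEF:1451606400:::u:::scESCA:::+::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1451606400::1234567890ABCDEF1234567890ABCDEF12345678::Example User <user@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1451606400::::::e:::+::
ssb:u:2048:1:00000000ABCDEFFF:1451606400::::::a:::D2760001240102010006000000000000:'

sample_auth_subkey_id()       { printf '%s\n' "$SAMPLE_LISTING" | auth_subkey_id; }
sample_auth_subkey_location() { printf '%s\n' "$SAMPLE_LISTING" | auth_subkey_location; }
```

If `auth_subkey_location` reports "keyring" after you moved the key to the card, the move did not happen and the private material is still on disk.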