
Yubikey 5 Create SSH Key [Guide - Ubuntu]


buzzkillb

How to create an SSH key on a Yubikey 5 using GPG on Ubuntu 20.04.

Yubikey 5c https://amzn.to/3dFvg4A
Yubikey 5 nfc https://amzn.to/3gr4UoJ

I am using VM Player as the test subject. If you are using this, edit the .vmx file and add these 3 lines to the end to pass the Yubikey through. Restart vmplayer and pass it through.

usb.generic.allowHID = "TRUE"
usb.generic.allowLastHID = "TRUE"
usb.quirks.device0 = "0x1050:0x0407 allow"

Reference: https://www.engineerbetter.com/blog/yubikey-ssh/

I just installed all the Yubikey stuff; you can do these 1 by 1 for what you need or just throw them all in.

sudo apt install opensc-pkcs11 yubikey-personalization scdaemon libpam-u2f libpam-yubico yubikey-personalization-gui yubikey-manager

Use GPG agent

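# Quote the delimiter so $(tty) and $(gpgconf ...) are written literally and evaluated at each login
cat <<'EOF' >> ~/.bashrc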
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
EOF

then

. ~/.bashrc

To check if the Yubikey is being seen by Ubuntu type

gpg --card-status

If you want to change your pins, this is the command

gpg --change-pin

I would test the steps out before editing pins and messing around with more stuff. Let's get to editing

gpg --card-edit
admin
generate

Make off-card backup of encryption key? N

I chose to expire my key in 3 years so I typed

3y

Is this correct? Y


Fill in a name and email address.

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

quit

Check your ssh key

ssh-add -L

and it spits the SSH key out

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRELbQ3izu+ckrwPgKTdmck89xrOaSv1Kp0vY1ShWYbjyALOvEL9Okd23bjzCcS3h/0t5R5HZs3Ej0cOpupa/Ls4E6DwFs7hC6bMjSdDu/I0490ONH6LOYWE5T5GCuuPNmMRBVX7mmCAXzUIkBFvimzspAIY+w2pkQ2bk+dOC+IMG70DsDPv54+LBm7IpgWth+wZLppacVYMgpARX38ounHU8pxEOxEodf5Vzx+jCxX7swYBM0Ujw+5+Kg+8c00oWB/6MM1mIdTepqH4hRIkw0AVMhEFqnC/qOrr4aZ9e8Bd5B27sTKwPlmX0oe7Uw46G72MZ6/bLc8qgjjIeIOzUj cardno:000613493497

To move the Yubikey to another VM, I did the .vmx file edit, passed the Yubikey through to vmplayer, and then

sudo apt install opensc-pkcs11 yubikey-personalization scdaemon libpam-u2f libpam-yubico yubikey-personalization-gui yubikey-manager

Use GPG agent

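# Quote the delimiter so $(tty) and $(gpgconf ...) are written literally and evaluated at each login
cat <<'EOF' >> ~/.bashrc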
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
EOF

then

. ~/.bashrc

And then check the key

ssh-add -L

 

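A post-setup check for the steps above, added here as an example and not part of the original post: it lists which keys in `ssh-add -L` output are card-backed (comment starting `cardno:`), confirms `SSH_AUTH_SOCK` is the gpg-agent socket, and checks that `~/.bashrc` still holds the `$(tty)` and `$(gpgconf ...)` substitutions rather than values expanded once when the lines were appended. The function names, the `--live` flag and the sample keys are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: post-setup checks for the gpg-agent + YubiKey SSH steps above.
# Function names, the --live flag and the sample keys are constructed.

# Read `ssh-add -L` output on stdin; print "<key type> <card serial>" for each
# key whose comment starts with cardno:, i.e. a key gpg-agent serves from a card.
card_keys() {
    awk '$3 ~ /^cardno:/ { sub(/^cardno:/, "", $3); print $1, $3 }'
}

# $1 = SSH_AUTH_SOCK, $2 = output of `gpgconf --list-dirs agent-ssh-socket`.
# Succeeds only when ssh is pointed at gpg-agent rather than another agent.
sock_is_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# $1 = rc file. Succeeds only when both exports still contain the command
# substitutions; fails if they are missing or were expanded to fixed values
# (for example GPG_TTY=/dev/pts/0) when the lines were appended.
rc_is_dynamic() {
    grep -Fq -- 'export GPG_TTY=$(tty)' "$1" &&
    grep -Fq -- 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' "$1"
}

# Constructed sample of `ssh-add -L` output: one card key, one file-based key.
SAMPLE_KEYS='ssh-rsa AAAAconstructedCardKey cardno:000000000001
ssh-ed25519 AAAAconstructedFileKey user@laptop'

if [ "${1:-}" = "--live" ]; then
    # Run against the real agent and ~/.bashrc on the machine being set up.
    ssh-add -L | card_keys
    sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$(gpgconf --list-dirs agent-ssh-socket)" ||
        echo "SSH_AUTH_SOCK is not the gpg-agent ssh socket" >&2
    rc_is_dynamic "$HOME/.bashrc" ||
        echo "$HOME/.bashrc: exports missing or frozen to fixed values" >&2
else
    printf '%s\n' "$SAMPLE_KEYS" | card_keys
fi
```

Run it with `--live` on the machine being configured; without arguments it only processes the constructed sample.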

An example of using the public key with Denarius NVS. To add the public key to be more public, go to your Denarius QT Wallet and at the debug console type

name_new ssh:buzzkillb "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRELbQ3izu+ckrwPgKTdmck89xrOaSv1Kp0vY1ShWYbjyALOvEL9Okd23bjzCcS3h/0t5R5HZs3Ej0cOpupa/Ls4E6DwFs7hC6bMjSdDu/I0490ONH6LOYWE5T5GCuuPNmMRBVX7mmCAXzUIkBFvimzspAIY+w2pkQ2bk+dOC+IMG70DsDPv54+LBm7IpgWth+wZLppacVYMgpARX38ounHU8pxEOxEodf5Vzx+jCxX7swYBM0Ujw+5+Kg+8c00oWB/6MM1mIdTepqH4hRIkw0AVMhEFqnC/qOrr4aZ9e8Bd5B27sTKwPlmX0oe7Uw46G72MZ6/bLc8qgjjIeIOzUj cardno:000613493497" 9999

 
