
You can use a GPG key stored on a YubiKey with OpenSSH, but with some caveats:

1. gpg-agent must act as your ssh-agent (which means ssh-agent should be disabled and replaced by gpg-agent).

2. If using `pinentry-curses` (a YubiKey usually permits access to the contained GPG key via a PIN), you must have `export GPG_TTY=$(tty)` (or your shell's equivalent of setting the GPG_TTY environment variable to the output of `tty`).

3. You can fetch the public key of your GPG key with `ssh-add -L` (gpg-agent must be acting as your ssh-agent, and the YubiKey with the GPG key has to be plugged in).

4. You must have the line `enable-ssh-support` in your `$GNUPGHOME/gpg-agent.conf`.

I used a guide[1] to set up a GPG key on a YubiKey, and for those who don't want to use GPG, the guide also has a section[2] about just using an SSH key.

[1]: https://github.com/drduh/YubiKey-Guide

[2]: https://github.com/drduh/YubiKey-Guide#ssh
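The four caveats above, wired into shell functions as an added example (this is not code from the comment or from the YubiKey-Guide). It assumes GnuPG 2.1 or later (for `gpgconf --list-dirs agent-ssh-socket`, `gpgconf --launch` and `gpg-connect-agent`), OpenSSH's `ssh-add`, and `pinentry-curses`; the function and file names are mine, and the `S.gpg-agent.ssh` fallback path is an assumption used only when `gpgconf` is absent.

```shell
#!/bin/sh
# Added example, not from the comment or the YubiKey-Guide: gpg-agent as the
# SSH agent for a YubiKey-held GPG authentication key.
# Assumes GnuPG 2.1+ (gpgconf, gpg-connect-agent), OpenSSH ssh-add, pinentry-curses.

# Caveat 4: make sure `enable-ssh-support` is in $GNUPGHOME/gpg-agent.conf.
# Idempotent: a second run does not duplicate the line.
# Arg 1 (optional): the GnuPG home directory (default: $GNUPGHOME or ~/.gnupg).
# Prints the number of matching lines, which should always be 1.
configure_gpg_agent() {
    gh="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    conf="$gh/gpg-agent.conf"
    mkdir -p "$gh" && chmod 700 "$gh"
    touch "$conf" && chmod 600 "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    grep -cx 'enable-ssh-support' "$conf"
}

# Caveat 1: find the socket gpg-agent exposes to SSH clients. gpgconf knows the
# real path; the $gh/S.gpg-agent.ssh fallback is an assumption for setups
# without gpgconf.
gpg_ssh_socket() {
    gh="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(GNUPGHOME="$gh" gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || sock=""
    fi
    printf '%s\n' "${sock:-$gh/S.gpg-agent.ssh}"
}

# Caveats 1 and 2: point this shell at gpg-agent instead of ssh-agent and tell
# the agent which terminal pinentry-curses may draw the PIN prompt on.
# Must be run in the interactive shell (sourced), not in a subshell, because it
# exports variables.
activate_gpg_ssh_agent() {
    # Drop any OpenSSH ssh-agent state so ssh(1) stops talking to the old agent.
    unset SSH_AGENT_PID
    SSH_AUTH_SOCK=$(gpg_ssh_socket); export SSH_AUTH_SOCK
    # `tty` prints "not a tty" and fails when there is no terminal; tolerate that.
    GPG_TTY=$(tty 2>/dev/null || true); export GPG_TTY
    gpgconf --launch gpg-agent
    # Push the new GPG_TTY into an already-running agent; otherwise the PIN
    # prompt may appear on the terminal that originally started the agent.
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# Caveat 3: list the OpenSSH-format public key served by gpg-agent. The key is
# listed only while the YubiKey is inserted; with no card present ssh-add
# prints "The agent has no identities." and exits 1.
list_ssh_pubkey() {
    ssh-add -L
}

# Assumed interactive use: `. ./gpg-ssh.sh && gpg_ssh_setup`
gpg_ssh_setup() {
    configure_gpg_agent >/dev/null
    activate_gpg_ssh_agent
    list_ssh_pubkey
}
```

`configure_gpg_agent` and `gpg_ssh_socket` only touch files and can be run anywhere; `activate_gpg_ssh_agent` and `list_ssh_pubkey` need a running GnuPG install and, for a non-empty key list, the YubiKey plugged in. Put the `export` lines in your shell's rc file as well, or the next shell you open will silently fall back to whatever `SSH_AUTH_SOCK` the desktop session provides.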



I have been using this setup for a while now and would like to tell everyone about an advantage in contrast to the 'resident key': You can push a single, identical key to two YubiKeys, making it easier to recover.

Resident keys are (partially?) created on the hardware token and thus can't be replicated. The GPG keys can be pushed to a couple of YubiKeys before you delete them forever (or keep a paper backup somewhere safe).



