Skew-T Meteorologist in Kansas City

Yubikey

In the past year I've taken steps to increase security on some of my accounts and machines. One of these measures was to protect my network with public key authentication and two-step verification with TOTP (Google Authenticator). It was easier than I had feared to set up the two-step via Linux PAM. Logging in thus does require having my phone available and then unlocking, launching an app, and entering the code.

Yubikey 5c

Yubikey is a hardware authentication device, with a form factor similar to that of a small USB flash drive. It supports a number of different protocols, including U2F, which replaces one-time codes with a direct challenge-response exchange with the site. What interested me the most was using it as a secure place to keep SSH keys. Keys sitting on disk can be copied and rely on a long passphrase to stay secure. With a Yubikey the private key never leaves the device: it is only usable with the device present, a PIN, and optionally a touch of the device (to prevent remote use of a plugged-in key).

There are a couple of ways to create keys that can be used for SSH: PIV and OpenPGP. I've had issues with GPG in the past and it seemed likely to require replacing ssh-agent, so I thought I'd first try PIV, or Personal Identity Verification. At work I use a smart card that meets the same standard and it works with standard SSH components combined with the OpenSC software. The syntax is a little odd, requiring the full path to the smart card (PKCS#11) library.

ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so <host>

ssh-agent is able to cache and forward the key, but plugging and unplugging the Yubikey can cause issues. At times a flush of ssh-agent or a restart of GNOME Keyring fixes the issue. Reading more about the higher encryption standards available through PGP, and that Chrome OS has support for smart cards in the built-in SSH app, I decided to try PGP as well. Creating keys and subkeys was fairly quick with reasonable defaults to most of the prompts.

# Create GPG key
gpg --gen-key

# Create an authentication subkey directly on the Yubikey
# (addcardkey is a command inside the interactive --edit-key session)
gpg --edit-key <key>
gpg> addcardkey
gpg> save

# Get PGP Yubikey applet information
gpg --card-status

# Get an SSH format public key
gpg --export-ssh-key <key>

There are rather vociferous arguments about the interactions between GNOME Keyring and gpg-agent. Keyring has generally worked well for me but it does not show the card-based subkeys at all. Switching the SSH agent socket to GPG agent provides a very seamless experience with card removal and insertion. Keyring does not fully support smart card authentication so I first created an alias to switch the SSH agent socket on the fly, before just permanently disabling the ssh-agent functionality of the Keyring, after which gpg automatically took over. Other keys can still be loaded on-the-fly.

# Use gpg-agent for SSH agent
# (gpg-agent only serves this socket when ~/.gnupg/gpg-agent.conf
# contains the line: enable-ssh-support)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

# Disable GNOME Keyring ssh-agent
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop
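As an added example (not from the original post), here is the same switch-over as a set of POSIX shell helpers that can be re-run safely and then verified. It assumes gpg-agent's `enable-ssh-support` option is what makes the agent socket useful, and that gpg-agent labels card-backed keys with a `cardno:` comment in `ssh-add -L` output; file paths are passed as parameters so the helpers can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example: idempotent setup of gpg-agent as the SSH agent and
# masking of GNOME Keyring's ssh-agent autostart entry.

# Ensure gpg-agent serves SSH; without this line its ssh socket is inert.
# $1 = path to gpg-agent.conf (normally ~/.gnupg/gpg-agent.conf)
ensure_gpg_ssh_support() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    grep -qx 'enable-ssh-support' "$conf" || printf 'enable-ssh-support\n' >> "$conf"
}

# Copy the Keyring autostart entry into the user's autostart dir and mark it
# Hidden=true, adding the line only once (a plain `>>` appends on every run).
# $1 = system .desktop file, $2 = user autostart directory
hide_keyring_ssh_autostart() {
    src="$1"
    dest_dir="$2"
    dest="$dest_dir/$(basename "$src")"
    mkdir -p "$dest_dir"
    [ -f "$dest" ] || cp "$src" "$dest"
    grep -qx 'Hidden=true' "$dest" || printf 'Hidden=true\n' >> "$dest"
}

# Return 0 if a card-backed key is present in an `ssh-add -L` listing.
# gpg-agent comments such keys with "cardno:<serial>".
# $1 = captured text of `ssh-add -L`
card_key_listed() {
    printf '%s\n' "$1" | grep -q 'cardno:'
}

# Usage on a real system (commented out so the file can be sourced as-is):
# ensure_gpg_ssh_support "$HOME/.gnupg/gpg-agent.conf"
# hide_keyring_ssh_autostart /etc/xdg/autostart/gnome-keyring-ssh.desktop \
#     "$HOME/.config/autostart"
# gpgconf --kill gpg-agent
# export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
# card_key_listed "$(ssh-add -L)" && echo "card key available to SSH"
```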