mirrors
/
YubiKey-Guide
mirror of https://github.com/drduh/YubiKey-Guide
0
0
Fork 0
Code Releases Activity

Merge pull request #2 from drduh/master 

Merge upstream
pull/57/head
T.J. Simmons 2018-04-12 10:18:41 -05:00 committed by GitHub
parent 84174a76ec e772f61915
commit 31172d813f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
README.md
View File

@ -145,12 +145,9 @@ If on [Tails](https://tails.boum.org/), you also need to install libykpers-1-1 f
## Install - macOS ## Install - macOS
You will need to install the following software: You will need to install [Homebrew](https://brew.sh/) and the following brew packages:
1. [Homebrew](https://brew.sh/) package manager $ brew install gnupg yubikey-personalization hopenpgp-tools
2. The following brew packages:
$ brew install gnupg yubikey-personalization
# Creating keys # Creating keys
@ -874,10 +871,7 @@ Paste the following text into a terminal window to create a [recommended](https:
auto-key-locate keyserver auto-key-locate keyserver
keyserver hkps://hkps.pool.sks-keyservers.net keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url keyserver-options no-honor-keyserver-url
keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url keyserver-options no-honor-keyserver-url
keyserver-options debug
keyserver-options verbose
personal-cipher-preferences AES256 AES192 AES CAST5 personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
@ -896,9 +890,9 @@ Paste the following text into a terminal window to create a [recommended](https:
require-cross-certification require-cross-certification
EOF EOF
To install the keyservers CA file: Ensure you change to correct rights of that file to at least avoid a warning message about incorrect file rights
$ sudo curl -s "https://sks-keyservers.net/sks-keyservers.netCA.pem" -o /etc/sks-keyservers.netCA.pem chmod 600 ~/.gnupg/gpg.conf
## Import public key ## Import public key
@ -1150,7 +1144,6 @@ Paste the following text into a terminal window to create a [recommended](https:
default-cache-ttl 60 default-cache-ttl 60
max-cache-ttl 120 max-cache-ttl 120
write-env-file write-env-file
use-standard-socket
EOF EOF
If you are using Linux on the desktop, you may want to use `/usr/bin/pinentry-gnome3` to use a GUI manager. For macOS, try `brew install pinentry-mac`, and adjust the `pinentry-program` setting to suit. If you are using Linux on the desktop, you may want to use `/usr/bin/pinentry-gnome3` to use a GUI manager. For macOS, try `brew install pinentry-mac`, and adjust the `pinentry-program` setting to suit.
@ -1162,7 +1155,7 @@ If you are using Linux on the desktop, you may want to use `/usr/bin/pinentry-gn
Depending on how your environment is set up, you might need to add these to your shell `rc` file: Depending on how your environment is set up, you might need to add these to your shell `rc` file:
export GPG_TTY="$(tty)" export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh" export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent gpgconf --launch gpg-agent
**Note** On some systems, for example Arch Linux-based distributions, you may need to replace the second and the third line with: **Note** On some systems, for example Arch Linux-based distributions, you may need to replace the second and the third line with:
@ -1172,7 +1165,6 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye gpg-connect-agent updatestartuptty /bye
``` ```
### Copy public key to server ### Copy public key to server
There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file: There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file:
@ -1180,6 +1172,21 @@ There is a `-L` option of `ssh-add` that lists public key parameters of all iden
$ ssh-add -L $ ssh-add -L
ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211 ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211
#### (Optional) Save public key for identity file configuration
If `IdentitiesOnly yes` is used in your `.ssh/config` (for example [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/)), `ssh` will not automatically enumerate public keys loaded into `ssh-agent` or `gpg-agent`. This means `publickey` authentication will not proceed unless explicitly named by `ssh -i [identity_file]` or in `.ssh/config` on a per-host basis.
In the case of Yubikey usage, you do not have access to the private key, and `identity_file` can be pointed to the public key (`.pub`).
$ ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub
Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows:
$ cat << EOF >> ~/.ssh/config
Host github.com
IdentityFile ~/.ssh/id_rsa_yubikey.pub
EOF
### Connect with public key authentication ### Connect with public key authentication
$ ssh git@github.com -vvv $ ssh git@github.com -vvv