YubiKey GPG SSH
This is a collection of miscellaneous information I have collated in order to get my YubiKey working in Windows the way I like it.
This assumes drduh's YubiKey Guide was used to set up the YubiKey.
With a fresh copy of Windows 11, the YubiKey will work with SSH automatically upon insertion; GPG, however, requires a bit of fiddling.
Open an MSYS2 terminal window to begin.
Check to see if the card is already recognized:
gpg --card-status
🚧 WARNING
If you receive an error regarding the scdaemon version you will need to kill the current gpg-agent and try again.
Initialize the trust database.
gpg --list-keys
Import your public key either from a file or from the internet (keyserver).
gpg --import public.asc
or
gpg --recv 0x1F125B5425110CCE
You should see something similar to the following upon importing the key:
gpg: key 0x1F125B5425110CCE: public key "kyau <kyau@kyau.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
Edit the local trust database to ultimately trust your key.
gpg --edit-key 0x1F125B5425110CCE
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit
Once you have ultimately trusted your gpg key you can do a test encryption.
echo "test message, hello future self!" | gpg --encrypt --armor --recipient 0x1F125B5425110CCE -o encrypted.txt
One can verify it was encrypted by viewing the file:
cat encrypted.txt
Proceed to the decryption test:
gpg --decrypt --armor encrypted.txt
If you receive a message asking you to insert the card with a different serial number, the currently inserted key is the backup or secondary YubiKey. This is fine; you will just have to force gpg to use the current serial number for all functions instead of the primary one. If you ever switch back to the primary key, just run this command again.
gpg-connect-agent "scd serialno" "learn --force" /bye
Run the decryption command again to finally get a successful decryption.
Check to make sure the ssh-agent is picking up the key from your YubiKey with the following:
ssh-add -L
Open up the file ~/.ssh/config in an editor and add the following at the bottom:
Host *.kyaulabs *.kyaulabs.com
Port 4222
ForwardAgent yes
StreamLocalBindUnlink yes
RemoteForward /home/kyau/.gnupg/S.gpg-agent /c/Users/Kyau/.gnupg/S.gpg-agent.extra
Now, provided AllowAgentForwarding and StreamLocalBindUnlink are both set to yes in the remote machine's /etc/ssh/sshd_config, forwarding for GPG and SSH should be working for all hosts matched by the above Host pattern (edit to your liking).
To verify, SSH to a machine matched by the above pattern and execute the following commands:
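The two sshd options above are easy to get wrong (a commented-out line, a duplicate later in the file that sshd ignores, or relying on the default, which is no for StreamLocalBindUnlink). The following checker is an added example, not part of this guide; it reads a sshd_config file and reports the effective value of each option, using the constructed sample files SAMPLE_GOOD and SAMPLE_BAD.

```sh
#!/bin/sh
# Added example (not from the original guide): verify that a sshd_config
# enables the options the RemoteForward socket trick depends on.
# sshd keywords are case-insensitive, '#' lines are comments, and the
# first occurrence of a keyword wins (later duplicates are ignored).
# Match blocks and Include directives are not handled here.

# Usage: sshd_option <file> <keyword>  -> prints the effective value
# (lower-cased) or nothing if the keyword is not set.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key && !found { print tolower($2); found = 1 }
    ' "$1"
}

# Usage: check_forwarding <file> -> 0 if both options are yes, 1 otherwise.
# Defaults are those of OpenSSH: AllowAgentForwarding yes,
# StreamLocalBindUnlink no.
check_forwarding() {
    rc=0
    for opt in AllowAgentForwarding StreamLocalBindUnlink; do
        val=$(sshd_option "$1" "$opt")
        if [ -z "$val" ]; then
            case "$opt" in
                AllowAgentForwarding) val=yes ;;
                *) val=no ;;
            esac
            echo "$opt not set, default is $val"
        fi
        if [ "$val" != "yes" ]; then
            echo "$opt is $val (needs yes)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for demonstration (not real host files).
SAMPLE_GOOD=$(mktemp)
printf '# hardened host\nPort 4222\nallowagentforwarding yes\nStreamLocalBindUnlink Yes\nStreamLocalBindUnlink no\n' > "$SAMPLE_GOOD"
SAMPLE_BAD=$(mktemp)
printf 'Port 4222\n#StreamLocalBindUnlink yes\n' > "$SAMPLE_BAD"

check_forwarding "$SAMPLE_GOOD" && echo "good config: forwarding enabled"
check_forwarding "$SAMPLE_BAD"  || echo "bad config: fix the options above"
```

Run it against a copy of the remote machine's /etc/ssh/sshd_config (for example via scp) to see which option still needs changing.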
gpg --list-keys
ssh-add -L
If you still have issues with GPG not forwarding correctly, connect to the remote machine, kill any currently running gpg-agent, and then wipe all existing sockets:
killall gpg-agent
rm ~/.gnupg/S.*