# SSH with GPG via YubiKey

Establish SSH authentication with a GPG key held on a YubiKey, between a Windows client and a Linux server. The private key never leaves the YubiKey; the GPG agent on Windows only forwards the authentication challenge to the card.
## Requirements

- YubiKey with OpenPGP capability
- Gpg4win - GnuPG and its agent (gpg-agent) for Windows
- Kleopatra - graphical interface for key management (shipped with Gpg4win)
- [optional] Pageant, PuTTY's agent, if you want to use PuTTY
- SSH server with a configured firewall
## Sources
- Yubico - SSH Authentication to GitHub Using a YubiKey on Windows
- Yubico - Using Your YubiKey with OpenPGP
- My dad's notes
## Guide

### Key management on Windows

Generate an Ed25519 key that is only usable for authentication and never expires:

```bat
:: Arguments: name, algorithm, usage, expiration
gpg --quick-generate-key name@address.com ed25519 auth never
```

Then move the key to the YubiKey with `keytocard`. When asked where to store it, pick the authentication slot.

Do NOT choose to save the changes when leaving `gpg --edit-key`: saving replaces the local copy with a stub pointing at the card, and the private key can never be read back from the YubiKey.

```bat
gpg --edit-key name@address.com
keytocard
:: Enter Q to exit
:: Do NOT save when prompted to, it will destroy the key on your computer !
```
We need to export the public key in SSH format in order to store it on the server. The easiest way is to use Kleopatra.

Open Kleopatra. The generated key should appear on the main tab. If it isn't there, click on "Certificates" at the top and "Refresh certificates". Double-click on the certificate and, in the newly opened window, click on the "Subkeys" tab. There, you can right-click on the key to export it as an OpenSSH key.
Lastly, the GPG agent needs to be restarted to take the key into account. You can put the following in the `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\` folder so it is executed on login.
GPG_Starter.bat (script contents not preserved on this page)

Here is another version that launches PuTTY:

launcher.bat (script contents not preserved on this page)
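The following batch file is an added example covering both scripts above (restart the agent, optionally launch PuTTY); it is not the page's original `GPG_Starter.bat` or `launcher.bat`. It assumes Gpg4win is installed with `gpg` and `gpg-connect-agent` on `PATH`, that the agent configuration lives at `%APPDATA%\gnupg\gpg-agent.conf`, and that PuTTY is installed under `%ProgramFiles%\PuTTY` (all three are assumptions, not from the page). It makes sure `enable-putty-support` is set, because without it gpg-agent does not answer Pageant-protocol requests from PuTTY, and it warns if the real Pageant is running, since both programs claim the same Pageant window and PuTTY would then talk to the wrong agent.

```bat
@echo off
:: GPG_Starter.bat - added example, not the original script from this page.
:: Restarts gpg-agent so it re-reads the YubiKey and serves the OpenPGP
:: authentication key to PuTTY through the Pageant protocol.
:: Assumptions (not from the page): Gpg4win on PATH, config at
:: %APPDATA%\gnupg\gpg-agent.conf, PuTTY under %ProgramFiles%\PuTTY.
:: Usage:  GPG_Starter.bat          restart the agent only
::         GPG_Starter.bat putty    restart the agent, then launch PuTTY

setlocal
set "CONF=%APPDATA%\gnupg\gpg-agent.conf"

:: gpg-agent only emulates Pageant when enable-putty-support is set.
:: Append the option once if it is missing (no-op on later runs).
if not exist "%APPDATA%\gnupg" mkdir "%APPDATA%\gnupg"
findstr /B /C:"enable-putty-support" "%CONF%" >nul 2>&1 || echo enable-putty-support>>"%CONF%"

:: The real Pageant and gpg-agent cannot both serve PuTTY at the same time.
tasklist /FI "IMAGENAME eq pageant.exe" | find /I "pageant.exe" >nul && (
    echo Pageant is running. Close it: gpg-agent takes over its role.
)

:: Stop any running agent and start a fresh one that reads the new config.
gpg-connect-agent killagent /bye >nul 2>&1
gpg-connect-agent /bye >nul 2>&1

:: Touch the card so the agent learns the authentication key. A failure here
:: usually means the YubiKey is not plugged in or another tool holds it.
gpg --card-status >nul 2>&1 || echo YubiKey not detected. Plug it in and run this script again.

:: Optional: launch PuTTY once the agent is ready.
if /I "%~1"=="putty" start "" "%ProgramFiles%\PuTTY\putty.exe"

endlocal
```

Run it without arguments from the Startup folder to get a working agent at login, or with `putty` as the only argument if you want the launcher variant. After the restart, `gpg --card-status` should list the authentication key and PuTTY's Pageant authentication will find it on the card.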
#### PuTTY configuration

If you're using PuTTY, make sure that "Attempt authentication using Pageant" is checked in Connection > SSH > Auth.
### Key management on Linux
In your session, paste the previously exported key on a new line in `.ssh/authorized_keys`. Check the permissions afterwards: with the default `StrictModes yes`, sshd ignores the file unless `~/.ssh` is only writable by you (mode 700) and `authorized_keys` is mode 600.
## Debug
If needed, logs can be viewed rapidly with the following command: