Setting up OpenPGP on a YubiKey & using it for SSH-Login on Linux servers

Supervisor

Administrator
Apr 27, 2015
As you may know, the YubiKey is a small device with a lot of features, including support for GPG keys and the ability to be used for SSH login to remote servers.
In this tutorial I will provide step-by-step instructions on how to accomplish that.
When finished, the private keys will be on the YubiKey and you will only be able to log in with this key. The keys therefore cannot be stolen even if you are hacked.

Let's get started. Everything you need to type is bold, everything you need to change depending on your setup is marked red. Screenshots are in German, but I guess you can figure out the important stuff.

For a better understanding of KEY_ID:
KEY_ID is the main key with all subkeys in it
KEY_ID_1 is the first subkey, used for signing
KEY_ID_2 is used for the subkey encryption
KEY_ID_3 is used for the subkey authentication

You may type gpg --list-keys; the keys will each have the letters [C], [S], [E], [A], which are in the exact same order as above.
  1. Download & install GPG4Win https://www.gpg4win.org/download.html
  2. Create Keys from Powershell - type in the following commands and make personal choices if asked
    • gpg --expert --full-gen-key
    • choose RSA, choice 8
    • choose Cert only
    • set 2048 or 4096 as length
    • set a passphrase
    • gpg --expert --edit-key KEY_ID
    • We will add three subkeys, one at a time for Sign, Verify and Encrypt (so do the following three times)
    • addkey
    • Choose Auth, Sign, Encrypt separately
    • choose length of 2048
    • When done creating the three subkeys, hit save
  3. Backup secret keys
    • gpg --export-secret-key --armor KEY_ID > cert.KEY_ID.key
    • For exporting the subkeys, please note the ! behind the KEY_ID
    • gpg --export-secret-subkeys --armor KEY_ID_1! > sign.KEY_ID.key
    • gpg --export-secret-subkeys --armor KEY_ID_2! > encr.KEY_ID.key
    • gpg --export-secret-subkeys --armor KEY_ID_3! > auth.KEY_ID.key
  4. Save the ssh-key - you can always generate it later using the public key
    • gpg --export-ssh-key KEY_ID > ssh.KEY_ID.pem
    • You may want to upload your public key to a keyserver so you can always get a hold of it or share it
    • gpg --keyserver hkp://pool.sks-keyservers.net --send-keys KEY_ID
  5. Lastly we need to save the revocation certificate to make sure we can invalidate the certificate once we lose it or don't use it any longer - copy the KEY_ID.rev from %appdata%\gnupg\openpgp-revocs.d\ to the location where you have the other keys backed up
  6. Move your keys to the Yubikey - make sure it is plugged in by now.
    • gpg --expert --edit-key KEY_ID
    • key KEY_ID_1
    • keytocard
    • key KEY_ID_1
    • key KEY_ID_2
    • keytocard
    • key KEY_ID_2
    • key KEY_ID_3
    • keytocard
    • key KEY_ID_3
    • save
  7. Change your card PIN and admin PIN and reset code - make sure you don't lose them! You will need the PIN every time you want to SSH into a server later. We will also edit some things such as cardholder name, sex and so on. That is not needed though
    • gpg --expert --card-edit
    • admin
    • name
    • sex
    • lang
    • passwd
    • quit
  8. Get PuTTY ready to accept GPG4Win - check the box "Attempt authentication using Pageant" in Connection-SSH-Auth (of course that's all in PuTTY)
  9. Open Kleopatra (it got installed with GPG4Win)
    • open Settings - Setup Kleopatra - GnuPG-System - Secret keys
    • tick the boxes SSH-Support enable, PuTTY-Support enable
  10. There is one inconvenience with the entire setup - we need a service running when we want to SSH into a server and use our YubiKey. It's called gpg-connect-agent.exe. You can either start it manually every time you need it, or you create a shortcut and move it into your autostart directory so it starts automatically every time with Windows. Also, when you have trouble, simply restart the program.
    • create a shortcut to "C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" /bye
    • move it to your autostart in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" or start it manually - your choice
  11. Testing time ;)
    • upload the content of your ssh.KEY_ID.pem to the authorized_keys file on your Linux server
    • it is located in the user directory -> .ssh/authorized_keys
    • now let's test the connection - log in to the SSH server; it should ask you to enter the PIN for your smartcard (your YubiKey), enter it and you're in ;)
    • if you encounter any problems feel free to reply and I think we should get it working
  12. After making sure you have a backup of your keys, it's time to delete the private key from your computer so only the YubiKey has it now.
    • gpg --delete-secret-key KEY_ID
    • If you want to, you may also delete your public key - that's not needed though
    • gpg --delete-key KEY_ID

Some more screenshots can be found in the second post.
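Added example (mine, not the post author's code): a small Python parser for `gpg --list-keys --with-colons` that tells you which key ID is KEY_ID, KEY_ID_1, KEY_ID_2 and KEY_ID_3 in the sense used above, warns if the master key is not cert-only, and renders the step-3 export commands with the trailing `!`. The sample listing and its key IDs are constructed.

```python
# Added example (not from the original post): map the master key and its
# Sign/Encrypt/Auth subkeys to the KEY_ID / KEY_ID_1..3 names used above by
# parsing `gpg --list-keys --with-colons` (field 1 = record type, field 5 =
# key ID, field 12 = capabilities; lowercase letters are that key's own ones).
# Constructed sample in gpg's colon layout; the key IDs are made up.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1430000000:::u:::cESCA::::::23::0:
uid:u::::1430000000::ABCDEF::Jane Doe <jane@example.org>::::::::::0:
sub:u:2048:1:1111111111111111:1430000000::::::s::::::23:
sub:u:2048:1:2222222222222222:1430000000::::::e::::::23:
sub:u:2048:1:3333333333333333:1430000000::::::a::::::23:
"""

def subkey_roles(colon_output):
    """Return ({'C'|'S'|'E'|'A': keyid}, warnings) for the first key listed."""
    roles, warnings = {}, []
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        keyid, own = f[4], {c.upper() for c in f[11] if c.islower()}
        if f[0] == "pub":
            if "C" in roles:
                break                        # only inspect the first key block
            roles["C"] = keyid
            if own - {"C"}:                  # the tutorial expects a cert-only master
                warnings.append("master key %s is not cert-only (has %s)"
                                % (keyid, "".join(sorted(own - {"C"}))))
        else:
            for cap in own & {"S", "E", "A"}:
                roles.setdefault(cap, keyid)   # first subkey found per role
    for cap in ("S", "E", "A"):
        if cap not in roles:
            warnings.append("no subkey with capability %s" % cap)
    return roles, warnings

def export_commands(roles):
    """Render the step-3 backup commands with real IDs (note the trailing !)."""
    master = roles["C"]
    cmds = ["gpg --export-secret-key --armor %s > cert.%s.key" % (master, master)]
    for cap, name in (("S", "sign"), ("E", "encr"), ("A", "auth")):
        if cap in roles:
            cmds.append("gpg --export-secret-subkeys --armor %s! > %s.%s.key"
                        % (roles[cap], name, master))
    return cmds

if __name__ == "__main__":
    roles, warnings = subkey_roles(SAMPLE)   # swap in your real gpg output here
    print(roles, *warnings, *export_commands(roles), sep="\n")
```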

Supervisor

Administrator
Apr 27, 2015
Due to the restriction of 10 uploads/post by some stupid admin (*cough* @Supervisor) I hereby post the screenshots of the config and the working demonstration.
[screenshot: Kleopatra settings]
[screenshot: PuTTY settings]

Your pin gets requested:
[screenshot: PuTTY PIN prompt]
And you're in ;)
[screenshot: PuTTY session]

Asphyxia

Owner
Administrator
Apr 25, 2015
@Supervisor firstly, AMAZING tutorial and great work!
To ensure that the only way to log in is by using your YubiKey we recommend disabling password login on your SSH server.

From https://developers.yubico.com/PGP/SSH_authentication/

I think disabling password login is simple, can you add those to the instructions up top? If I missed you already doing this - sorry. :)

nano /etc/ssh/sshd_config will open your configs.

Now we can disallow passwords via PasswordAuthentication no

Here are some additional secure settings to investigate and should maybe be turned on:
Code:
PermitRootLogin no
UsePAM no
ChallengeResponseAuthentication no

Lastly, rebooting sshd will be required. Rest calmly at nighttime knowing all the Chinese bots in the world can be hammering away with RandomPasswords123 and never have a single chance.

The root user should not be able to directly login because a unique user should be created instead, consider making a sudo user instead of having exactly root access. Monitoring who is doing what is simpler.
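Added example (not Asphyxia's or Yubico's code): a Python check of the sshd_config settings listed in this post that respects how sshd actually reads the file (the first occurrence of a keyword wins, and lines below a Match block are not global); the sample config is constructed.

```python
# Added example (not from the original post): audit an sshd_config for the
# settings recommended above. sshd applies the FIRST occurrence of a keyword
# (later duplicates are ignored), keywords are case-insensitive, and lines
# below a `Match` block only apply to matched users, so a grep can mislead.

# Settings the thread recommends and the value that enforces key-only login.
WANTED = {"passwordauthentication": "no", "permitrootlogin": "no",
          "usepam": "no", "challengeresponseauthentication": "no"}

def effective_settings(config_text):
    """Return {keyword: value} as sshd applies them outside any Match block."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comment or empty line
            continue
        parts = line.replace("=", " ").split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break                                 # rest is conditional, not global
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """Return findings; an empty list means every wanted setting is enforced."""
    found, findings = effective_settings(config_text), []
    for key, want in WANTED.items():
        have = found.get(key)
        if have is None:
            findings.append("%s not set (sshd default applies)" % key)
        elif have.lower() != want:
            findings.append("%s is %s, expected %s" % (key, have, want))
    return findings

# Constructed sample: 'PasswordAuthentication no' was appended at the end, but
# the earlier 'yes' still wins, and the Match block's 'no' is not global.
SAMPLE_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin no
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WEAK:", finding)
```

On the server itself, `sshd -T` prints the effective global values in the same keyword/value layout, so its output can be passed to `audit()` as well.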

Supervisor

Administrator
Apr 27, 2015
I think disabling password login is simple, can you add those to the instructions up top? If I missed you already doing this - sorry. :)
It is very simple, indeed - however I did not include it on purpose. I'm just using this method of login for like one week - therefore I have to gain a little more trust to make it the only method to log in. I will include it though.