<!DOCTYPE html>
<html lang="en">
<head>
<!-- Oct 07, 2022 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Yubikey setup on Linux</title>
<meta name="author" content="Vincent Demeester" />
<meta name="keywords" content="article" />
<meta name="generator" content="Org Mode" />
<link rel='icon' type='image/x-icon' href='/images/favicon.ico'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/css/new.css' type='text/css'/>
<link rel='stylesheet' href='/css/syntax.css' type='text/css'/>
<link href='/index.xml' rel='alternate' type='application/rss+xml' title='Vincent Demeester' />
</head>
<body>
<main id="content" class="content">
<header>
<h1 class="title">Yubikey setup on Linux</h1>
<p class="subtitle" role="doc-subtitle">Trying to use yubikey to its full potential on Linux</p>
</header><p>
A YubiKey is a hardware authentication device that can be used for various one-time
password (OTP) and authentication methods. This article explains how I set up my yubikey
and my operating system (which will most likely only ever be one GNU/Linux distribution or another) for it.
</p>

<p>
The goal is to use the yubikey for:
</p>
<ul class="org-ul">
<li>GnuPG subkeys for signing and encrypting</li>
<li>Main SSH key (using <code>gpg-agent</code>, …)</li>
<li>Dual authentication using OTP (time-based, event-based)</li>
</ul>

<p>
The yubikey manual<sup><a id="fnr.1" class="footref" href="#fn.1" role="doc-backlink">1</a></sup> (at least the version that seems to cover the yubikey NEO I have)
is the base reading, but there are plenty of useful articles on the subject. This is also based
on my usage of the yubikey, so it might differ from yours.
</p>

<section id="outline-container-h:168c7019-2c6b-4872-84d2-7535a3a38f91" class="outline-2">
<h2 id="h:168c7019-2c6b-4872-84d2-7535a3a38f91"><span class="todo TODO">TODO</span> GnuPG</h2>
<div class="outline-text-2" id="text-h:168c7019-2c6b-4872-84d2-7535a3a38f91">
<p>
Some assumptions are made in this section:
</p>

<ul class="org-ul">
<li>You know a tiny bit of GnuPG and the <code>gpg</code> command (at least the basics)</li>
<li>You have a backup of your GnuPG configuration (usually <code>$HOME/.gnupg</code>) — just in case 👼</li>
<li>You have an existing GnuPG key (private/public)</li>
</ul>

<p>
We are going to use GnuPG subkeys (for security, as we won&rsquo;t have the <i>master</i> key
anywhere on the machines, only offline). If you are interested in how it works and how to
configure it, here is a <a href="https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/">guide</a>. The following is a mere <i>rip-off</i> of the yubikey developer
article: <a href="https://developers.yubico.com/PGP/Importing_keys.html">Importing keys</a>.
</p>

<p>
Let&rsquo;s first check that our gpg version can talk to the yubikey. The reply below ends in
<code>90 00</code>, the ISO 7816 status word for success; the bytes before it are the version of
the OpenPGP applet on the key.
</p>

<div class="org-src-container">
<pre class="src src-shell">$ gpg-connect-agent --hex <span class="org-string">"scd apdu 00 f1 00 00"</span> /bye
D[0000]  01 00 05 90 00                                     .....
OK
</pre>
</div>

<p>
We need to have our secret key on the machine we are using to set up the yubikey. Once the
setup is done, we will reset the <code>.gnupg</code> so that the machine doesn&rsquo;t have the main key
(or even the subkeys, for that matter). In the listing below, a <code>&gt;</code> after <code>ssb</code> marks a
subkey whose secret part already lives on a smartcard, while a <code>#</code> would mark a stub with no
secret material on this machine at all.
</p>

<div class="org-src-container">
<pre class="src src-shell">$ gpg --list-secret-keys
<span class="org-comment-delimiter"># </span><span class="org-comment">[&#8230;]</span>
--------------------------------
sec   rsa2048 2013-05-19 [SC]
      8C4E8DDA04C18C6B503BD2DBB7E7CF1C634256FA
uid           [ultimate] Vincent Demeester (vdemeester) &lt;vincent@demeester.fr&gt;
uid           [ultimate] Vincent Demeester &lt;vincent@sbr.pm&gt;
uid           [ultimate] Vincent Demeester &lt;vdemeest@redhat.com&gt;
uid           [ultimate] [jpeg image of size 4711]
ssb&gt;  rsa2048 2013-05-19 [E]
ssb   rsa4096 2019-04-07 [S] [expires: 2022-04-06]
ssb&gt;  rsa2048 2019-07-02 [S]
ssb&gt;  rsa2048 2019-07-02 [A]
</pre>
</div>
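<p>
As an added example (not code from the article), the two checks above scripted so they can run unattended: <code>apdu_ok</code> parses the <code>gpg-connect-agent</code> reply for the <code>90 00</code> success status, and <code>key_locations</code> reads the machine-readable <code>--with-colons</code> listing to report whether each secret key is a stub, on the card, or still on disk. The function names are mine, the sample reply and colon listing are constructed, and the card serial and subkey IDs are made up.
</p>

```shell
#!/bin/sh
# Added example, not code from the original article. It scripts the two checks
# above: (1) did scdaemon answer the APDU with a success status, and (2) where
# does each secret key actually live, read from `gpg --with-colons` output
# instead of eyeballing the "sec#" / "ssb>" markers. Field 15 of a sec/ssb
# record is the token serial for a key on a smartcard, "#" for a stub with no
# secret material, and "+" for a key stored on disk.

# apdu_ok: read `gpg-connect-agent --hex` output on stdin; succeed only if the
# last two response bytes are the ISO 7816 success status word 90 00.
apdu_ok() {
  awk '/^D\[/ {
         sub(/^D\[[0-9a-fA-F]+\] +/, ""); sub(/  +.*$/, "")   # drop prefix and ASCII column
         n = split($0, b, " "); for (i = 1; i <= n; i++) all = all b[i]
       }
       END { exit (substr(all, length(all) - 3) == "9000") ? 0 : 1 }'
}

# key_locations: read colon records on stdin and print, per secret key,
#   TYPE KEYID CAPABILITIES LOCATION   (LOCATION is stub, card:SERIAL or disk)
key_locations() {
  awk -F: '$1 == "sec" || $1 == "ssb" {
    where = "disk"
    if ($15 == "#")                   where = "stub"
    else if ($15 != "" && $15 != "+") where = "card:" $15
    print $1, $5, $12, where
  }'
}

# primary_is_offline: succeed only if the primary key is a stub, i.e. the
# master key is not on this machine (the end state the article aims for).
primary_is_offline() {
  key_locations | awk '$1 == "sec" && $4 == "stub" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Constructed samples (not real output): the APDU reply from the article, and a
# colon listing mirroring its key layout with a stubbed primary, E and A subkeys
# on the card and one S subkey still on disk. Serial and subkey IDs are made up.
APDU_REPLY='D[0000]  01 00 05 90 00                                     .....
OK'
COLON_LISTING='sec:u:2048:1:B7E7CF1C634256FA:1368970893:::u:::scESC:::#::::0:
ssb:u:2048:1:0123456789ABCDEF:1368970893::::::e:::D2760001240102010006012345670000::::0:
ssb:u:4096:1:FEDCBA9876543210:1554595200:1649203200:::::s:::+::::0:
ssb:u:2048:1:1122334455667788:1562025600::::::a:::D2760001240102010006012345670000::::0:'

# Live usage: gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye | apdu_ok
#             gpg --list-secret-keys --with-colons | key_locations
printf '%s\n' "$APDU_REPLY" | apdu_ok && echo "card answered 90 00"
printf '%s\n' "$COLON_LISTING" | key_locations
```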
</div>
</section>



<section id="outline-container-h:55406d2f-0f1f-4ef7-9ec1-634d9fcaaedc" class="outline-2">
<h2 id="h:55406d2f-0f1f-4ef7-9ec1-634d9fcaaedc"><span class="todo TODO">TODO</span> SSH</h2>
<div class="outline-text-2" id="text-h:55406d2f-0f1f-4ef7-9ec1-634d9fcaaedc">
<p>
We use a GnuPG authentication subkey as our SSH key, and we store it on the yubikey (in the
<code>Authentication Key</code> slot) so that <code>gpg-agent</code> can offer it to <code>ssh</code>.
</p>
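<p>
Added example, not from the article: the <code>gpg-agent</code> plumbing for this, with a check that the key the agent offers over SSH is the authentication key <code>gpg</code> exports. The helper names <code>enable_agent_ssh_support</code>, <code>same_ssh_key</code> and <code>card_key_from_agent</code> are mine, and the two sample key lines are constructed with fake blobs; the live commands assume GnuPG 2.1 or later.
</p>

```shell
#!/bin/sh
# Added example, not from the original article: wire gpg-agent up as the SSH
# agent and verify that the key it offers is the [A] subkey from the card.
# Assumes GnuPG 2.1+ (gpgconf, gpg-agent with SSH support).

# enable_agent_ssh_support CONF: add "enable-ssh-support" to gpg-agent.conf
# exactly once, so re-running the setup stays idempotent.
enable_agent_ssh_support() {
  [ -f "$1" ] || : > "$1"
  grep -qx 'enable-ssh-support' "$1" || printf 'enable-ssh-support\n' >> "$1"
}

# same_ssh_key LINE_A LINE_B: true if two OpenSSH public-key lines carry the
# same key type and blob; comments (e.g. gpg-agent's "cardno:...") are ignored.
# An empty or malformed line never matches anything.
same_ssh_key() {
  a=$(printf '%s\n' "$1" | awk 'NF >= 2 { print $1, $2 }')
  b=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $1, $2 }')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# card_key_from_agent: the line `ssh-add -L` shows for a smartcard-backed key;
# gpg-agent appends a "cardno:SERIAL" comment to those.
card_key_from_agent() {
  ssh-add -L | grep 'cardno:' | head -n 1
}

# Constructed sample lines (fake, shortened blobs) standing in for the output
# of `gpg --export-ssh-key` and `ssh-add -L` on a correctly wired machine.
EXPORTED='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKE openpgp:0x634256FA'
OFFERED='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKE cardno:000601234567'

same_ssh_key "$EXPORTED" "$OFFERED" && echo "agent offers the card's authentication key"

# Live use (order matters: the option needs an agent restart, and ssh must be
# pointed at gpg-agent's socket rather than ssh-agent's):
#   enable_agent_ssh_support "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
#   gpgconf --kill gpg-agent
#   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
#   gpg-connect-agent updatestartuptty /bye
#   same_ssh_key "$(gpg --export-ssh-key 0xB7E7CF1C634256FA)" "$(card_key_from_agent)"
```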
</div>
</section>

<section id="outline-container-h:f3ecbc48-0c51-4dcd-b075-0575b06fff7b" class="outline-2">
<h2 id="h:f3ecbc48-0c51-4dcd-b075-0575b06fff7b"><span class="todo TODO">TODO</span> Dual authentication</h2>
<div class="outline-text-2" id="text-h:f3ecbc48-0c51-4dcd-b075-0575b06fff7b">
</div>
</section>

<section id="outline-container-h:8398bd8f-12ca-4167-84ae-6c9a63aa41e6" class="outline-2">
<h2 id="h:8398bd8f-12ca-4167-84ae-6c9a63aa41e6"><span class="todo TODO">TODO</span> Some more automation</h2>
<div class="outline-text-2" id="text-h:8398bd8f-12ca-4167-84ae-6c9a63aa41e6">
</div>
</section>

<section id="outline-container-h:ec8f52e7-9b54-42da-95f8-ff5c44445118" class="outline-2">
<h2 id="h:ec8f52e7-9b54-42da-95f8-ff5c44445118">References</h2>
<div class="outline-text-2" id="text-h:ec8f52e7-9b54-42da-95f8-ff5c44445118">
<ul class="org-ul">
<li><a href="https://fedoraproject.org/wiki/Using_Yubikeys_with_Fedora">https://fedoraproject.org/wiki/Using_Yubikeys_with_Fedora</a></li>
<li><a href="https://fedoraproject.org/wiki/Infrastructure/Yubikey">https://fedoraproject.org/wiki/Infrastructure/Yubikey</a></li>
<li><a href="https://fedoramagazine.org/using-the-yubikey4-with-fedora/">https://fedoramagazine.org/using-the-yubikey4-with-fedora/</a></li>
<li><a href="https://developers.yubico.com/PGP/Importing_keys.html">https://developers.yubico.com/PGP/Importing_keys.html</a></li>
<li><a href="https://developers.yubico.com/">https://developers.yubico.com/</a></li>
<li><a href="https://github.com/fedora-infra/ssh-gpg-smartcard-config/">https://github.com/fedora-infra/ssh-gpg-smartcard-config/</a>
<ul class="org-ul">
<li><a href="https://github.com/fedora-infra/ssh-gpg-smartcard-config/blob/master/Linux.md">https://github.com/fedora-infra/ssh-gpg-smartcard-config/blob/master/Linux.md</a></li>
</ul></li>
<li><a href="https://www.gnupg.org/gph/en/manual/x110.html">https://www.gnupg.org/gph/en/manual/x110.html</a></li>
<li><a href="https://github.com/cornelinux/yubikey-luks">https://github.com/cornelinux/yubikey-luks</a></li>
<li><a href="https://rzetterberg.github.io/yubikey-gpg-nixos.html">https://rzetterberg.github.io/yubikey-gpg-nixos.html</a></li>
<li><a href="https://github.com/drduh/YubiKey-Guide">https://github.com/drduh/YubiKey-Guide</a></li>
<li><a href="https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/">https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/</a></li>
<li><a href="https://nixos.wiki/wiki/Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS">https://nixos.wiki/wiki/Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS</a></li>
<li><a href="https://suchsecurity.com/gpg-and-ssh-with-yubikey-on-windows.html">https://suchsecurity.com/gpg-and-ssh-with-yubikey-on-windows.html</a></li>
<li><a href="https://codingnest.com/how-to-use-gpg-with-yubikey-wsl/">https://codingnest.com/how-to-use-gpg-with-yubikey-wsl/</a></li>
<li><a href="https://metebalci.com/blog/using-u2f-at-linux-login/">https://metebalci.com/blog/using-u2f-at-linux-login/</a></li>
<li><a href="https://0day.work/locking-the-screen-when-removing-a-yubikey/">https://0day.work/locking-the-screen-when-removing-a-yubikey/</a></li>
<li><a href="https://gist.github.com/jhass/070207e9d22b314d9992">https://gist.github.com/jhass/070207e9d22b314d9992</a></li>
<li><a href="https://wiki.realmofespionage.xyz/distros:fedora_workstation_gnome">https://wiki.realmofespionage.xyz/distros:fedora_workstation_gnome</a></li>
</ul>
</div>
</section>
<div id="footnotes">
<h2 class="footnotes">Footnotes: </h2>
<div id="text-footnotes">

<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1" role="doc-backlink">1</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
<a href="https://www.yubico.com/wp-content/uploads/2015/03/YubiKeyManual_v3.4.pdf">https://www.yubico.com/wp-content/uploads/2015/03/YubiKeyManual_v3.4.pdf</a>
</p></div></div>


</div>
</div></main>
<footer id="postamble" class="status">
<footer>
     <small><a href="/" rel="history">Index</a><a href="/sitemap.html">Sitemap</a><a href="https://dl.sbr.pm/">Files</a></small><br/>
     <small class='questions'>Questions, comments? Please use my <a href="https://lists.sr.ht/~vdemeester/public-inbox">public inbox</a> by sending a plain-text email to <a href="mailto:~vdemeester/public-inbox@lists.sr.ht">~vdemeester/public-inbox@lists.sr.ht</a>.</small><br/>
     <small class='copyright'>
      Content and design by Vincent Demeester
      (<a rel='licence' href='http://creativecommons.org/licenses/by-nc-sa/3.0/'>Some rights reserved</a>)
    </small><br />
</footer>
</footer>
</body>
</html>