GPG authentication keys
For this doc we create a new ed25519 GPG key on the yubikey together with a GPG authentication subkey. This subkey can then be used to authenticate via ssh. All you need for that is a running gpg-agent, which acts as a ssh-agent in this special case.
At the end of the document you will find also some words about FIDO2 keys and why we are not using them here.
To use this feature, you need a yubikey with OpenPGP support. These are the yubikeys of series 4 and 5, but not the Bio and Security Key series. Here you can find an overview of the functionality of the different yubikeys.
Setup your yubikey
First of all, you need some tools installed:
Now you should change the default PINs, if not already done:
You can now change PIN (default: 123456) and Admin PIN (default: 12345678).
In the next step we configure our yubikey to create ECC keys instead of RSA. At first glance it seems confusing that you enter the same things three times - but this is for three different keys. So don’t get confused:
Select always the ECC or the Curve option. Now we can create the actual keys. And no, we don’t want to have off-card backups. If you have multiple yubikeys, it could be a good idea to add some infos in the comment section:
Okay, that’s it on the yubikey side. We can now leave the card editor by pressing
To make use of the authentication key you have to configure the gpg-agent first. Edit
The location of the pinentry tool could be different - depending on you MacOS version. Now we can kill all ssh-agent process and start our gpg-agent:
Now you should see your ssh public key in your “ssh-agent”:
You can now move your ssh public key to your linux hosts and connect with your yubikey plugged in. From time to time you will be asked for your PIN, but this time the PIN is cached! :)
Different keys for different yubikeys
It’s possible to create the GPG key with the gpg-tools on your local system and copy the same key to different yubikeys (via keytocard) to have backup yubikeys.
Even if it’s not possible to extract GPG keys from HW SCs like yubikeys, you will block your yubikey when you lost it. And if you have the same GPG key on all of your yubikeys, you will also lock out your backup yubikey.
Most of the applications outside also support multiple ssh keys and gpg keys, e.g.:
So to have backup yubikeys, you can just add multiple ssh or gpg keys to the services and repeat the steps above for all of your yubikeys.
Why FIDO2 isn’t an option
With the latest versions of openssh it’s possible to generate FIDO2 based ssh keys. They are already pretty good adopted and work e.g. for ubuntu 20.04 or later.
The problem with such keys is the way you have to authenticate - each time you connect via ssh to a server, you have to confirm your presence, means you have to touch the yubikey. Every time you connect.
Example: If you want to connect to three different servers, you have to touch your yubikey three times. If you connect to them via a jumphost, you have to touch your yubikey six times! There is no caching available.
I also tried to create ssh keys that don’t require the presence confirmation, but these keys are not accepted by a default ssh server configuration nor for authentication to github.com.
You can also add an option to require verification, but that just asks to insert a PIN in addition (which is also not cacheable)
I tried the same with ssh keys generated directly on the yubikey - it’s exactly the same behaviour as described for the standalone keys:
So I didn’t find a way to have some kind of caching for the presence detection, which makes the whole usage a bit of frustrating.