yubikey with touch and gpg+ssh local and remote operation

I finally got around to setting up my yubikey neo 4 keys. The idea (for my use) - is to use the device to store a GPG key - and enable touch (set to fix mode) - so I can ONLY access anything with SSH or decrypt/authenticate/sign anything with GPG - by touching the yubikey.

This protects against me (or my employees - who all get one) getting their workstation compromised, and using it to gain access to our company, or the companies we have remote access to (being sysadmins for many companies). The touch part - is what separates this key, from nitrokey and other solutions. Typically nitrokey etc. - just ends up always being in a USB port, and within the timeout (which is often rather high) - the device won't ask for the pin again - and anyone could jump through workstation - and into our or our customers servers without permissions :(

To avoid this, we want to add this "touch-only" access key - then the only way left, to hack into our, or our customers servers - via our employees workstations - is to do a sidechannel attack on an existing tcp session (which we of course also try to protect ourselves against :)

For passwords and other secrets, we use passwordstore.org (wrapper for gpg - also has apps for android etc.) - and since yubikey has NFC support, we should also be able to use this setup with access through a mobile phone (IF we consider this wise.. :) - I haven't tested that yet though.

After working with a few guides, hitting enough "oddities", I figured I'd post a summary for myself and others :)

Start with getting your GPG key created with proper key lengths and modern signing algos - see: https://github.com/drduh/YubiKey-Guide (note: config file entries and mode for yubikey is INCORRECT!)

But with gpg 2.1+ (which you MUST be using for this to work properly) - the ~/.gnupg/gpg.conf should look like this:

auto-key-locate keyserver
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-cipher-algo AES256
s2k-digest-algo SHA512
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
use-agent
require-cross-certification

and .gnupg/dirmngr.conf

hkp-cacert /etc/sks-keyservers.netCA.pem

(get the netCA.pem - using above guide)

And setup gpg-agent correctly with this config: ~/.gnupg/gpg-agent.conf

#pinentry-program /usr/bin/pinentry-qt

# enables SSH support (ssh-agent)
enable-ssh-support

#remote
extra-socket /home/$youruser/.gnupg/S.gpg-agent-extra
# default cache timeout of 600 seconds
default-cache-ttl 600
max-cache-ttl 7200

NB. Remember to backup your GPG key to some offline storage (usb key or other).

Then get your yubi configured and transfer private key to it, by following: https://malcolmsparks.com/posts/yubikey-gpg.html (which uses the correct m86 mode for newer yubikeys).

To use your yubikey for ssh - you get the ssh public RSA of your gpg key by running:

gpg --export-ssh-key your-gpg-user-id

And that goes into ~/.ssh/authorized_keys as usual.

And then to get ssh-agent forwarding using your yubikey, set this env:

export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh

and to do remote agent forwarding, you could use the script from here: https://www.isi.edu/~calvin/gpgagent.htm (called remote-gpg) - just run:

ssh -t -R $REMOTE_HOME/.gnupg/S.gpg-agent:$LOCAL_HOME/.gnupg/S.gpg-agent-extra $host

and with that - you can now use your yubikey for gpg and ssh operations remotely as well.
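
A quick check on the gpg-agent.conf settings above, as an added example (not from the original post or the linked guides): a POSIX shell lint that confirms enable-ssh-support is active, that extra-socket no longer contains the $youruser placeholder, and that the cache TTLs are consistent. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a gpg-agent.conf for the settings this post depends on.

# Print the value of the last uncommented "KEY [value]" line; status 1 if absent.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                      # skip comments, blank lines
        $1 == key { found = 1; $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { if (!found) exit 1; print val }' "$1"
}

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Print one FAIL line per problem; exit status is the number of problems.
audit_gpg_agent_conf() {
    conf=$1; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Needed for the agent to answer requests arriving via SSH_AUTH_SOCK.
    conf_value "$conf" enable-ssh-support >/dev/null ||
        fail "enable-ssh-support missing or commented out"

    # The ssh -R line forwards to this socket, so the path must be filled in.
    if extra=$(conf_value "$conf" extra-socket); then
        case $extra in
            *'$'*) fail "extra-socket still has a placeholder: $extra" ;;
        esac
    else
        fail "extra-socket not set"
    fi

    # Fall back to gpg-agent's documented defaults when a TTL is not set.
    def=$(conf_value "$conf" default-cache-ttl) || def=600
    max=$(conf_value "$conf" max-cache-ttl) || max=7200
    if ! is_uint "$def" || ! is_uint "$max"; then
        fail "cache TTLs must be whole seconds"
    elif [ "$def" -gt "$max" ]; then
        fail "default-cache-ttl $def exceeds max-cache-ttl $max"
    fi
    return "$problems"
}

# Constructed sample config containing the three mistakes checked above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#enable-ssh-support
extra-socket /home/$youruser/.gnupg/S.gpg-agent-extra
default-cache-ttl 7200
max-cache-ttl 600
EOF
audit_gpg_agent_conf "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Run it against your own file with `audit_gpg_agent_conf ~/.gnupg/gpg-agent.conf` and restart the agent after fixing anything it reports.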
