I finally got around to setting up my yubikey neo 4 keys. The idea (for my use) - is to use the device to store a GPG key - and enable touch (set to fix mode) - so I can ONLY access anything with SSH or decrypt/authenticate/sign anything with GPG - by touching the yubikey.
This protects against me (or my employees - who all get one) getting their workstation compromised, and using it to gain access to our company, or the companies we have remote access to (being sysadmins for many companies). The touch part - is what seperates this key, from nitrokey and other solutions. Typicly nitrokey etc. - just ends up always being in a USB port, and within the timeout (which is often rather high) - the device won't ask for the pin again - and anyone could jump through workstation - and into our or our customers servers without permissions :(
To avoid this, we want to add this "touch-only" access key - then the only way left, to hack into our, or our customers servers - via our employees workstations - is to do a sidechannel attack on an existing tcp session (which we ofcourse also try to protect ourselves against :)
For passwords and other secrets, we use passwordstore.org (wrapper for gpg - also has apps for android etc.) - and since yubikey has NFC support, we should also be able to use this setup with access through a mobile phone (IF we consider this wise.. :) - I haven't tested that yet though.
After working with a few guides, hitting enough "oddities", I figured I'd post a summary for myself and others :)
Start with getting your GPG key created with proper keylengts and modern signing algo's - see: https://github.com/drduh/YubiKey-Guide (note: config file entries and mode for yubikey is INCORRECT!)
But with gpg 2.1 + (which you MUST be using for this to work properly) - the ~/.gnupg/gpg.conf should look like this:
auto-key-locate keyserver keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url personal-cipher-preferences AES256 AES192 AES CAST5 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed cert-digest-algo SHA512 s2k-cipher-algo AES256 s2k-digest-algo SHA512 charset utf-8 fixed-list-mode no-comments no-emit-version keyid-format 0xlong list-options show-uid-validity verify-options show-uid-validity with-fingerprint use-agent require-cross-certification
(get the netCA.pem - using above guide)
And setup gpg-agent correctly with this config: ~/.gnupg/gpg-agent.conf
#pinentry-program /usr/bin/pinentry-qt # enables SSH support (ssh-agent) enable-ssh-support #remote extra-socket /home/$youruser/.gnupg/S.gpg-agent-extra # default cache timeout of 600 seconds default-cache-ttl 600 max-cache-ttl 7200
NB. Remember to backup your GPG key to some offline storage (usb key or other).
Then get your yubi configured and transfer private key to it, by following: https://malcolmsparks.com/posts/yubikey-gpg.html (which uses the correct m86 mode for newer yubikeys).
To use your yubikey for ssh - you get the ssh public RSA of your gpg key by running:
gpg --export-ssh-key your-gpg-user-id
And that goes into ~/.ss/authorized_keys as usual.
And then to get ssh-agent forwarding using your yubikey, set this env:
and to do remote agent forwarding, you could use the script from here: https://www.isi.edu/~calvin/gpgagent.htm (called remote-gpg) - just run:
ssh -t -R $REMOTE_HOME/.gnupg/S.gpg-agent:$LOCAL_HOME/.gnupg/S.gpg-agent-extra $host
and with that - you can now use your yubikey for gpg and ssh operations remotely as well.