Yubikey4 and gpg-agent

From Wikitech

This page covers using the Yubikey4 to generate and store an SSH authentication key, and to generate one-time passwords. There are a ton of guides to a ton of subtly different methods of doing basically this; I mean only to provide a simple explanation of what worked for me.

Use gpg-agent instead of ssh-agent

Disable ssh-agent if it is running. Use the script below, which is essentially keychain but for gpg-agent: it reuses an already running agent when its environment file still points at a live process, and starts a new one otherwise. I put it in .bashrc rather than .xsession:

 # $XDG_RUNTIME_DIR/gpg-agent-info is written by gpg-agent and contains lines like
 #   GPG_AGENT_INFO=/run/user/1000/S.gpg-agent:12345:1
 #   SSH_AUTH_SOCK=/run/user/1000/S.gpg-agent.ssh
 # The second colon-separated field of the first line is the agent's PID;
 # kill -0 only checks that the process exists, it sends no signal.
 if test -f "$XDG_RUNTIME_DIR/gpg-agent-info" && kill -0 "$(head -n 1 "$XDG_RUNTIME_DIR/gpg-agent-info" | cut -d: -f2)" 2>/dev/null ; then
     # Agent still alive: import its variables into this shell
     eval "$(< "$XDG_RUNTIME_DIR/gpg-agent-info")"
 else
     # No usable agent: start one with ssh support and record its environment
     eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$XDG_RUNTIME_DIR/gpg-agent-info")"
 fi
 export GPG_AGENT_INFO
 export SSH_AUTH_SOCK
Caution: Does not work in GnuPG 2.1+ due to this change.
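The caveat above means the script has to be adapted once GnuPG 2.1 or later is installed: --write-env-file is gone, enable-ssh-support moves into ~/.gnupg/gpg-agent.conf, and the ssh socket is a fixed path that gpgconf reports. The following is an added example, not code from the wiki page, that detects the installed version and applies whichever setup fits; the function names (gpg_is_legacy, gpg_version_from_banner, setup_gpg_ssh_agent) are my own, and the real-agent path is only exercised when you call setup_gpg_ssh_agent yourself.

```sh
#!/bin/sh
# Added example: choose the gpg-agent ssh setup that matches the installed GnuPG.
# Before 2.1, the agent publishes its socket through --write-env-file; from 2.1 on
# the socket path is fixed and reported by `gpgconf --list-dirs agent-ssh-socket`.

# Return 0 (true) when a GnuPG version string such as "2.0.30" is older than 2.1.
gpg_is_legacy() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 1 ]; }
}

# Extract "x.y.z" from `gpg --version` output ("gpg (GnuPG) 2.2.27" on its first
# line). Takes the banner as a string so it can be exercised without gpg present.
gpg_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/^gpg ([^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Export SSH_AUTH_SOCK (and GPG_AGENT_INFO on old versions) into the calling shell.
# Mirrors the page's script for GnuPG < 2.1; on 2.1+ relies on gpgconf and on
# "enable-ssh-support" being set in ~/.gnupg/gpg-agent.conf.
setup_gpg_ssh_agent() {
    gpgbin=$(command -v gpg2 || command -v gpg) || { echo "gpg not found" >&2; return 1; }
    ver=$(gpg_version_from_banner "$("$gpgbin" --version 2>/dev/null)")
    [ -n "$ver" ] || { echo "could not read gpg version" >&2; return 1; }
    if gpg_is_legacy "$ver"; then
        info="$XDG_RUNTIME_DIR/gpg-agent-info"
        if [ -f "$info" ] && kill -0 "$(head -n 1 "$info" | cut -d: -f2)" 2>/dev/null; then
            eval "$(cat "$info")"
        else
            eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$info")"
        fi
        export GPG_AGENT_INFO SSH_AUTH_SOCK
    else
        gpgconf --launch gpg-agent || return 1
        SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) || return 1
        export SSH_AUTH_SOCK
    fi
    echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
}

# Demonstration on constructed version strings (no gpg needed).
for v in 1.4.23 2.0.30 2.1.0 2.2.27; do
    if gpg_is_legacy "$v"; then
        echo "$v: use gpg-agent --write-env-file"
    else
        echo "$v: use gpgconf --list-dirs agent-ssh-socket"
    fi
done
```

Source the file from .bashrc and call setup_gpg_ssh_agent; the version dispatch is what lets the same dotfile survive a distribution upgrade that moves from GnuPG 2.0 to 2.1+.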

Generate an authentication key

I used the method described in this blog post to generate the authentication subkey on the Yubikey itself:

 $ gpg2 --edit-key YOURKEY
 gpg> addcardkey

Select authentication, provide an expiry, create the key, and save. gpg2 -K should show the new subkey, and gpgkey2ssh AUTHKEY should print a public key line suitable for authorized_keys. The first access of the key will present a dialog for the PIN. After that, PIN-less access and OTP generation should work until the Yubikey is unplugged. I did not have to install any smart card related utilities for this to work as expected.

I found that despite being generated on the Yubikey the authentication private key remained on my local keychain. Removing it did not affect ssh behavior.
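To verify the two points above (that gpg2 -K lists the new authentication subkey, and whether the secret material for it sits on the card or in the local keyring), the machine-readable listing is easier to check than the human one. The following is an added example, not from the wiki page: it parses `gpg2 -K --with-colons` output with awk, using the field layout from GnuPG's DETAILS documentation (field 12 = capabilities, where "a" means authenticate; field 15 = the token serial number for card keys, "+" for a key the agent holds on disk, "#" for a stub with no secret key). The sample listing is constructed, with made-up key IDs and serial, and the function names are my own.

```sh
#!/bin/sh
# Added example: find authentication-capable secret subkeys in colon-format
# output and report where each one's private material lives.

# Reads `gpg2 -K --with-colons` output on stdin; prints "<keyid> <where>" per
# auth subkey, where <where> is card:<serial>, disk, or stub.
auth_subkeys() {
    awk -F: '$1 == "ssb" && index($12, "a") > 0 {
        loc = $15
        if (loc == "" || loc == "+")  where = "disk"
        else if (loc == "#")          where = "stub"
        else                          where = "card:" loc
        print $5, where
    }'
}

# True when at least one auth subkey is backed by a token.
has_card_auth_key() {
    auth_subkeys | grep -q ' card:'
}

# Constructed sample (not real keys): an on-card auth subkey, an on-disk
# signing subkey, and an orphaned auth stub.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1450000000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1450000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.org>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1450001000:1481537000:::::a:::D2760001240102010006012345670000:::23:
ssb:u:2048:1:1111222233334444:1450001000:1481537000:::::s:::+:::23:
ssb:u:2048:1:5555666677778888:1450001000:1481537000:::::a:::#:::23:'

echo "Auth subkeys in the constructed sample:"
printf '%s\n' "$SAMPLE_LISTING" | auth_subkeys

# Same check against the real keyring when gpg2 is available.
if command -v gpg2 >/dev/null 2>&1; then
    if gpg2 -K --with-colons 2>/dev/null | has_card_auth_key; then
        echo "At least one authentication subkey is held on a card"
    else
        echo "No card-backed authentication subkey found"
    fi
fi
```

A key that shows up as card:<serial> has only a reference to the token on disk; an entry reported as disk is a full private key in the local keyring, which is the case worth noticing when the intent was to keep the authentication key on the Yubikey.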