Configure Yubikey NEO with GPG and Pass
Environment configuration
Debian stable (bookworm).
Software dependencies
Install requirements and configure gpg2 to be the default gpg:
sudo apt install libpam-yubico libyubikey-dev libyubikey0 python-yubico-tools yubikey-personalization gnupg gnupg-agent gnupg2 gpgv openssh-client gpgsm pcscd libccid pass
Uninstall gnome-keyring:
sudo apt remove libpam-gnome-keyring gnome-keyring
Xorg environment
This is a matter of preference: I do not use a display manager; if you do, you may want to put this in your .xsession file instead.
Warning: this configuration gives your gpg-agent (which also acts as your ssh-agent) a single state shared across the whole window manager session. Once you have unlocked a key, any application running in the session may be able to use the resources that key protects until the agent's cache entry expires. If you're not sure of what you're doing, do not use my Xorg configuration.
.xinitrc
pkill -9 -u "$USER" -x gpg-agent
pkill -9 -u "$USER" -x ssh-agent
pkill -9 -u "$USER" -x xss-lock
pkill -9 -u "$USER" -x xscreensaver
xscreensaver -nosplash &> /dev/null &
xss-lock -- xscreensaver-command -lock &> /dev/null &
setxkbmap us # kbd layout preset
xmodmap ~/.Xmodmap # kbd styling
xrdb -merge ~/.Xresources # X styling
#xhost +SI:localuser:$USER # Disable access control
xsetroot -cursor_name left_ptr # Fallback cursor
xset r rate 200 60 # Keyboard repeat rate
# start gpg-agent (it also acts as ssh-agent), then the `notion' window manager
gpgconf --kill gpg-agent
eval "$(gpg-agent \
    --daemon \
    --enable-ssh-support \
    --max-cache-ttl 720 \
    --max-cache-ttl-ssh 720)"
# GnuPG 2.1+ no longer prints the ssh socket path; ask gpgconf for it
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK
# `eval' is a shell builtin, so dbus-launch cannot execute it: exec the window manager directly
exec dbus-launch --exit-with-session notion
.bashrc
export GNUPGHOME="$HOME/.gnupg"
# legacy (GnuPG 2.0): pick up an agent environment written with --write-env-file
if [ -f "${GNUPGHOME}/gpg-agent.env" ]; then
    source "${GNUPGHOME}/gpg-agent.env"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi
# GnuPG 2.1+: the agent socket lives at a fixed location, ask gpgconf for it
if [ -z "$SSH_AUTH_SOCK" ] && command -v gpgconf > /dev/null; then
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
fi
# tell pinentry which terminal to prompt on
GPG_TTY=$(tty)
export GPG_TTY
Make yourself the owner of the Yubikey
# lsusb prints the ids as 0x1050; udev matches them without the 0x prefix
eval "$(lsusb -v 2>/dev/null | grep -A1 'idVendor.*Yubico' | awk '/idVendor|idProduct/ { sub(/^0x/, "", $2); print $1 "=" $2 }')"
# single quotes keep the double quotes the udev rule syntax requires
printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", OWNER="%s"\n' "$idVendor" "$idProduct" "$USER" > /tmp/tmptmp
sudo cp -v /tmp/tmptmp /etc/udev/rules.d/50-yubikey.rules
sudo chown root:root /etc/udev/rules.d/50-yubikey.rules
rm /tmp/tmptmp
sudo udevadm control --reload
At this point you should restart Xorg:
pkill -u $USER
[...]
startx
Review gpg programs:
gpgconf --check-programs
Validate configuration
Smart card access
Verify you have sufficient privileges to access the Yubikey through gpg:
gpg --card-status
Gnupg agent wrapping
With this configuration your gpg-agent wraps your entire window manager. This means that if you add an ssh key to the agent from one terminal ($GPG_TTY), you will be able to use it from any other terminal, as long as this respects the way you've configured your agent (for example its cache TTL).
To test this behavior:
- Open a terminal
- Add an ssh key to the agent
ssh-add ~/.ssh/somekey
<feed password prompt>
- Verify you can use the key
ssh user@somehost-allowing-somekey-logins
- Open a second terminal
- Verify you can use the key without being prompted for password
ssh user@somehost-allowing-somekey-logins
Create GPG keys
Generate master key:
gpg --expert --gen-key
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 4
[...]
Generate sub-keys for Encryption, Signing, and Authentication:
gpg --expert --edit-key
gpg> addkey
Key is protected.
[...]
gpg> save
Optionally add your picture
gpg --edit-key <key-id>
addphoto
[...]
save
Configure your Yubikey
Resetting defaults
Optionally, you can reset the OpenPGP applet on your Yubikey to its factory state (this erases any keys stored on the card) by doing this:
cat > /tmp/reset_yubikey<<EOF
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.
EOF
gpg-connect-agent -r /tmp/reset_yubikey
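As an added example (not part of the original page), a small POSIX sh script that decodes the APDUs the reset script above sends and checks that the sequence really exhausts both PIN retry counters before the terminate/activate pair; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: decode the OpenPGP card APDUs in the
# reset script and check the "block both PINs, then TERMINATE DF + ACTIVATE FILE" order.
# decode_apdu "CLA INS P1 P2 Lc DATA..." -> one-line description of the command
decode_apdu() {
    set -- $1                          # split the hex bytes into $1, $2, ...
    ins=$2; p2=$4; lc=$5
    case "$ins" in
        20)                            # VERIFY: P2 selects the password slot
            case "$p2" in
                81) slot="PW1 (user PIN)" ;;
                83) slot="PW3 (admin PIN)" ;;
                *)  slot="unknown slot $p2" ;;
            esac
            # Lc bytes of candidate PIN follow; 0x40 x 8 is "@@@@@@@@", wrong on
            # purpose, so each call burns one retry until the counter hits 0
            echo "VERIFY $slot with a 0x$lc-byte candidate (wrong on purpose)" ;;
        e6) echo "TERMINATE DF (only accepted once PW1 and PW3 are both blocked)" ;;
        44) echo "ACTIVATE FILE (re-creates the OpenPGP application with factory defaults)" ;;
        *)  echo "unknown INS $ins" ;;
    esac
}

# check_reset_script FILE: print each APDU decoded; return 0 only if both PIN
# retry counters (3 attempts each on a NEO) are exhausted before TERMINATE DF
check_reset_script() {
    file=$1; pw1=0; pw3=0; ok=1
    while read -r cmd sub bytes; do
        [ "$cmd $sub" = "scd apdu" ] || continue   # skip /hex, serialno, /echo
        echo "$bytes  ->  $(decode_apdu "$bytes")"
        set -- $bytes
        case "$2/$4" in
            20/81) pw1=$((pw1 + 1)) ;;
            20/83) pw3=$((pw3 + 1)) ;;
            e6/*)  if [ "$pw1" -ge 3 ] && [ "$pw3" -ge 3 ]; then ok=0; fi ;;
        esac
    done < "$file"
    return $ok
}

# constructed copy of the page's reset script, so this runs without a card
RESET_SCRIPT=$(mktemp)
{
    echo '/hex'; echo 'scd serialno'
    for p2 in 81 81 81 81 83 83 83 83; do
        echo "scd apdu 00 20 00 $p2 08 40 40 40 40 40 40 40 40"
    done
    echo 'scd apdu 00 e6 00 00'; echo 'scd apdu 00 44 00 00'
} > "$RESET_SCRIPT"
check_reset_script "$RESET_SCRIPT" && echo "reset sequence is complete"
```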
Test
List devices
ykneomgr -l
Configuration
Configure for HID/CCID with touch eject
ykneomgr -M 82
Configure key for OTP/U2F/CCID composite device with touch eject.
ykpersonalize -m 86
Default PINs
The default PIN is 123456 and the default admin PIN is 12345678.
To change the default admin PIN perform the following:
gpg --card-edit
admin
passwd
3
12345678
<confirm new admin PIN>
<confirm new admin PIN>
To change the default PIN
gpg --card-edit
admin
passwd
1
123456
<confirm new PIN>
<confirm new PIN>
Identification details
The card stores cardholder details (name, sex, language, URL); to customize them follow these steps:
gpg --card-edit
admin
name
sex
lang
url
list
quit
Upload keys to GPG card
Backup keys
Back up your keyring, primary key, and subkeys, and generate a revocation certificate for the primary key:
mkdir -p ~/gpg_backup/{primary_keys,sub_keys,laptop_keys}
cp -r ~/.gnupg ~/gpg_backup/dot-gnupg-backup
gpg --armor --export <key-id> > ~/gpg_backup/primary_keys/public_key.gpg
gpg --armor --export-secret-key <key-id> > ~/gpg_backup/primary_keys/secret_key.gpg
gpg -a --export-secret-subkeys <key-id> > ~/gpg_backup/sub_keys/secret_subkeys.gpg
gpg --armor --gen-revoke <key-id> > ~/gpg_backup/primary_keys/revocation_cert.gpg
Upload your keys
gpg --expert --edit-key <key-id>
gpg> toggle
gpg> key 1
gpg> keytocard
Your selection? 1
gpg> key 1
gpg> key 2
gpg> keytocard
gpg> key 2
gpg> key 3
gpg> keytocard
gpg> save
Send your public key to keyserver
gpg --send-key <key-id>
Remove new keys from keyring
gpg --delete-secret-keys <key-id>
gpg --delete-key <key-id>
Import laptop keys:
gpg --import laptop_keys_public.gpg
gpg --import laptop_keys_secret.gpg
Trust your encryption key:
gpg --edit-key <key-id>
gpg> trust
5
Configure `pass'
pass init <key-id>