Setting up Yubikey+GnuPG on Debian/Jessie

6 Apr

The following steps were successful for me when setting up the Yubikey GnuPG (and ssh authentication through GnuPG) on Debian Jessie running the MATE window manager.

Start by installing the necessary packages

$ sudo apt-get install gnupg-agent scdaemon pcscd pcsc-tools dconf-editor

Change the GnuPG config files to use the gpg-agent with ssh support

$ echo "use-agent" >> ~/.gnupg/gpg.conf
$ echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

  • As the ordinary user, start dconf-editor
  • Press ctrl-f and search for gnome-compat-startup (in org/mate/desktop/session/gnome-compat-startup)
  • Change the value to ‘smproxy’ (remove ‘keyring’)

Add a udev rule to make sure that the user can access the Yubikey

I didn’t get the udev rule enabling access for the console user (below) to work reliably – the device failed to keep its settings after the screensaver kicked in, so we’ll skip that for now (needs more investigation).

# cat > /etc/udev/rules.d/99-yubikeys.rules
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"

Instead I’m relying on the plugdev group method, which seems to work fine (just make sure that you are a member of plugdev, which can be checked with id):

# cat > /etc/udev/rules.d/99-yubikeys.rules
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"

Log out and log in again. gpg2 --card-status should now work fine!
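
If gpg2 --card-status still fails, the following check script (an added example, not part of the original post) verifies the state the steps above should leave behind: the two GnuPG options, the plugdev udev rule, and group membership in the current session. The function names and the --run switch are made up for this example; the file paths, USB IDs and group are the ones used above.

```shell
#!/bin/sh
# Added example: verify the configuration produced by the steps in this post.

# True if FILE ($1) has OPTION ($2) alone on an uncommented line.
# A line pasted with typographic quotes around the option does not match.
has_line() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"
}

# True if one uncommented rule in FILE ($1) matches vendor $2 and product $3
# and assigns GROUP="$4". Fixed-string matching on ASCII quotes, so a rule
# pasted with typographic quotes is reported as missing.
rule_grants_group() {
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" \
        | grep -F "ATTRS{idVendor}==\"$2\"" \
        | grep -F "ATTRS{idProduct}==\"$3\"" \
        | grep -Fq "GROUP=\"$4\""
}

# True if the current login session already carries group $1
# (a freshly added group only shows up after logging in again).
in_group() {
    id -nG 2>/dev/null | tr ' ' '\n' | grep -Fxq "$1"
}

# Args (all optional): GnuPG directory, udev rules file, group name.
check_yubikey_setup() {
    dir=${1:-"$HOME/.gnupg"}
    rules=${2:-/etc/udev/rules.d/99-yubikeys.rules}
    grp=${3:-plugdev}
    rc=0
    has_line "$dir/gpg.conf" use-agent \
        || { echo "FAIL: use-agent not set in $dir/gpg.conf"; rc=1; }
    has_line "$dir/gpg-agent.conf" enable-ssh-support \
        || { echo "FAIL: enable-ssh-support not set in $dir/gpg-agent.conf"; rc=1; }
    rule_grants_group "$rules" 1050 0407 "$grp" \
        || { echo "FAIL: no rule for 1050:0407 with GROUP=\"$grp\" in $rules"; rc=1; }
    in_group "$grp" \
        || { echo "FAIL: this session is not in group $grp"; rc=1; }
    return "$rc"
}

# Run against the live system only when asked: sh check.sh --run
case "${1:-}" in --run) check_yubikey_setup ;; esac
```

The checks only read files and the output of id, so the script runs as the ordinary user.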

Resources used for this post:

https://wiki.debian.org/Smartcards/YubiKey4
https://wiki.debian.org/Smartcards/OpenPGP