Setting up Yubikey+GnuPG on Debian/Jessie

6 Apr

The following steps were successful for me when setting up the Yubikey GnuPG (and ssh authentication through GnuPG) on Debian Jessie running the MATE window manager.

Start by installing the necessary packages

$ sudo apt-get install gnupg-agent scdaemon pcscd pcsc-tools dconf-editor

Change the GnuPG config files to use the gpg-agent with ssh support

$ echo use-agent >> ~/.gnupg/gpg.conf
$ echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

  • As the ordinary user, start dconf-editor
  • Press ctrl-f and search for gnome-compat-startup (in org/mate/desktop/session/gnome-compat-startup)
  • Change the value to ‘smproxy’ (remove ‘keyring’)

Add a udev rule to make sure that the user can access the Yubikey

I didn’t get the udev rule enabling access for the console user (below) to work reliably – the device failed to keep its settings after the screensaver kicked in, so we’ll skip that for now (needs more investigation).

# cat > /etc/udev/rules.d/99-yubikeys.rules
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"

Instead I’m relying on the plugdev group method, which seems to work fine (just make sure that you are a member of plugdev, which can be checked with id):

# cat > /etc/udev/rules.d/99-yubikeys.rules
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"

Log out and log in again. gpg2 --card-status should now work fine!
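The config-file and udev steps above, wrapped into a small POSIX shell script so they can be re-run without duplicating options or mistyping the rule. This is an added example, not code from the original post: the function names, the GNUPGHOME and RULES_DIR override variables and the --run flag are assumptions chosen so the script can be exercised against a scratch directory before it touches ~/.gnupg or /etc/udev/rules.d; the vendor/product IDs and the plugdev rule are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the
# gpg.conf / gpg-agent.conf / udev steps. GNUPGHOME and RULES_DIR are
# assumed override variables so the script can be tried on a scratch
# directory first.
set -eu

# ensure_line FILE LINE: append LINE to FILE unless that exact line is already
# present. Repeating the post's plain `echo ... >>` duplicates the option.
ensure_line() {
    file=$1
    line=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# yubikey_udev_rule: print the plugdev variant of the rule. idVendor 1050 and
# idProduct 0407 are the values from the post. The quotes must be plain ASCII
# double quotes; the typographic quotes a blog editor substitutes are not
# accepted by udev.
yubikey_udev_rule() {
    printf '%s\n' 'SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"'
}

# in_group GROUP [ID_OUTPUT]: succeed if GROUP is among the groups listed in
# the output of `id`. The optional second argument lets captured output be
# checked instead of the current user.
in_group() {
    group=$1
    out=${2:-$(id)}
    # id prints groups=1000(alice),46(plugdev),...; split on commas and look
    # for the exact "(group)" token so "plugdev" does not match "plugdevel".
    printf '%s\n' "$out" | tr ',' '\n' | grep -qF -- "($group)"
}

# configure: apply the steps from the post, reporting what still needs root.
configure() {
    gnupghome=${GNUPGHOME:-${HOME:-$PWD}/.gnupg}
    ensure_line "$gnupghome/gpg.conf" use-agent
    ensure_line "$gnupghome/gpg-agent.conf" enable-ssh-support

    rules_dir=${RULES_DIR:-/etc/udev/rules.d}
    if [ -d "$rules_dir" ] && [ -w "$rules_dir" ]; then
        yubikey_udev_rule > "$rules_dir/99-yubikeys.rules"
    else
        echo "skipping udev rule: $rules_dir is not writable (run as root)" >&2
    fi

    # GROUP="plugdev" hands the device to every plugdev member, so confirm the
    # login user actually is one; otherwise gpg2 --card-status will fail.
    if ! in_group plugdev; then
        echo "warning: $(id -un) is not in plugdev (sudo adduser $(id -un) plugdev)" >&2
    fi
}

# Run only when invoked with --run, e.g.
#   GNUPGHOME=/tmp/gnupg-test RULES_DIR=/tmp/rules sh yubikey-setup.sh --run
if [ "${1:-}" = "--run" ]; then
    configure
fi
```

Run it once as the ordinary user (it only writes the gpg files and warns about the rule), then once as root with RULES_DIR left at its default to install the rule; the plugdev warning is the check the post asks you to do with id.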

Resources used for this post:

Securing SSH with GnuPG

4 Apr

I recently deleted all of my SSH private keys (which felt strange!), turning to GnuPG based authentication with the Yubikey instead.

On an Ubuntu 14.04 installation (one of my development platforms) I needed to take the following steps to make this work. For a more modern release, parts of this information are probably redundant; I’ll make corrections as I install Debian Jessie on another server.

Just got myself a Yubikey

3 Apr

So I finally decided that it was time to beef up security over my private network spanning some 14 machines (ranging from VPSes to Raspberry Pis).

I settled on the concept of a hardware token and after some googling I landed on the Yubico site. So the Yubikey 4 seemed to offer what I was looking for in a reasonable price range:

  • OTP authentication (verified either through the Yubico cloud service or with a private server – open source code)
  • Fixed password authentication (max 38 chars) – as the Yubikey identifies itself as a keyboard, this is ideal for BIOS or hardware encryption passwords
  • OpenPGP (GnuPG, for us Linux people) support – can store three 4096 bit RSA keys as an emulated smartcard – typically the keys for signing, decryption and authentication (like SSH login)
  • FIDO U2F – the new 2nd factor authentication standard as supported by Google, Github and Dropbox among others. Only supported in the Chrome web browser for now. Local authentication seems possible as well.

I’ve just started trying it out (GnuPG was first out) – first impressions will follow!