====== One-time Hardware Setup ======
* Yubikey 4 needs to be enabled for OTP+CCID+U2F+PGP modes concurrently:
sudo ykpersonalize -m86
(Use ''-m85'' to disable OTP mode for nanos)
* Set up udev rules to allow non-root access to the YubiKey with GPG (taken from [[https://finninday.net/wiki/index.php/Yubikey#create_udev_rule_for_yubikey]] and modified slightly for the YubiKey 4):
ACTION!="add|change", GOTO="yubico_end"
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
# Yubico Yubikey 4 (0407=nano)
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", \
ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
# On unplug, kill scdaemon so it re-enumerates the card on the next insert.
# Note the ENV{...}== comparisons: a single "=" in udev is an assignment, not a match.
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{SUBSYSTEM}=="usb", RUN+="/usr/bin/pkill scdaemon"
* Install and run the ''pcsc-lite'' package:
equo install pcsc-lite
systemctl enable --now pcscd.service
====== Generate PGP keys ======
* Follow the instructions at [[https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/]] to do the following:
  * Generate an offline Master key
  * Generate an offline Encryption key, and import it into the YubiKey
  * Generate Authentication and Signing keys directly on the YubiKey
Notes:
* Default PIN: 123456 (minimum 6 digits)
* Default admin PIN: 12345678 (minimum 8 digits)
* If locked out, the ''PIN retry counter'' line of ''gpg --card-status'' might look like ''3 0 3''. The counters can be reset using the instructions at [[https://developers.yubico.com/ykneo-openpgp/ResetApplet.html]] (this wipes any PGP keys on the YubiKey, but doesn't seem to harm U2F tokens).
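As an added example (not from the original page or from Yubico), a small POSIX shell helper that parses the ''PIN retry counter'' line of ''gpg --card-status'' so a script can tell which PIN is exhausted before deciding on a reset. The card-status text below is constructed; the field order (user PIN, Reset Code, Admin PIN) is GnuPG's.

```shell
#!/bin/sh
# Added example: parse the "PIN retry counter" line of `gpg --card-status`.
# Field order as documented by GnuPG: user PIN, Reset Code, Admin PIN.

# Constructed, abridged card-status output for a card whose user PIN is exhausted.
SAMPLE_LOCKED='Reader ...........: Yubico Yubikey 4 OTP U2F CCID 00 00
Version ..........: 2.1
PIN retry counter : 0 0 3
Signature counter : 12'

# Constructed output for a card with the user PIN intact and no Reset Code set.
SAMPLE_FRESH='Version ..........: 2.1
PIN retry counter : 3 0 3
Signature counter : 0'

# Print "user=<n> reset=<n> admin=<n>" for the given card-status text.
retry_counters() {
    printf '%s\n' "$1" | awk -F': *' '/^PIN retry counter/ {
        split($2, c, " ")
        printf "user=%s reset=%s admin=%s\n", c[1], c[2], c[3]
    }'
}

# Return 0 if the user PIN still has retries, 1 if it is locked (counter 0),
# 2 if no "PIN retry counter" line was found (no card, or scdaemon stuck).
user_pin_ok() {
    n=$(printf '%s\n' "$1" | awk -F': *' '/^PIN retry counter/ { split($2, c, " "); print c[1] }')
    [ -z "$n" ] && return 2
    [ "$n" -eq 0 ] && return 1
    return 0
}

# Live use (card inserted, pcscd running):
#   status=$(gpg --card-status 2>/dev/null) && retry_counters "$status"
```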
====== Setup KDE Plasma ======
* Disable any existing GPG or SSH agent startup scripts
* Enable the GPG daemon with ssh support on startup:
# Start gpg-agent as the SSH agent. --write-env-file is a GnuPG 2.0 option;
# GnuPG 2.1 and later removed it (the agent is started on demand, and
# enable-ssh-support goes in ~/.gnupg/gpg-agent.conf instead).
if [ -x /usr/bin/gpg-agent ]; then
    eval "$(/usr/bin/gpg-agent --daemon --enable-ssh-support --write-env-file ~/.gpg-agent-info)"
fi
* Generate the SSH public key string to go in ''~/.ssh/authorized_keys'' (or LDAP) using:
gpgkey2ssh