• Yubikey 4 needs to be enabled for OTP+CCID+U2F+PGP modes concurrently:

  sudo ykpersonalize -m86

  (Use -m85 to disable OTP mode for nanos)

• Setup udev rules to allow non-root access to the yubikey with GPG (Taken from https://finninday.net/wiki/index.php/Yubikey#create_udev_rule_for_yubikey and modified slightly for yubikey v4:

  /etc/udev/rules.d/69-yubikey.rules

  ACTION!="add|change", GOTO="yubico_end"
   
  # Udev rules for letting the console user access the Yubikey USB
  # device node, needed for challenge/response to work correctly.
   
  # Yubico Yubikey 4 (0407=nano)
  ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", \
      ENV{ID_SECURITY_TOKEN}="1"
   
  LABEL="yubico_end"
   
  ACTION==”remove”, ENV{ID_VENDOR_ID}=”1050″, ENV{SUBSYSTEM}==”usb”, RUN+=”/usr/bin/pkill scdaemon”

• Install and run the pscs-lite package;

  equo install pcsc-lite
  systemctl enable --now pcscd.service

• Follow instructions https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ to do the following:
  • Generate an offline Master key
  • Generate an offline Encryption key, and import it into the yubikey
  • Generate Authentication and Signing keys directly on the yubikey

Notes:

• Default PIN: 123456 (minimum 6 digits)
• Default admin PIN: 12345678 (minimum 8 digits)
• If locked out, gpg –card-status PIN retry counter might look like 3 0 3. They can be reset using the instructions here https://developers.yubico.com/ykneo-openpgp/ResetApplet.html (wipes any PGP keys on the yubikey, but doesn't seem to harm U2F tokens).

• Disable any exisitng GPG or SSH agent startup scripts
• Enable the GPG daemon with ssh support on startup:

  /etc/plasma/startup/agent-startup.sh

  if [ -x /usr/bin/gpg-agent ]; then
    eval "$(/usr/bin/gpg-agent --daemon --enable-ssh-support --write-env-file ~/.gpg-agent-info)"
  fi

• Generate the SSH public key string to go in ~/.ssh/authorized_keys (or LDAP) using:

  gpgkey2ssh <authentication subkey id>