User Tools

Site Tools


yubikey

One-time Hardware Setup

  • Yubikey 4 needs to be enabled for OTP+CCID+U2F+PGP modes concurrently:
    sudo ykpersonalize -m86

    (Use -m85 to disable OTP mode for nanos)

  • Setup udev rules to allow non-root access to the yubikey with GPG (Taken from https://finninday.net/wiki/index.php/Yubikey#create_udev_rule_for_yubikey and modified slightly for yubikey v4:
    /etc/udev/rules.d/69-yubikey.rules
    ACTION!="add|change", GOTO="yubico_end"
     
    # Udev rules for letting the console user access the Yubikey USB
    # device node, needed for challenge/response to work correctly.
     
    # Yubico Yubikey 4 (0407=nano)
    ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", \
        ENV{ID_SECURITY_TOKEN}="1"
     
    LABEL="yubico_end"
     
    ACTION==”remove”, ENV{ID_VENDOR_ID}=”1050″, ENV{SUBSYSTEM}==”usb”, RUN+=”/usr/bin/pkill scdaemon”
  • Install and run the pscs-lite package;
    equo install pcsc-lite
    systemctl enable --now pcscd.service

Generate PGP keys

Notes:

  • Default PIN: 123456 (minimum 6 digits)
  • Default admin PIN: 12345678 (minimum 8 digits)
  • If locked out, gpg –card-status PIN retry counter might look like 3 0 3. They can be reset using the instructions here https://developers.yubico.com/ykneo-openpgp/ResetApplet.html (wipes any PGP keys on the yubikey, but doesn't seem to harm U2F tokens).

Setup KDE Plasma

  • Disable any exisitng GPG or SSH agent startup scripts
  • Enable the GPG daemon with ssh support on startup:
    /etc/plasma/startup/agent-startup.sh
    if [ -x /usr/bin/gpg-agent ]; then
      eval "$(/usr/bin/gpg-agent --daemon --enable-ssh-support --write-env-file ~/.gpg-agent-info)"
    fi
  • Generate the SSH public key string to go in ~/.ssh/authorized_keys (or LDAP) using:
    gpgkey2ssh <authentication subkey id>
yubikey.txt · Last modified: 2017/10/16 19:26 by ben