One-time Hardware Setup

  • Yubikey 4 needs to be enabled for OTP+CCID+U2F+PGP modes concurrently:
    sudo ykpersonalize -m86

    (Use -m85 to disable OTP mode for nanos)

  • Set up udev rules to allow non-root access to the YubiKey from GPG (taken from and modified slightly for YubiKey 4):
    ACTION!="add|change", GOTO="yubico_end"
    # Udev rules for letting the console user access the Yubikey USB
    # device node, needed for challenge/response to work correctly.
    # Yubico Yubikey 4 (0407=nano)
    # The ENV assignment is the one from Yubico's stock 69-yubikey.rules; the
    # original wiki line was cut off after the match keys.
    ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SECURITY_TOKEN}="1"
    LABEL="yubico_end"
    # Kill scdaemon when the key is unplugged so gpg-agent re-opens the card on
    # the next insert. Keep this after the label: "remove" events skip the block above.
    ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{SUBSYSTEM}=="usb", RUN+="/usr/bin/pkill scdaemon"
  • Install and run the pcsc-lite package:
    equo install pcsc-lite
    systemctl enable --now pcscd.service

Generate PGP keys


  • Default PIN: 123456 (minimum 6 digits)
  • Default admin PIN: 12345678 (minimum 8 digits)
  • If locked out, the PIN retry counter in gpg --card-status might look like 3 0 3. They can be reset using the instructions here (wipes any PGP keys on the YubiKey, but doesn't seem to harm U2F tokens).
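Two small checks for the steps above, added here as an example and not part of the original wiki page: one parses the PIN retry counter line of gpg --card-status output to tell a locked user PIN from a locked admin PIN, the other catches the typographic quotes that creep into udev rules when they are pasted from a web page. Function names, the sample card output and the rules path in the comments are my own.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: two sanity checks for
# the setup above. Function names and the sample text are my own.

# pin_retry_status TEXT
# Parses the "PIN retry counter : A B C" line of `gpg --card-status` output
# passed in as TEXT. Field order on an OpenPGP card: user PIN, reset code,
# admin PIN. A reset-code count of 0 only means no reset code has been set.
# Returns 0 when usable, 1 if the user PIN is locked (the admin PIN can
# unblock it), 2 if the admin PIN is locked (only a factory reset recovers
# the card), 3 if the line is missing or malformed.
pin_retry_status() {
  counters=$(printf '%s\n' "$1" | sed -n 's/^PIN retry counter *: *//p')
  set -- $counters
  [ $# -eq 3 ] || { echo "unparsed"; return 3; }
  if [ "$3" -eq 0 ]; then echo "admin-locked"; return 2; fi
  if [ "$1" -eq 0 ]; then echo "user-locked"; return 1; fi
  echo "ok user=$1 reset=$2 admin=$3"
}

# check_udev_quotes FILE
# udev only accepts ASCII double quotes; rules pasted from a web page often
# carry typographic quotes (as the "remove" rule above renders in some
# browsers) and udev then rejects the whole line as invalid. Prints the
# offending lines and returns 1 if any non-ASCII byte is present, 0 if clean.
check_udev_quotes() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  if LC_ALL=C grep -n '[^[:print:][:blank:]]' "$1"; then
    echo "non-ASCII characters found in $1: retype the quotes" >&2
    return 1
  fi
  return 0
}

# Live use on the real machine (left as comments so the file runs offline;
# the rules path is a placeholder, use whatever name you installed):
#   pin_retry_status "$(gpg --card-status 2>/dev/null)"
#   check_udev_quotes /etc/udev/rules.d/<your-yubikey>.rules
```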

Setup KDE Plasma

  • Disable any existing GPG or SSH agent startup scripts
  • Enable the GPG daemon with ssh support on startup:
    if [ -x /usr/bin/gpg-agent ]; then
      eval "$(/usr/bin/gpg-agent --daemon --enable-ssh-support --write-env-file ~/.gpg-agent-info)"
    fi
    # Note: GnuPG 2.1+ dropped --write-env-file; there the agent starts on demand and only
    # SSH_AUTH_SOCK needs setting: export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  • Generate the SSH public key string to go in ~/.ssh/authorized_keys (or LDAP) using:
    gpgkey2ssh <authentication subkey id>
    # GnuPG 2.1.11+ removed gpgkey2ssh; use: gpg --export-ssh-key <authentication subkey id>
yubikey.txt · Last modified: 2017/10/16 19:26 by ben