Adding existing GnuPG keys+Yubikey to new Mac client

I originally generated my GnuPG keys on a secure Windows client for SSH authentication and moved the private keys to my YubiKey. Recently I wanted to use another client to SSH to the SSH host, so I wanted to configure it using the same keys. It turns out it was super simple for a couple of reasons: I already have my GnuPG keys generated and stored on my YubiKey, and macOS was way easier to get working.

IMPORTANT NOTE: This is not a step-by-step tutorial; it is a configuration guide, and it assumes you have IT skills and know what you are doing. It also assumes bash is the default shell.

Configuration Files edited

macOS Client

  • ~/.gnupg/gpg-agent.conf
  • ~/.bash_profile

Linux/OpenSSH Host

  • none: the host already accepts the same authentication subkey from the original Windows setup, so nothing changes there

Configuration on the macOS Client

First, make sure GnuPG is installed. I used the GPG Suite package from GPGTools, which comes with a nice graphical key management interface (GPG Keychain). Once it is installed, import your public key however you like (GPG Keychain or gpg --import). Once it is loaded, change the owner trust to ultimate; that level is appropriate only because it is your own key.

Now for the fun part: your public key is loaded, but you need to tell gpg you have the private key. It's so simple. Plug in the YubiKey and enter the following command:

gpg --card-status

This command displays the keys on your smartcard. It also recognizes that the keys on the card match the public key already in your keychain and writes private-key stubs that point at the card, so when you now look at the details of your key in the keychain you will see the corresponding private key too. gpg can only link the card to a public key it already has, so if the secret key does not show up, import the public key and run gpg --card-status again.

Notice that, unlike Windows, I did not have to configure a reader port or anything in the config for GPG to use the YubiKey. It just kind of worked.

Now that your gpg keychain has your public/private key loaded, let's configure macOS to use the GnuPG authentication key when using SSH.

The GPG agent needs to be configured to enable ssh support. The contents of my working gpg-agent.conf file look like this (the two cache values are in seconds; enable-ssh-support makes gpg-agent also speak the ssh-agent protocol):

 default-cache-ttl 600
 max-cache-ttl 7200
 enable-ssh-support 

After editing the file, restart the agent with gpgconf --kill gpg-agent so it re-reads its configuration.

Next, configure your .bashrc or .bash_profile (or whatever shell startup script gets loaded) to contain the following lines. This ensures the GPG agent gets launched (and sets the SSH_AUTH_SOCK environment variable so ssh talks to the GPG agent) whenever you open a terminal window. This code I found, and slightly modified (added the KILLAGENT line), on this website (thanks GitHub; this page helped a lot when getting this to work).

 # Launch gpg-agent. KILLAGENT stops any running instance first so a fresh
 # one picks up gpg-agent.conf; note that this also drops any cached PIN and
 # restarts the agent for every other open terminal.
 gpg-connect-agent KILLAGENT /bye
 gpg-connect-agent /bye 

 # When using SSH support, use the current TTY for passphrase/PIN prompts
 gpg-connect-agent updatestartuptty /bye > /dev/null
 
 # Point SSH_AUTH_SOCK at the socket handled by gpg-agent
 GPG_SSH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
 if [ -S "$GPG_SSH_SOCK" ]; then
   export SSH_AUTH_SOCK="$GPG_SSH_SOCK"
 else
   echo "$GPG_SSH_SOCK doesn't exist. Is gpg-agent running?"
 fi 

Close and reopen your terminal window to ensure gpg-agent is launched properly; echo $SSH_AUTH_SOCK should now print the agent-ssh-socket path.

Only one last thing to do – make sure gpg-agent offers your authentication key to SSH. On Windows I did this by adding the keygrip associated with my authentication subkey to the sshcontrol file. On Mac, I used the ssh-add command:

ssh-add
ssh-add -l

The second command lists the keys gpg-agent is currently offering to SSH. With the YubiKey plugged in, its authentication key appears here even without an sshcontrol entry, because gpg-agent offers the keys of an inserted card automatically; sshcontrol is only needed for keys that live on disk in the agent's store. If the host still needs the key, ssh-add -L prints it in authorized_keys format.
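As an added example that is not part of the original post, the following POSIX shell script does the keygrip bookkeeping described above in a repeatable way: it pulls the authentication subkey's keygrip out of a gpg -K --with-keygrip --with-colons listing, adds it to an sshcontrol-format file exactly once, and in live mode runs the card and agent checks from this post. It relies only on GnuPG's documented --with-colons record layout; the sample listing (key IDs, fingerprints, keygrips and card serial) is constructed, and the names auth_keygrip, sshcontrol_add and SAMPLE_LISTING are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find the authentication
# subkey's keygrip in a `gpg -K --with-keygrip --with-colons` listing, keep
# it in an sshcontrol file idempotently, and (live mode only) run the
# card/agent checks. auth_keygrip, sshcontrol_add and SAMPLE_LISTING are
# names chosen for this example.

# Constructed --with-colons listing standing in for real gpg output; key IDs,
# fingerprints, keygrips and the card serial are fake. Field 12 is the
# capability field (lowercase a = this key can authenticate), field 15 the
# token serial, and the grp record after each sec/ssb record is its keygrip.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::cESC:::D2760001240102010006012345670000:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::e:::D2760001240102010006012345670000:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:4096:1:1122334455667788:1500000000::::::a:::D2760001240102010006012345670000:
fpr:::::::::0000000000000000000000001122334455667788:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:'

# Print the keygrip of the first key in the listing (stdin) whose capability
# field contains a lowercase 'a'. An uppercase 'A' on a sec record describes
# the key as a whole, not the primary key itself, so it is not matched.
# Prints nothing when no key can authenticate.
auth_keygrip() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" { want = (index($12, "a") > 0) }
    want && $1 == "grp"         { print $10; exit }
  '
}

# Append "<keygrip> 0" (0 = agent default TTL) to the sshcontrol-format file
# $2 unless keygrip $1 is already listed, and keep the file owner-only.
# Only keys stored on disk in the agent's store need an entry; gpg-agent
# offers a plugged-in card's authentication key to SSH on its own.
sshcontrol_add() {
  grip=$1
  file=$2
  [ -f "$file" ] || : > "$file"
  chmod 600 "$file"
  if grep -qi "^$grip" "$file"; then
    return 0
  fi
  printf '%s 0\n' "$grip" >> "$file"
}

# Live mode (sh this_script.sh --live) needs gpg, gpg-agent with
# enable-ssh-support, and the YubiKey plugged in; otherwise the script just
# demonstrates the parser on the constructed listing.
if [ "${1:-}" = "--live" ]; then
  gpg --card-status > /dev/null                   # create/refresh the card's key stubs
  grip=$(gpg -K --with-keygrip --with-colons | auth_keygrip)
  echo "authentication keygrip: $grip"
  sshcontrol_add "$grip" "$HOME/.gnupg/sshcontrol"   # harmless for a card key
  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  export SSH_AUTH_SOCK
  ssh-add -l                                      # the card key should be listed
  ssh-add -L                                      # authorized_keys line for the host
else
  printf '%s\n' "$SAMPLE_LISTING" | auth_keygrip  # prints the CCCC... keygrip
fi
```

The parser keys on the capability field rather than on key position, so it still picks the right subkey when the authentication key is not the last one listed, and it returns nothing (rather than a wrong key) for a keyring with no authentication-capable key.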

That's it, I can now SSH using my keys. When I issue the ssh command with the YubiKey plugged in, I get prompted for my PIN and off I go.