I originally generated my GnuPG keys on a secure Windows client for SSH authentication and moved the private keys to my Yubikey. Recently I wanted to use another client to SSH to the SSH host, so I wanted to configure it using the same keys. It turned out to be super simple for a couple of reasons: I already have my GnuPG keys generated and stored on my Yubikey, and MacOS was way easier to get working.
IMPORTANT NOTE: This is not a step-by-step tutorial, it is a configuration guide and it assumes you have IT skills and know what you are doing. It also assumes bash is the default shell.
Configuration Files edited
MacOS Client
- ~/.gnupg/gpg-agent.conf
- ~/.bash_profile
Linux/OpenSSH Host
- None. This document assumes that OpenSSH is configured and working properly to authenticate with keys as per my other configuration document.
Configuration on the MacOS Client
First, make sure GnuPG is installed. I used the GPG Tools package, which comes with a nice graphical key management interface. Once it is installed, import your public key however you like. Once it is loaded, change the trust to ultimate.
Now for the fun part: your public key is loaded but you need to tell gpg that you have the private key. It's so simple. Plug in the Yubikey and enter the following command:
gpg --card-status
This command should display the keys on your smartcard. It will also recognize that the keys installed on the card match the public key already in your keychain. When you now look at the details of your key in the keychain, you will see the corresponding private key too.
Notice that unlike Windows, I did not have to configure a reader-port or anything in the config for GPG to use the Yubikey. It just kind of worked.
Now that your gpg keychain is loaded up with your public/private key, let's configure MacOS to use the GnuPG authentication key when using SSH.
The GPG agent needs to be configured to enable ssh support. The contents of my working gpg-agent.conf file looks like this:
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
Next, configure your .bashrc or .bash_profile (or whatever shell startup profile script gets loaded) to contain the following lines. This ensures the GPG agent gets launched (and sets an important SSH environment variable directing SSH to use the GPG agent) whenever you open a terminal window. I found this code on this website and slightly modified it (I added the KILLAGENT line). Thanks GitHub, this page helped a lot when getting this to work.
# Launch gpg-agent (kill any stale agent first so a fresh one starts)
gpg-connect-agent KILLAGENT /bye
gpg-connect-agent /bye
# When using SSH support, use the current TTY for passphrase prompts
gpg-connect-agent updatestartuptty /bye > /dev/null
# Point SSH_AUTH_SOCK at the socket handled by gpg-agent
# (the path is quoted so a directory name containing spaces does not break the test)
if [ -S "$(gpgconf --list-dirs agent-ssh-socket)" ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
else
  echo "$(gpgconf --list-dirs agent-ssh-socket) doesn't exist. Is gpg-agent running?"
fi
Close and open your terminal window to ensure gpg-agent is launched properly.
Only one last thing to do: add your SSH key to the list of keys allowed to authenticate with SSH. On Windows I did this by adding the keygrip associated with my authentication subkey to the sshcontrol file. On the Mac, I used the ssh-add command:
ssh-add
ssh-add -l
The second command should list the keys that were added.
That's it, I can now SSH using my keys. When I issue the ssh command with the YubiKey plugged in, I get prompted for my PIN and off I go.
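The sshcontrol route mentioned above for Windows is the same mechanism gpg-agent uses on the Mac. As an added example (not from the original post, and not GnuPG's own tooling), the script below pulls the authentication subkey's keygrip out of the colon-format listing gpg prints for gpg -K --with-colons --with-keygrip and appends it to an sshcontrol file only if it is not already there. The listing and its key IDs and keygrips are constructed sample data, so it runs offline; point it at a real listing and your real ~/.gnupg/sshcontrol to use it.

```shell
#!/bin/sh
# Added example: locate the [A] subkey's keygrip in gpg's colon listing and
# make sure it is present in gpg-agent's sshcontrol file.

# Constructed sample listing (fake key IDs and keygrips, not real keys).
# Field 12 of an "ssb" record holds the subkey's capabilities (e = encrypt,
# a = authenticate); the following "grp" record carries its keygrip in field 10.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1600000000::u:::cESCA:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::AAAA::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::e:::+:::23:
fpr:::::::::00000000000000000000000000000000FEDCBA98:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:1122334455667788:1600000000::::::a:::+:::23:
fpr:::::::::0000000000000000000000000000000011223344:
grp:::::::::3333333333333333333333333333333333333333:'

# auth_keygrip: read a colon listing on stdin, print the keygrip of every
# subkey whose capability field contains "a".
auth_keygrip() {
    awk -F: '
        $1 == "ssb" { want = index($12, "a") > 0; next }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# ensure_sshcontrol FILE KEYGRIP: append KEYGRIP to FILE unless a line already
# starts with it (sshcontrol lines begin with the keygrip). Returns 0 when the
# keygrip was added, 1 when it was already present.
ensure_sshcontrol() {
    file=$1; grip=$2
    if [ -f "$file" ] && grep -q "^[[:space:]]*$grip" "$file"; then
        return 1
    fi
    printf '%s\n' "$grip" >> "$file"
}

# Stand-alone demonstration against the constructed listing and a temp file.
demo() {
    tmp=$(mktemp)
    grip=$(printf '%s\n' "$SAMPLE_LISTING" | auth_keygrip)
    ensure_sshcontrol "$tmp" "$grip" && echo "added $grip" || echo "already present"
    ensure_sshcontrol "$tmp" "$grip" && echo "added $grip" || echo "already present"
    rm -f "$tmp"
}
demo
```

In a real setup replace SAMPLE_LISTING with the output of gpg -K --with-colons --with-keygrip and the temp file with ~/.gnupg/sshcontrol; gpg-agent only offers keys listed there (or added via ssh-add) to SSH.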