Migrating GPG keys to Linux for SSH login auth
Introduction
I REALLY wish I had a kick-ass graphic from the Back to the Future movies for Back to Linux. I spent most of my high school years running Linux, just because. Entering the business world, I needed an application called QuickBooks. This was way before the advent of SaaS, and QuickBooks was a desktop application, Windows only. Later on I did manage to go back to Linux, but being an aspiring photographer, I needed Windows again. I finally gave up and just went full-on Windows.
Now I'm back and loving it. I ditched Windows a few weeks ago. Prior to ditching Windows and creating this blog, I got some YubiKeys with the intent to authenticate to GitHub and my Linux server stacks via SSH. I'll be frank here, I don't understand all the details surrounding how this works.
Following This Article I was able to get this to work rather well. I could run git commit -m "message" and I'd be asked for my YubiKey PIN and to touch the key. Great! Now, moving to Linux (Ubuntu 20.04 specifically), I needed to get this same process to work, but I honestly had no idea how to move this over to Linux.
Reddit to the rescue
Most programmers use Stack Overflow. I prefer Reddit, as I've often found Stack Overflow to have a holier-than-thou approach to just about any question I've ever asked. So I went to Reddit and was quickly informed that indeed YubiKey doesn't support SSH, but you can leverage GPG for SSH. This is apparently what I was doing with my above setup on Windows.
After some great info from some Reddit users, I had to do a little more digging.
You can see my entire Reddit Post here.
So what did I do?
This is at your own risk, I’m NOT an expert on this!
First things first, export your keys from Kleopatra on Windows. This is easy: open up Kleopatra, highlight your keys (I have two, for two different YubiKeys; backups!), right click, then click Export. What you get is the public key material; the private keys live on the YubiKeys and never leave them, so this file is not a secret. Once the public keys are imported on Linux, gpg --card-status creates the secret-key stubs that point at the card. Save the file somewhere useful where you can get to it on Linux. In my case I dual boot and can access my Windows drive from Linux, so I just dumped them on the desktop (like everything else).
Boot into Linux:
- As Reddit suggests, we need to import the keys:
gpg --import < PATH-TO-KEYFILE
- Now we need to install some packages to get a card daemon:
sudo apt-get install pcscd scdaemon gnupg2 pcsc-tools -y
- Let's check and see if we see our keys:
gpg -k
You should see a few public keys and possibly the email address you used when setting these up on Windows.
- Now let's make sure the card is working:
gpg --card-status
You should see your card at this point, although you might need to reboot first. Running this also (re)creates the secret-key stubs that point at the card; gpg -K should then list the subkeys as ssb> (note the >), meaning the private part lives on the YubiKey, not on disk.
- Let's enable gpg-agent's SSH support. This was as simple as:
echo "use-agent" >> ~/.gnupg/gpg.conf
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
(On GnuPG 2.1 and later, use-agent is accepted but ignored; enable-ssh-support is the line that matters.)
- Find your YubiKey:
pcsc_scan -n
You're looking for the reader name ending in CCID 00 00, which may be different on your machine, but you'll need it for the next command:
echo "reader-port \"Yubico Yubikey NEO CCID 00 00\"" > ~/.gnupg/scdaemon.conf
(Note the single >: this overwrites any existing scdaemon.conf. scdaemon normally finds a lone YubiKey by itself, so this line mainly matters when more than one reader is attached.)
- Finally, reboot.
When you get back up and running, you should be able to do ssh username@serveraddress and ssh will prompt you for a PIN and to "touch" your YubiKey. If it asks for a password instead, check that SSH_AUTH_SOCK points at gpg-agent's SSH socket (compare it with gpgconf --list-dirs agent-ssh-socket) and that ssh-add -L lists the card's key. On Ubuntu, the gpg-agent package's Xsession script exports SSH_AUTH_SOCK for you once enable-ssh-support is in gpg-agent.conf, which is why a fresh login (the reboot) is needed before it works.
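The Linux-side steps above, collected into one re-runnable script. This is an added example, not the post's own commands or a Reddit user's script: it assumes GNUPGHOME defaults to ~/.gnupg, that the reader name is the "Reader N: ..." line pcsc_scan prints, and that the reader name is passed in rather than detected. The config writer is idempotent (the post's echo >> appends a duplicate line every time it is re-run), and the socket check is the first thing to run when ssh asks for a password instead of a PIN.

```shell
#!/bin/sh
# Added example (not the post's commands): the Linux-side YubiKey/GPG SSH setup
# as functions, so each step can be checked and the whole thing re-run safely.
# Assumptions (mine, not the post's): GNUPGHOME defaults to ~/.gnupg and the
# reader name comes from a "Reader N: ..." line as printed by pcsc_scan.
set -eu

GNUPGHOME="${GNUPGHOME:-${HOME:-}/.gnupg}"

# Append LINE to FILE only if it is not already there; keeps the file 0600.
ensure_line() {  # ensure_line FILE LINE
  file="$1"; line="$2"
  mkdir -p "$(dirname "$file")"
  touch "$file"
  chmod 600 "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Build the scdaemon.conf entry for a reader name such as
# "Yubico Yubikey NEO CCID 00 00".
reader_port_line() {  # reader_port_line "READER NAME"
  printf 'reader-port "%s"\n' "$1"
}

# Pull the first reader name out of pcsc_scan output read from stdin
# (lines look like "Reader 0: Yubico Yubikey NEO CCID 00 00").
first_reader() {
  sed -n 's/^Reader [0-9][0-9]*: //p' | head -n 1
}

# True when SSH_AUTH_SOCK is gpg-agent's SSH socket. If it still points at the
# stock ssh-agent or gnome-keyring, ssh never sees the card and asks for a password.
using_gpg_agent_socket() {  # using_gpg_agent_socket "$SSH_AUTH_SOCK" "$(gpgconf --list-dirs agent-ssh-socket)"
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Full run; only executed when invoked as: sh setup.sh run KEYFILE ["READER NAME"]
main() {
  [ $# -ge 1 ] || { echo "usage: $0 run KEYFILE [\"READER NAME\"]" >&2; exit 2; }
  keyfile="$1"
  reader="${2:-}"
  sudo apt-get install -y pcscd scdaemon gnupg2 pcsc-tools
  gpg --import "$keyfile"                      # public keys exported from Kleopatra
  ensure_line "$GNUPGHOME/gpg-agent.conf" "enable-ssh-support"
  if [ -n "$reader" ]; then                    # only needed with several readers
    ensure_line "$GNUPGHOME/scdaemon.conf" "$(reader_port_line "$reader")"
  fi
  gpg --card-status                            # also (re)creates the secret-key stubs
  gpgconf --kill gpg-agent                     # restart so gpg-agent.conf is re-read
  gpgconf --launch gpg-agent
  if using_gpg_agent_socket "${SSH_AUTH_SOCK:-}" "$(gpgconf --list-dirs agent-ssh-socket)"; then
    ssh-add -L                                 # should print the card's authentication key
  else
    echo "SSH_AUTH_SOCK is not gpg-agent's socket; log out and back in, then re-check" >&2
    exit 1
  fi
}

case "${1:-}" in
  run) shift; main "$@" ;;
esac
```

Run it as sh setup.sh run ~/Desktop/keys.asc "Yubico Yubikey NEO CCID 00 00" after the first boot into Linux; a second run changes nothing in the config files, and the final ssh-add -L is the check that the card key is what ssh will offer.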
This is a very edge case. I started this in Windows and needed to move my keys. I hope this might help somebody.
Awesome people who offered great assistance…
- jwaldrep on this Reddit post
- I also found this website hugely helpful! Yubikey-Link With GPG
Thank you both for your help!