Differences between revisions 6 and 7
Revision 6 as of 2016-04-27 11:06:22
Size: 4313
Editor: LucaCapello
Comment: add command to manually disable GNOME Keyring GPG/SSH agents
Revision 7 as of 2016-12-09 11:38:52
Size: 4581
Editor: LucaCapello
Comment: [udev] add comment about YubiKey type and merged .rules
The YubiKey 4 is a multi-purpose USB key produced by Yubico.

It can be used for 2-factor authentication (OTP, U2F, OATH and static password) and as a CCID smartcard (both PIV and OpenPGP); visit the Yubico product page for a full list of features and a comparison with previous versions.

udev

Up to jessie, to use the card as a non-root user, you need to add a line to /etc/udev/rules.d/99-yubikeys.rules to tell udev either

  • to give permissions to the plugdev group

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"

  • or to tag the device with uaccess (systemd then grants access, via an ACL on the device node, to the user logged in at the local seat)

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"

An even better configuration would be to merge the two lines into a single rule:

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev", TAG+="uaccess"
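A rule that is mistyped fails silently (the key simply stays root-only), and a rule that is too generous, such as MODE="0666", hands the token to every local process. The following linter is an added example, not code from this wiki page or from Yubico: it parses each rule into KEY/operator/value triples and checks that the rule matches the USB device with Yubico's vendor id 1050, grants access through either the plugdev group or the uaccess tag as described above, and does not make the device node world-writable. The checks themselves and the SAMPLE_RULES text are this example's own constructions.

```python
"""Lint a udev rules file for YubiKey entries before installing it under
/etc/udev/rules.d/. Added example, not code from the Debian wiki page;
the checks it applies are this example's own assumptions."""
import re

YUBICO_VENDOR_ID = "1050"  # USB vendor id used in the rules on this page

# One udev assignment: KEY or KEY{attr}, an operator, a double-quoted value,
# followed by a comma or the end of the line.
_TOKEN = re.compile(
    r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*(?:,|$)'
)


def parse_rule(line: str) -> list[tuple[str, str, str]]:
    """Split one rule into (key, operator, value) triples; ValueError on bad syntax."""
    tokens, pos = [], 0
    while pos < len(line):
        m = _TOKEN.match(line, pos)
        if m is None:
            raise ValueError(f"cannot parse {line[pos:]!r}")
        tokens.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return tokens


def lint_rule(line: str) -> list[str]:
    """Return the problems found in one rule; an empty list means it looks right."""
    problems = []
    tokens = parse_rule(line)
    matches = {(k, v) for k, op, v in tokens if op == "=="}

    # The rule must match the USB device itself, not some other subsystem.
    if not ({("SUBSYSTEMS", "usb"), ("SUBSYSTEM", "usb")} & matches):
        problems.append('no SUBSYSTEM(S)=="usb" match')

    # A wrong vendor id never matches the key, so the permission error persists.
    vendor = [v for k, op, v in tokens if k == "ATTRS{idVendor}" and op == "=="]
    if not vendor:
        problems.append("no ATTRS{idVendor} match")
    elif vendor != [YUBICO_VENDOR_ID]:
        problems.append(f"idVendor {vendor[0]} is not {YUBICO_VENDOR_ID} (Yubico)")

    # Access must be granted one of the two ways shown on the page.
    via_group = ("GROUP", "=", "plugdev") in tokens
    via_uaccess = ("TAG", "+=", "uaccess") in tokens
    if not (via_group or via_uaccess):
        problems.append("grants access via neither GROUP=plugdev nor TAG+=uaccess")

    # MODE=0666 lets every local user and process talk to the token.
    modes = [v for k, op, v in tokens if k == "MODE" and op == "="]
    for mode in modes:
        if mode.lstrip("0") == "666":
            problems.append(f'MODE="{mode}" makes the device node world-writable')
    return problems


def lint_file(text: str) -> dict[int, list[str]]:
    """Lint every rule in a rules file; map 1-based line number -> problems."""
    report = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no rule
        try:
            problems = lint_rule(line)
        except ValueError as exc:
            problems = [f"syntax error: {exc}"]
        if problems:
            report[lineno] = problems
    return report


# Constructed sample: the page's merged rule followed by two rules worth flagging.
SAMPLE_RULES = """\
# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev", TAG+="uaccess"
# vendor id typo: this rule never matches the key
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1005", ATTRS{idProduct}=="0407", TAG+="uaccess"
# MODE=0666 is a common shortcut, but every local user and process can then reach the token
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", MODE="0666"
"""

if __name__ == "__main__":
    for lineno, problems in sorted(lint_file(SAMPLE_RULES).items()):
        for problem in problems:
            print(f"line {lineno}: {problem}")
```

Run it on the real file with `lint_file(open("/etc/udev/rules.d/99-yubikeys.rules").read())`; an empty report means every rule matches the key and grants access only to the plugdev group or the seated user. After editing the file, `udevadm control --reload` and replugging the key is still needed for the rule to take effect.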

Configuration

Yubico develops various software to access the key, among them:

OTP

The key does not have a battery, so for TOTP you need an external tool:

  • yubikey-totp to generate a TOTP code from a secret stored on the key.
    • you need at least the version in stretch, i.e. 1.3.1-1
  • Yubico Authenticator to generate OATH-HOTP and OATH-TOTP one-time password codes from secrets protected by the key

PIV

Check also Debian SSO (Single Sign-On) with a YubiKey.

OpenPGP

Various interesting HowTos, especially useful if you are new to OpenPGP subkeys:

Needed packages

To access the card you need GnuPG, the version in wheezy is fine for signing/encrypting.

However, if you want to use 4096-bit RSA keys, you need GnuPG 2.x, with the corresponding gpg-agent and scdaemon, at least the version in wheezy-backports, i.e. 2.0.25-1~bpo70+1.

GNOME Keyring

Please note that you need at least gnome-keyring 3.16.0-3 which disables the internal gpg-agent and relies on pinentry-gnome/gnupg-agent instead, see 773304.

For previous gnome-keyring versions, you should manually disable the internal gpg-agent and ssh-agent (if needed), see 623539:

$ mkdir -p ~/.config/autostart
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-gpg.desktop - \
  >>~/.config/autostart/gnome-keyring-gpg.desktop
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-ssh.desktop - \
  >>~/.config/autostart/gnome-keyring-ssh.desktop

OpenSSH authentication

This works out-of-the-box on wheezy with GnuPG Agent and the corresponding scdaemon. You need to configure:

  • GnuPG to use the agent, in ~/.gnupg/gpg.conf:

use-agent

  • GnuPG Agent to also act as an SSH agent, in ~/.gnupg/gpg-agent.conf:

enable-ssh-support

Once the agent has started and the key is plugged in, you can check whether its authentication key has been added to the agent with the ssh-add -l command, and then export the public key with the ssh-add -L command.

However, if you use GNOME Keyring, read this note.

License

This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.