Here I’d like to share instructions how to use YubiKey for storing SSH keys with Linux and Chromebook (via embedded Linux). Recently I got myself a small Chromebook to be able to do emergency support on the go. Hence I decided to expand on my earlier post how to use YubiKey for SSH under Windows with detailed instructions for Linux and Chrome OS.
I will first describe specific steps needed for SSH with YubiKey to work on Linux in general and then will share specific instructions for Chrome OS.
Table of Contents
Required Software
I tested these instructions on Ubuntu 18.04, Ubuntu 20.04, Debian 10 and Debian 11.
I was using base versions of these OS’s, so it had gpg packages pre-installed. On top of that we need scdaemon, which could be installed as easily as:
sudo apt update
sudo apt install scdaemonUse then
gpg --card-statuscommand to verify that the card is visible.
Finally, if you are looking to set up SSH key on YubiKey using Linux, you would need Kleopatra which can be obtained from here: https://apps.kde.org/kleopatra/
Preparing YubiKey
Preparing YubiKey under Linux is essentially no different than doing it under Windows, so just follow steps 3 and 4 of my post describing YubiKey for SSH under Windows.
Now, if you already have YubiKey prepared under another Windows or Linux system, all you need to do is export public key from Kleopatra on that machine. To perform an export, in Kleopatra double click certificate and click “Export…” on the bottom.
Next, transfer obtained public key to your new Linux machine. Let’s assume the key is copied in a file called public_key_file. Then you need to import it using the following command:
gpg --import < public_key_fileSetting Up SSH with YubiKey
Next we will need to create a file at ~/.gnupg/gpg-agent.conf with the content
enable-ssh-supportAfter that add following 2 lines to ~/.bashrc (or its alternative you may be using):
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agentAlso, the following command is useful here if you need to extract SSH public key from this setup to distribute to the target host:
ssh-add -LThese steps are actually enough to make YubiKey work in GUI mode. But we’ll need few more things to be able to unlock it in pure terminal mode with no GUI.
Terminal Mode
Specifically on Chrome OS – and in some other scenarios – having GUI is not an option. To make YubiKey unlock logic work in the terminal we need to add additional lines in ~/.bashrc :
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /byeAnd that is pretty much it.
Chrome OS Specifics
In this section I’ll list few extra steps how to make all this work on Chromebooks.
First, we need to enable embedded Linux environment on Chromebook. This can be done via Settings -> Advanced -> Developers -> Linux development environment. This would install Debian system, currently Debian 11 Bullseye.
Note, that while you can make it also work under Crouton, I didn’t see any benefit in using Crouton relative to embedded environment. So I do not recommend Crouton here.
Once embedded Linux is installed, Chrome OS will create a special folder called “Linux files” where we can copy our gpg public key (exported from Kleopatra). After that we should see the public key file from home folder in embedded Linux and import it from there as described above.
Next, to make YubiKey visible to Linux, we need to explicitly enable YubiKey device sharing every time we insert it. I know that is a nuisance – which hopefully would be improved in future versions of Chrome OS – but I can live with that for now. To enable YubiKey for Linux, go to Settings -> Advanced -> Developers -> Linux development environment -> Manage USB devices and toggle selector for YubiKey.
These are all steps specific to Chrome OS. The rest should be the same as for other Linux environments, with the caveat that we have to use Terminal (no-GUI) mode on Chromebooks.
References
Here are resources that helped me in preparing this post:
- https://www.reddit.com/r/yubikey/comments/k1fqk8/migrating_ssh_configurations_to_linux_better/gdphelt/
- https://opensource.com/article/19/4/gpg-subkeys-ssh
- https://developer.okta.com/blog/2021/07/07/developers-guide-to-gpg
As usual for any questions, you can find me on DevOps Community.
1 comment