YubiKey for SSH on Linux and Chromebook

Here I’d like to share instructions how to use YubiKey for storing SSH keys with Linux and Chromebook (via embedded Linux). Recently I got myself a small Chromebook to be able to do emergency support on the go. Hence I decided to expand on my earlier post how to use YubiKey for SSH under Windows with detailed instructions for Linux and Chrome OS.

I will first describe specific steps needed for SSH with YubiKey to work on Linux in general and then will share specific instructions for Chrome OS.

Required Software

I tested these instructions on Ubuntu 18.04, Ubuntu 20.04, Debian 10 and Debian 11.

I was using base versions of these OS’s, so it had gpg packages pre-installed. On top of that we need scdaemon, which could be installed as easily as:

sudo apt update
sudo apt install scdaemon

Use then

gpg --card-status

command to verify that the card is visible.

Finally, if you are looking to set up SSH key on YubiKey using Linux, you would need Kleopatra which can be obtained from here: https://apps.kde.org/kleopatra/

Preparing YubiKey

Preparing YubiKey under Linux is essentially no different than doing it under Windows, so just follow steps 3 and 4 of my post describing YubiKey for SSH under Windows.

Now, if you already have YubiKey prepared under another Windows or Linux system, all you need to do is export public key from Kleopatra on that machine. To perform an export, in Kleopatra double click certificate and click β€œExport…” on the bottom.

Next, transfer obtained public key to your new Linux machine. Let’s assume the key is copied in a file called public_key_file. Then you need to import it using the following command:

gpg --import < public_key_file

Setting Up SSH with YubiKey

Next we will need to create a file at ~/.gnupg/gpg-agent.conf with the content

enable-ssh-support

After that add following 2 lines to ~/.bashrc (or its alternative you may be using):

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

Also, the following command is useful here if you need to extract SSH public key from this setup to distribute to the target host:

ssh-add -L

These steps are actually enough to make YubiKey work in GUI mode. But we’ll need few more things to be able to unlock it in pure terminal mode with no GUI.

Terminal Mode

Specifically on Chrome OS – and in some other scenarios – having GUI is not an option. To make YubiKey unlock logic work in the terminal we need to add additional lines in ~/.bashrc :

export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye

And that is pretty much it.

Chrome OS Specifics

In this section I’ll list few extra steps how to make all this work on Chromebooks.

First, we need to enable embedded Linux environment on Chromebook. This can be done via Settings -> Advanced -> Developers -> Linux development environment. This would install Debian system, currently Debian 11 Bullseye.

Note, that while you can make it also work under Crouton, I didn’t see any benefit in using Crouton relative to embedded environment. So I do not recommend Crouton here.

Once embedded Linux is installed, Chrome OS will create a special folder called “Linux files” where we can copy our gpg public key (exported from Kleopatra). After that we should see the public key file from home folder in embedded Linux and import it from there as described above.

Next, to make YubiKey visible to Linux, we need to explicitly enable YubiKey device sharing every time we insert it. I know that is a nuisance – which hopefully would be improved in future versions of Chrome OS – but I can live with that for now. To enable YubiKey for Linux, go to Settings -> Advanced -> Developers -> Linux development environment -> Manage USB devices and toggle selector for YubiKey.

These are all steps specific to Chrome OS. The rest should be the same as for other Linux environments, with the caveat that we have to use Terminal (no-GUI) mode on Chromebooks.

References

Here are resources that helped me in preparing this post:

As usual for any questions, you can find me on DevOps Community.

1 comment

Leave a comment

Your email address will not be published.