
Merge branch 'yubikey-notes' of kemonine/docs into master

pull/117/head
KemoNine 2 months ago
parent commit a2890824aa
1 changed files with 181 additions and 0 deletions
advanced/yubikey_notes.md

@@ -0,0 +1,181 @@
+# Yubikey 4 Setup
+
+This guide assumes you have an existing GPG key generated and saved as an asc file. There are ways to have the Yubikey 4 generate the GPG private key but for our needs we generate the GPG keys ahead of Yubikey setup using tails and keep the secret key material on encrypted disks as much as possible.
+
+# Reset The Yubikey
+
+## Reset Main Slot Configuration
+
+Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) and delete the configuration for ALL of the Yubikey's slots.
+
+``` bash 
+
+sudo apt install yubikey-personalization-gui
+
+```
+
+## Reset GPG Configuration
+
+``` bash
+
+gpg-connect-agent
+/hex
+scd serialno
+scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+scd apdu 00 e6 00 00
+scd apdu 00 44 00 00
+/echo Card has been successfully reset.
+/bye
+
+# Unplug / plug back in to ensure fully reset
+gpg --card-status # Should show blank card
+
+```
+
+# Basic Slot Setup
+
+Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) and setup the Yubikey OTP 2FA in Slot 1. Leave Slot 2 non-configured. You may need/want to set this up later but it's outside the scope of this document.
+
+``` bash
+
+sudo apt install yubikey-personalization-gui
+
+```
+
+# GPG Setup
+
+Make sure you have ```gpg2``` and ```scdaemon``` installed before doing anything further.
+
+## Setup Yubikey For GPG
+
+- [https://developers.yubico.com/PGP/Card_edit.html](https://developers.yubico.com/PGP/Card_edit.html)
+
+``` bash
+
+gpg --card-status # Shouldn't show anything useful
+gpg --card-edit
+admin
+passwd
+    1
+        123456
+    3
+        12345678
+    q
+name
+lang
+    en
+url
+    https://lollipopcloud.solutions/gpg/lc_keys/kemonine.pub
+login
+    kemonine
+quit
+gpg --card-status
+
+```
+
+
+## Import GPG Keys
+
+Remember: we pre-generate GPG keys for people. They need to be imported before setting up the Yubikey.
+
+- [https://developers.yubico.com/PGP/Importing_keys.html](https://developers.yubico.com/PGP/Importing_keys.html)
+
+``` bash
+
+gpg --import kemonine.asc 
+gpg --list-keys --keyid-format LONG
+gpg --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
+trust
+    5
+    y
+    save
+gpg --card-status
+gpg --expert --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
+toggle
+keytocard
+    y
+    1
+keytocard
+    y
+    3
+key 1
+keytocard
+    2
+key 1
+key 2
+keytocard
+quit
+    y
+gpg --card-status
+gpg --list-secret-keys
+# Unplug Yubikey
+gpg --list-secret-keys
+
+```
+
+# Setup Git GPG Signing
+
+- [https://kemonine.info/post/2017/12/signed-git-commits/](https://kemonine.info/post/2017/12/signed-git-commits/)
+
+``` bash
+
+gpg --list-secret-keys --keyid-format LONG
+# Look for something like: rsa4096/9D79FBF661EC6779 the part after the / is the key id to use with git
+# cd to git project
+git config commit.gpgsign true
+git config user.signingkey [Your Key ID]
+# Add key to gitea / gitlab -- the contents of kemonine.pub are what you put into the gitea instance
+
+````
+
+# SSH Auth with GPG Key
+
+- [https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)
+- [https://kemonine.info/post/2017/12/gpg---ssh-auth/](https://kemonine.info/post/2017/12/gpg---ssh-auth/)
+- [https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)
+- [https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh](https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh)
+- [https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh](https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh)
+- [https://mlohr.com/gpg-agent-ssh-gnome/](https://mlohr.com/gpg-agent-ssh-gnome/)
+
+``` bash
+
+apt install pinentry-curses
+
+```
+
+``` bash
+
+ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg-agent.conf 
+enable-ssh-support
+pinentry-program /usr/bin/pinentry-curses
+default-cache-ttl 60
+max-cache-ttl 120
+
+```
+
+``` bash
+
+ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg.conf 
+personal-digest-preferences SHA256
+cert-digest-algo SHA512
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
+
+```
+
+``` bash
+
+ubuntu@ubuntu ~ $ cat .bashrc # append this to the bottom
+export GPG_TTY="$(tty)"
+export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+gpg-connect-agent updatestartuptty /bye
+
+```
+
+
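Review bot: the `passwd` step in the "Setup Yubikey For GPG" block sets PIN 1 (user) to `123456` and PIN 3 (admin) to `12345678`, which are exactly the OpenPGP factory defaults that the reset block just restored, so a reader who types the block literally finishes the procedure with a card still protected by default PINs. Show those two values as placeholders (`<new-user-pin>` / `<new-admin-pin>`) and state the constraints in the prose: user PIN at least 6 characters, admin PIN at least 8, and the two should differ. Three smaller points in the same hunk: the `.bashrc` snippet hard-codes `SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`, which only holds on systems where gpg-agent relocates its sockets under `/run/user`, whereas `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"` resolves the right path on any GnuPG 2.1+ install; the link list under "SSH Auth with GPG Key" repeats the Yubico SSH_authentication entry and the dainnilsson gpg.sh entry; and the "Setup Git GPG Signing" block closes with four backticks where every other block on the page uses three (harmless in CommonMark, but inconsistent). One sentence before the `keytocard` block would also help: `keytocard` moves the private key onto the card, and answering `y` at `quit` writes card stubs (shown as `sec>`/`ssb>` in `gpg --list-secret-keys`) over the on-disk secret keys, so the encrypted backup the intro refers to must exist before that block is run.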
