I would like to use my Yubikey's OpenPGP interface to authenticate myself against my OpenSSH server on my Windows 10 computer as showcased here.
I had created the keys according to the documentation.
gpg --card-status
would return the following:
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 0
Application ID ...: BEEFBEEFBEEFBEEFBEEFBEEF99990000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 99999999
Name of cardholder: John Doe
Language prefs ...: en
Sex ..............: male
URL of public key : https://example.com/pgp.asc
Login data .......: johndoe
Signature PIN ....: required
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 39
Signature key ....: BEEF BEEF BEEF BEEF BEEF BEEF BEEF BEEF BEEF 0001
created ....: 2017-11-20 00:00:01
Encryption key....: BEEF BEEF BEEF BEEF BEEF BEEF BEEF BEEF BEEF 0002
created ....: 2017-11-20 00:00:02
Authentication key: BEEF BEEF BEEF BEEF BEEF BEEF BEEF BEEF BEEF 0003
created ....: 2017-11-20 00:00:03
General key info..: pub rsa4096/BEEFBEEFBEEF0001 2017-11-20 John Doe <john@example.com>
sec> rsa4096/BEEFBEEFBEEF0001 created: 2017-11-20 expires: never
Cardnumber:BEEF BEEF9999
ssb> rsa4096/BEEFBEEFBEEF0002 created: 2017-11-20 expires: never
Cardnumber:BEEF BEEF9999
ssb> rsa4096/BEEFBEEFBEEF0003 created: 2017-11-20 expires: never
Cardnumber:BEEF BEEF9999
Now the blackhole rises. As mentioned in the showcase documentation, PuTTY should work right out of the box. Yeah right, I thought, but I gave it a try. Of course it will not work since the OpenSSH server does not know the public part of the authentication key. What a surprise.
However, I extracted the required OpenSSH compatible fingerprint to put in .ssh/authorized_keys:
gpg --export-ssh-key BEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEF0003
The result was an OpenSSH compatible fingerprint with the following comment:
ssh-rsa [...omitted...] openpgp:0xBEEF0003
I reinserted the Yubikey, restarted the gpg-agent and retried to log in to my OpenSSH server. It also didn't work out.
So I googled again and found another tutorial to use Yubikey as SSH authentication.
I set it up the way McQueen Labs recommend, but this also did not work out for me.
There were not any prompts for the card PIN or error messages besides "No supported authentication methods available (server sent: publickey)".
This makes me think that either this kind of SSH authentication is not done by publickey method (which I find less likely) or there is configuration missing.
Which brings me to my question: How to set up PuTTY to use Yubikey OpenPGP authentication? And what to configure on the server side?
Edit: The Yubikey OpenPGP interface works well with Git commits, etc. But I am not able to use it for SSH authentication.
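One concrete check for the step the question describes (does the key that the agent offers actually match an entry in the server's authorized_keys?), written here as an added Python example; it is not from the question, GnuPG or PuTTY. The RSA parameters and the authorized_keys text are constructed for the example; the comment "openpgp:0xBEEF0003" mirrors the export shown above.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def make_rsa_pubkey_line(n: int, e: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line (same shape as gpg --export-ssh-key)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def split_key_line(line: str):
    """Return (type, base64 blob, comment) for a public-key line, tolerating a leading options field."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith("ssh-") or f.startswith("ecdsa-"):
            return f, fields[i + 1], " ".join(fields[i + 2:])
    raise ValueError("no public key found on line")

def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l and sshd log lines use: SHA256:<unpadded base64>."""
    _, b64, _ = split_key_line(line)
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_authorized_entry(exported_line: str, authorized_keys_text: str):
    """Comment of the authorized_keys entry whose key matches the exported key, or None if absent."""
    wanted = fingerprint(exported_line)
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and fingerprint(line) == wanted:
            return split_key_line(line)[2]
    return None

# Constructed sample data: the moduli below are arbitrary numbers, not real RSA keys.
EXPORTED_KEY = make_rsa_pubkey_line((1 << 2047) | 0x10001, 65537, "openpgp:0xBEEF0003")
OTHER_KEY = make_rsa_pubkey_line((1 << 2047) | 0x12345, 65537, "openpgp:0xBEEF0002")
AUTHORIZED_KEYS = f"# constructed authorized_keys\n{OTHER_KEY}\nfrom=\"10.0.0.0/8\" {EXPORTED_KEY}\n"

if __name__ == "__main__":
    print("key offered by agent:", fingerprint(EXPORTED_KEY))
    print("matching server entry:", find_authorized_entry(EXPORTED_KEY, AUTHORIZED_KEYS))
```

The fingerprint is computed over the key blob only, so a differing comment (the "openpgp:0x..." suffix) never causes a mismatch; run the same function over the real export and the real authorized_keys to rule out a wrong or missing entry before looking at the agent side.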
I just realized I had KeePass with the KeeAgent plugin competing with gpg-agent for PuTTY credential requests. I grew suspicious when the KeePass password window popped up after opening PuTTY... So double check and make sure you don't have any other Pageant running in the background. Working fine for me after disabling the KeeAgent plugin. – baloan – 2018-04-04T16:13:54.233
No KeePass running on the machine. But thanks for the hint. And with Pageant, I have tested both states. – burnersk – 2018-04-05T04:55:45.530
I noted a difference in behaviour after adding the C:\Program Files (x86)\GnuPG\bin and C:\Program Files\PuTTY directories to the PATH. – baloan – 2018-04-06T11:27:08.597