
YubiKey 4 GPG and SSH Configuration

2022-04-04  971 words  4 min read

Use your YubiKey as a GPG smart card, and set up passwordless SSH login at the same time.

GPG and SSH keys can both be kept on the local disk, so why use a YubiKey 4?

  1. It prevents the keys from being copied: a key stored on the YubiKey 4 cannot be extracted from it.
  2. It prevents programs from silently using your key: the YubiKey 4 asks for a touch to confirm each use.

Preparation

First, insert your YubiKey and type gpg --edit-card in a terminal.

PS C:\Users\Cody> gpg --edit-card

Reader ...........: Yubico Yubikey 4 OTP U2F CCID 0
Application ID ...: D2760001240100000006113831790000
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: 11383179
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
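The header above can be checked mechanically rather than by eye. The following Python script is an added example, not code from the post or from Yubico: it parses the gpg card header (a constructed copy of the output above) and reports the state a defender wants to know before relying on the card, in particular whether the UIF touch-to-confirm policy that the introduction relies on is actually on, whether any PIN is blocked, whether a reset code exists, and which key slots are still empty.

```python
import re

# Constructed sample: the card header that gpg --edit-card printed in the post
# above (some lines omitted for brevity).
SAMPLE_CARD_STATUS = """\
Serial number ....: 11383179
Name of cardholder: [not set]
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
"""

# "Label ....: value" -- the label is padded with dots up to the colon.
FIELD_RE = re.compile(r"^(.+?)\s*\.*\s*:\s?(.*)$")

def parse_card_status(text):
    """Turn the gpg card header into a {label: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_card(fields):
    """Return human-readable findings about the card's current state."""
    findings = []
    # UIF (touch to confirm) is what stops software using the key silently;
    # the post's own output shows it is off by default.
    for slot, state in re.findall(r"(\w+)=(\w+)", fields.get("UIF setting", "")):
        if state == "off":
            findings.append(f"touch confirmation (UIF) is off for {slot}")
    # Counters are: user PIN retries, reset-code retries, admin PIN retries.
    retries = fields.get("PIN retry counter", "").split()
    if len(retries) == 3 and all(r.isdigit() for r in retries):
        user, reset, admin = (int(r) for r in retries)
        if user == 0 or admin == 0:
            findings.append("a PIN is blocked (retry counter is 0)")
        if reset == 0:
            findings.append("no reset code set (reset-code retry counter is 0)")
    # An empty slot means keytocard has not been run for that key yet.
    for slot in ("Signature key", "Encryption key", "Authentication key"):
        if fields.get(slot, "[none]") == "[none]":
            findings.append(f"{slot} slot is empty")
    return findings
```

Feed it the real output of gpg --card-status after the keytocard step below and the empty-slot findings should disappear, while the UIF findings stay until the touch policy is switched on.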

We first need to change the card's PIN and PUK. Type admin to enable administrator commands.

gpg/card> admin
Admin commands are allowed

Then enter 1 to change the card's PIN, and 3 to change the card's PUK.

The default PIN is 123456, and the default PUK is 12345678.

Generating a GPG key

gpg --expert --full-generate-key

You can choose a key length of 4096. Press Enter through the remaining prompts, and when asked Is this correct? (y/N), enter y.

Then enter your own details as prompted.

GnuPG needs to construct a user ID to identify your key.

Real name: CodyNotFound
Email address: yizhao666@qq.com
Comment:
You selected this USER-ID:
    "CodyNotFound <yizhao666@qq.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Enter O to confirm, then type a passphrase twice to protect your key.

public and secret key created and signed.

pub   rsa4096 2022-01-01 [SC]
      CC9A3F62740586D663F2B919DF5DD93A2D42DAE3
uid           [ultimate] CodyNotFound <yizhao666@qq.com>
sub   rsa4096 2022-01-01 [E]

Backing up the GPG key

Back up the public key:

gpg -o publickey -a --export CC9A3F62740586D663F2B919DF5DD93A2D42DAE3

Back up the private key:

gpg -o privatekey -a --export-secret-keys CC9A3F62740586D663F2B919DF5DD93A2D42DAE3

Back up the secret subkeys:

gpg -o privatesubkey -a --export-secret-subkeys CC9A3F62740586D663F2B919DF5DD93A2D42DAE3

Back up a revocation certificate:

gpg -o revocationcert -a --gen-revoke CC9A3F62740586D663F2B919DF5DD93A2D42DAE3

Moving the GPG key onto the YubiKey

This step is irreversible! Back up your GPG key first.

gpg --expert --edit-key CC9A3F62740586D663F2B919DF5DD93A2D42DAE3

Use key 0 to select the first key, key 1 for the next one, and so on. A selected key is marked with an asterisk. If nothing is selected, the primary key is used by default.

sec  rsa4096/DF5DD93A2D42DAE3
     created: 2022-01-01  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/2CFE502BC36C1B28
     created: 2022-01-01  expires: never       usage: E   
[ultimate] (1). CodyNotFound <yizhao666@qq.com>

Type keytocard to move the selected key to the card.

sec  rsa4096/DF5DD93A2D42DAE3
     created: 2022-01-01  expires: never       usage: SC  
     card-no: 0006 11383179
     trust: ultimate      validity: ultimate
ssb  rsa4096/2CFE502BC36C1B28
     created: 2022-01-01  expires: never       usage: E   
     card-no: 0006 11383179
[ultimate] (1). CodyNotFound <yizhao666@qq.com>

Once the transfer is complete, the card number is shown next to the key. From then on, whenever the key is needed you will be asked for the card's PIN.

Passwordless SSH login with GPG

Unfortunately, gpg4win does not work with OpenSSH out of the box; you need another program to bridge the two.

First download wsl-ssh-pageant-amd64-gui.exe from GitHub and put it anywhere you like; a path without Chinese characters is recommended.

Edit C:\Users\Cody\AppData\Roaming\gnupg\gpg-agent.conf and add the line enable-putty-support.

Then restart gpg-agent.exe:

gpg-connect-agent killagent /bye
gpg-connect-agent /bye

Then start wsl-ssh-pageant-amd64-gui.exe:

"D:\Program Files\ssh-agent\wsl-ssh-pageant-amd64-gui.exe" --winssh ssh-pageant

Point OpenSSH's authentication socket at the named pipe:

$Env:SSH_AUTH_SOCK="\\.\pipe\ssh-pageant"

Finally run ssh-add -L; if it prints a public key, the setup works.

ssh-rsa *** cardno:11383179

Adding the SSH key to GitHub

PS C:\Users\Cody> ssh -T git@github.com
Hi CodyNotFound! You've successfully authenticated, but GitHub does not provide shell access.

Starting at logon

This script comes from 人间实验室, with slight modifications.

# Persist SSH_AUTH_SOCK for this user so every new shell picks up the pipe
[Environment]::SetEnvironmentVariable('SSH_AUTH_SOCK', '\\.\pipe\ssh-pageant', [EnvironmentVariableTarget]::User)

# Both tasks run as the current user at logon, including on battery power
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$principal = New-ScheduledTaskPrincipal -LogonType Interactive -UserId $user
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $user
$setting_set = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Task 1: start gpg-agent (gpg-connect-agent launches it if it is not running)
$gpg_agent = "gpgAgent"
$gpg_agent_action = New-ScheduledTaskAction -Execute "gpg-connect-agent.exe" -Argument "/bye"
$gpg_agent_td = New-ScheduledTask -Action $gpg_agent_action -Principal $principal -Trigger $trigger -Settings $setting_set
Register-ScheduledTask -TaskName $gpg_agent -InputObject $gpg_agent_td
Start-ScheduledTask -TaskName $gpg_agent

# Task 2: start wsl-ssh-pageant, which exposes gpg-agent's Pageant support on \\.\pipe\ssh-pageant
$wsl_ssh_pagent = "sshPageant"
$wsl_ssh_pagent_action = New-ScheduledTaskAction -Execute "D:\Program Files\ssh-agent\wsl-ssh-pageant-amd64-gui.exe" -Argument "--winssh ssh-pageant"
$wsl_ssh_pagent_td = New-ScheduledTask -Action $wsl_ssh_pagent_action -Principal $principal -Trigger $trigger -Settings $setting_set
Register-ScheduledTask -TaskName $wsl_ssh_pagent -InputObject $wsl_ssh_pagent_td
Start-ScheduledTask -TaskName $wsl_ssh_pagent

  • Author: CodyNotFound
  • Link: YubiKey 4 GPG and SSH Configuration
  • License: Unless otherwise stated, all articles on this blog are licensed under CC BY-ND 4.0. Please credit the source when reposting.
  • Published: 2022-04-04
  • Updated: 2022-07-14