# Using a YubiKey as your GPG smartcard and setting up passwordless SSH login
GPG and SSH keys can both be stored locally, so why use a YubiKey 4?

- It prevents the key from being copied: a key stored on the YubiKey 4 cannot be exported from it.
- It prevents programs from silently using your key: the YubiKey 4 requires a touch to confirm each use.
## Preparation

First insert your YubiKey, then run `gpg --edit-card` in a terminal:

```powershell
PS C:\Users\Cody> gpg --edit-card
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 0
Application ID ...: D2760001240100000006113831790000
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: 11383179
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card>
```
We first need to change the card's PIN and PUK. Enter `admin` to allow administrator commands:

```powershell
gpg/card> admin
Admin commands are allowed
```

Then enter `1` to change the card's PIN and `3` to change the card's PUK. The default PIN is `123456` and the default PUK is `12345678`.
## Generating a GPG key

```bash
gpg --expert --full-generate-key
```

You can choose a key length of 4096. Press Enter through the prompts until `Is this correct? (y/N)`, answer `y`, and then fill in your details as prompted:

```powershell
GnuPG needs to construct a user ID to identify your key.
Real name: CodyNotFound
Email address: yizhao666@qq.com
Comment:
You selected this USER-ID:
"CodyNotFound <yizhao666@qq.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
O
```

Confirm with `O`, then enter a passphrase twice to encrypt your key:

```powershell
public and secret key created and signed.
pub rsa4096 2022-01-01 [SC]
CC9A3F62740586D663F2B919DF5DD93A2D42DAE3
uid [ultimate] CodyNotFound <yizhao666@qq.com>
sub rsa4096 2022-01-01 [E]
```
## Backing up the GPG key

Back up the public key:

```bash
gpg -o publickey -a --export CC9A3F62740586D663F2B919DF5DD93A2D42DAE3
```

Back up the private key:

```bash
gpg -o privatekey -a --export-secret-keys CC9A3F62740586D663F2B919DF5DD93A2D42DAE3
```

Back up the secret subkeys (this uses `--export-secret-subkeys`, which exports only the subkeys rather than the whole secret key again):

```bash
gpg -o privatesubkey -a --export-secret-subkeys CC9A3F62740586D663F2B919DF5DD93A2D42DAE3
```

Back up a revocation certificate:

```bash
gpg -o revocationcert -a --gen-revoke CC9A3F62740586D663F2B919DF5DD93A2D42DAE3
```
## Importing the GPG key into the YubiKey

This step is irreversible!!! Back up your GPG key first.

```bash
gpg --expert --edit-key CC9A3F62740586D663F2B919DF5DD93A2D42DAE3
```

Use `key 0` to select the first key, and so on; a selected key is marked with an asterisk. If nothing is selected, the primary key is used by default:

```powershell
sec rsa4096/DF5DD93A2D42DAE3
created: 2022-01-01 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/2CFE502BC36C1B28
created: 2022-01-01 expires: never usage: E
[ultimate] (1). CodyNotFound <yizhao666@qq.com>
```

Enter `keytocard` to move the key onto the card:

```powershell
sec rsa4096/DF5DD93A2D42DAE3
created: 2022-01-01 expires: never usage: SC
card-no: 0006 11383179
trust: ultimate validity: ultimate
ssb rsa4096/2CFE502BC36C1B28
created: 2022-01-01 expires: never usage: E
card-no: 0006 11383179
[ultimate] (1). CodyNotFound <yizhao666@qq.com>
```

Once the import finishes, the card serial number is shown next to each key, and from now on you will be asked for the card's PIN whenever authentication is needed.
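The `gpg --edit-card` output at the top of this post shows `UIF setting ......: Sign=off Decrypt=off Auth=off` and `PIN retry counter : 3 0 3`, so the touch confirmation the introduction relies on is a per-slot setting worth checking before trusting the card for SSH. The following is an added example, not code from the post: it parses the `Label ....: value` lines of `gpg --card-status` and reports empty key slots, locked PINs and slots without touch confirmation. The sample text is constructed from the post's own output.

```python
import re

# Constructed sample: the card status from the post, trimmed to the lines we inspect.
SAMPLE_STATUS = """\
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 0
Serial number ....: 11383179
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 3 0 3
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
"""

# Label, optional padding dots, colon, value. The label is matched lazily so the
# first colon on the line ends it; values never contain a colon in this format.
_LINE = re.compile(r"^\s*(.+?)\s*\.*\s*:\s*(.*)$")


def parse_card_status(text):
    """Map each 'Label ....: value' line of gpg --card-status to {label: value}."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_card(fields):
    """Return the findings a defender would act on before relying on the card."""
    findings = []
    # Counters are: user PIN, reset code, admin PIN. The reset code counter is 0
    # when no reset code has been set, so only the user and admin PINs are checked.
    pin, _reset, admin = (int(x) for x in fields["PIN retry counter"].split())
    if pin == 0 or admin == 0:
        findings.append("a PIN is locked (retry counter 0)")
    # UIF is the touch policy per slot; SSH uses the Auth slot, git signing uses Sign.
    uif = dict(kv.split("=", 1) for kv in fields["UIF setting"].split())
    for slot in ("Sign", "Auth"):
        if uif.get(slot) != "on":
            findings.append(f"touch confirmation off for {slot}")
    for slot in ("Signature key", "Encryption key", "Authentication key"):
        if fields.get(slot, "[none]") == "[none]":
            findings.append(f"{slot} slot is empty")
    return findings


if __name__ == "__main__":
    for finding in audit_card(parse_card_status(SAMPLE_STATUS)):
        print("WARN:", finding)
```

On a real machine, feed it the live output with `parse_card_status(subprocess.run(["gpg", "--card-status"], capture_output=True, text=True).stdout)`.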
## Passwordless SSH login with GPG

Unfortunately gpg4win does not work with OpenSSH out of the box; you need the help of another application.

First download `wsl-ssh-pageant-amd64-gui.exe` from GitHub and put it anywhere (a path without Chinese characters is recommended).

Edit `C:\Users\Cody\AppData\Roaming\gnupg\gpg-agent.conf` and add `enable-putty-support`, then restart `gpg-agent.exe`:

```bash
gpg-connect-agent killagent /bye
gpg-connect-agent /bye
```

Then start `wsl-ssh-pageant-amd64-gui.exe`:

```bash
"D:\Program Files\ssh-agent\wsl-ssh-pageant-amd64-gui.exe" --winssh ssh-pageant
```

Point OpenSSH's authentication pipe at it:

```powershell
$Env:SSH_AUTH_SOCK="\\.\pipe\ssh-pageant"
```

Finally, run `ssh-add -L`; if the public key is listed, it worked:

```powershell
ssh-rsa *** cardno:11383179
```

### Putting the SSH key on GitHub

Add the SSH key to GitHub, then test with `ssh -T git@github.com`:

```powershell
PS C:\Users\Cody> ssh -T git@github.com
Hi CodyNotFound! You've successfully authenticated, but GitHub does not provide shell access.
```
## Starting at login

This script comes from 人间实验室, with minor changes:

```powershell
# Make the agent pipe the default for every OpenSSH client run by this user.
[Environment]::SetEnvironmentVariable('SSH_AUTH_SOCK', '\\.\pipe\ssh-pageant', [EnvironmentVariableTarget]::User)

# Both tasks run as the current user at interactive logon, also on battery power.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$principal = New-ScheduledTaskPrincipal -LogonType Interactive -UserId $user
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $user
$setting_set = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Task 1: start gpg-agent (gpg-connect-agent /bye launches it if it is not running).
$gpg_agent = "gpgAgent"
$gpg_agent_action = New-ScheduledTaskAction -Execute "gpg-connect-agent.exe" -Argument "/bye"
$gpg_agent_td = New-ScheduledTask -Action $gpg_agent_action -Principal $principal -Trigger $trigger -Settings $setting_set
Register-ScheduledTask -TaskName $gpg_agent -InputObject $gpg_agent_td
Start-ScheduledTask -TaskName $gpg_agent

# Task 2: start wsl-ssh-pageant, which bridges the Pageant interface to the named pipe.
$wsl_ssh_pagent = "sshPageant"
$wsl_ssh_pagent_action = New-ScheduledTaskAction -Execute "D:\Program Files\ssh-agent\wsl-ssh-pageant-amd64-gui.exe" -Argument "--winssh ssh-pageant"
$wsl_ssh_pagent_td = New-ScheduledTask -Action $wsl_ssh_pagent_action -Principal $principal -Trigger $trigger -Settings $setting_set
Register-ScheduledTask -TaskName $wsl_ssh_pagent -InputObject $wsl_ssh_pagent_td
Start-ScheduledTask -TaskName $wsl_ssh_pagent
```