Introduction

If you’re as excited as I am about signing into your Linux server from your Windows machine and completely ditching passwords and private keys stored on your computer in the process, then this is the one true guide for you! I’ve been wanting to do this ever since I bought my first two YubiKey NEO keys four years ago, but the tutorials on the ’net just weren’t working out for me.
PGP seemed scary, overcomplicated and archaic; I was merrily flaunting my newfound 2FA powers anyway and couldn’t be bothered with any of the crypto crud.
Four years have passed, and yesterday the time finally came: I decided to take the plunge and figure all this crypto nonsense out for good. I will spare you the detailed explanations one might expect from crypto articles because, frankly, it’s an unpleasant experience: the tooling is subpar, the terminology is all over the place and I just wanted to get it done without screwing around. So here it is, and by the end of it you should be connecting to your fancy Linux servers from Windows via SSH using PGP keys and Kleopatra like there’s no motherfucking tomorrow.

Master key

  1. Disable any third-party firewall (TinyWall and the like) and any third-party anti-virus for now, to prevent weird errors.
    Windows Defender and Windows Firewall in their default configurations are fine.
  2. Install Gpg4win from https://www.gpg4win.org/
    1. I only install GnuPG and Kleopatra (skip GPA, GpgOL, GpgEX and browser integration)
    2. I install it to a path with no spaces in it, e.g. D:\Programs\Gpg4win
    3. My version is 3.1.13 (2020-09-04)
  3. If you had an earlier version of Gpg4win installed, this tutorial might not work for you, so uninstall it and make sure you have at least 3.1.13
  4. Create a file called gpg-agent.conf under c:\Users\<YOUR_USER>\AppData\Roaming\gnupg\ (that is, %APPDATA%\gnupg)
  5. Put this in it & save:
    enable-putty-support
    enable-ssh-support
    enable-putty-support is the line this tutorial relies on: it makes gpg-agent emulate Pageant so PuTTY can use the key on the card. enable-ssh-support enables the OpenSSH agent protocol as well.
  6. Insert your Yubikey into a USB slot
  7. Run Kleopatra
  8. Tools -> Manage Smartcards
  9. Hit F5 to refresh
  10. You should be seeing something like this:
  11. File -> New Key Pair…
  12. Create a personal OpenPGP key pair
  13. Click on Advanced Settings…
  14. Key Material: select RSA and uncheck +RSA (the +RSA box would add an encryption subkey, which we don’t want here)
  15. Bits:
    1. YubiKey NEO: 2048 bits
    2. Any other YubiKey, 4 and up: 4096 bits
    The card’s RSA limit only matters for keys you move onto it; the master key stays in your backup files, but matching sizes keeps things simple.
  16. Certificate Usage: uncheck everything (Certification will remain checked, that’s okay)
    1. If you want your master key to expire, you can check “Valid until” and give it a date. You can also set this later.
  17. This is how it should look:
  18. OK
  19. You have to enter either your name, email or both. I keep my info private so I just enter Dave as my name and leave email empty. You can change them later.
    If you want to use your keys for signing stuff like git commits then you should probably fill both name and email in.
  20. This is how it looks for me:
  21. Create
  22. Enter a strong passphrase for the key
  23. Click on “Make a Backup Of Your Key Pair…” and save it somewhere safe
  24. Make sure the extension of the saved file is asc. Open the file in Notepad and check that it’s text and starts with -----BEGIN PGP PRIVATE KEY BLOCK-----
  25. Now click “Make a Backup Of Your Key Pair…” again, but this time explicitly give it the extension pgp
  26. Save the file, open it in Notepad and check that it’s binary, i.e. not human-readable
  27. You should now have two backup files of your private key (master key) in the same directory.
  28. Do _NOT_ upload your public key to a directory service (keyserver) just yet!
  29. Click Finish
  30. Your key should now be listed in Kleopatra:
  31. Click on your certificate to select it
  32. View -> Details
  33. Click on “Generate revocation certificate” and save the file. It should automatically get the extension rev and the file type should be text. Keep it with your backups: you need it if you ever lose the master key or its passphrase, and anyone who gets hold of it can revoke your key.
  34. Close
  35. Quit Kleopatra
  36. Find Kleopatra’s icon in the system tray -> right click -> Shutdown Kleopatra
  37. But this won’t kill the underlying gpg-agent process, so open a command prompt in your GnuPG\bin folder. The default is C:\Program Files (x86)\GnuPG\bin; mine is d:\programs\gnupg\bin because I chose a path with no spaces. All the gpg commands in this tutorial are run from this folder.
  38. gpg-connect-agent KILLAGENT /bye
  39. (You can double-check in the Windows Task Manager that no gpg-agent.exe is running anymore)

Isn’t open source fun! No? How dare you.

Brief explainer

A PGP key has 4 possible uses:

  • Certification
  • Signing
  • Encryption
  • Authentication

We’ve set your primary key (a.k.a. master key) up to be usable for certification only, that is, it signs (certifies) your subkeys and user IDs but does nothing else.
Signing and encryption are not necessary for logging in to Linux, so I’m putting them into the optional Appendix should you still want to do the whole dance.
In my opinion it would needlessly overcomplicate things at this point.

So with that out of the way, let’s make you an Authentication key!

Subkeys

This is where it gets iiiiiinteresting! If you loathe overcomplicated procedures and arcane rituals as much as I do then you will absolutely hate all this nonsense – but it is necessary.
Want to log in to that juicy Linux server all by your smart-carded self? Then don’t give up and read on!

Kleopatra doesn’t support the creation of subkeys (that would simply be too useful), so it’s command line time. We all love command line tools.

  1. gpg -K
    1. mind the capital K (lowercase -k lists public keys; -K lists the secret keys we need)
  2. You should see a single key with [C] next to it and its long id below:
  3. gpg --expert --edit-key <your_key_id>
    1. <your_key_id> is either the long id or the long id’s last 8 characters
  4. If you enter the wrong id gpg will complain, so you can’t really mess this up.
  5. addkey
  6. 8 for RSA (set your own capabilities)
  7. a to turn the Authenticate capability on
  8. s to turn the Sign capability off
  9. e to turn the Encrypt capability off
  10. This should leave you with just the Authenticate capability (“Current allowed actions: Authenticate”):
  11. q
  12. Keysize: enter 2048 for Yubikey NEO or 4096 for any other Yubikey 4 and up
  13. Expiry: I enter 0 (zero) so the key never expires, feel free to enter something else
  14. y
  15. y again
  16. It should ask you for your passphrase and proceed to create the new authentication key
  17. After that you should be presented with this:
  18. One key with usage C (the master key) and another with usage A (the authentication key you’ve just created)
  19. key 1
  20. This should select the auth key and put an asterisk (*) next to ssb so it becomes ssb*
  21. keytocard
  22. 3 (slot 3 is the Authentication key slot on the card)
  23. Enter your passphrase
  24. Enter the admin PIN, which is 12345678 on a factory-fresh YubiKey
  25. save
  26. This should exit the gpg tool
  27. gpg -K
    1. it’s a capital K
  28. Observe the greater-than sign right after ssb: ssb>
  29. This means the auth key’s private half has been moved to your YubiKey and only a stub pointing at the card remains on your computer. There is no way to get it back off the card, which is the whole point.
  30. gpg --edit-card
  31. admin
  32. passwd
  33. 1
  34. First enter the existing PIN, which is 123456, then enter a custom PIN of at least 6 characters
  35. 3
  36. First enter the existing admin PIN, which is 12345678, then enter a custom admin PIN of at least 8 characters
    Pick something you will remember: three wrong PIN attempts block the PIN (the admin PIN can unblock it), but three wrong admin PIN attempts lock the OpenPGP applet and the only way out is a factory reset that wipes the keys on it.
  37. q
  38. quit
  39. gpg-connect-agent KILLAGENT /bye
  40. Launch Kleopatra
  41. Select your certificate
  42. Click on File -> Export…
  43. Save it to a directory as-is
  44. Click on File -> Export… again
  45. Save it with the pgp extension to the same directory
  46. There should be two files in that directory now: one with the extension asc, another with pgp. Asc is text, pgp is binary.
  47. These two files both contain your public key
  48. BACKUP your private key: File -> Export Secret Keys…, save one with the default extension (asc) and one with pgp. This export contains the master key plus a stub for the auth subkey; the subkey’s private half now exists only on the YubiKey, so don’t expect to recover it from this file.
  49. Now it’s time to DELETE all the keys from your computer!
    Since you’ve made a backup of your private and public key you need not worry.
  50. Select your certificate in Kleopatra
  51. Certificates -> Delete
  52. Confirm all the many deletion prompts
  53. Quit Kleopatra
  54. Find Kleopatra’s icon in the system tray -> right click -> Shutdown Kleopatra
  55. gpg-connect-agent KILLAGENT /bye
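Instead of squinting at the human-readable `gpg -K` listing for the `ssb>` marker (the check in this list and again in the per-YubiKey list further down), you can read the machine-readable output of `gpg -K --with-colons`. The following is an added example of mine, not code from the original post: it parses that colon-separated format using GnuPG’s documented column layout (field 12 holds the capability letters, field 15 holds a card serial number once the key has been moved, `+` while it is still on disk) and reports which auth-only subkey still needs `key N` and `keytocard`. The sample listing is constructed to exercise the parser; its key IDs, dates and card serial are made up, not captured from a real keyring. When gpg is on the PATH the script reads your real keyring instead.

```python
"""Parse the machine-readable listing from `gpg -K --with-colons` and report
which subkeys are authentication-only and which already live on a card.
Added example for this tutorial (not from the original post)."""
import subprocess
from dataclasses import dataclass

# Constructed sample laid out per GnuPG's doc/DETAILS column definitions:
# field 1 record type, 3 key length, 5 key ID, 12 capabilities, 15 token field.
# Key IDs, dates and the card serial are made up, not captured from a real keyring.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cCA:::+:::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF0123ABCD:
uid:u::::1600000000::0000000000000000000000000000000000000000::Dave::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000100::::::a:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:0011223344556677:1600000200::::::a:::+:::23::0:
"""


@dataclass
class SecretKey:
    record: str      # "sec" = primary (master) key, "ssb" = subkey
    keyid: str       # long key ID (field 5)
    bits: int        # key length (field 3)
    caps: str        # this key's own capabilities: the lowercase letters of field 12
    token: str       # field 15: "+" on disk, "#" offline stub, anything else = card serial
    edit_index: int  # subkey number for `key N` in --edit-key (1 = first subkey); 0 marks the primary

    @property
    def on_card(self) -> bool:
        """True when only a stub remains locally, shown as `ssb>` by plain `gpg -K`."""
        return self.token not in ("", "+", "#")


def parse_secret_listing(text: str) -> list[SecretKey]:
    """Return the primary key and subkeys in listing order; other record types are skipped."""
    keys: list[SecretKey] = []
    subkey_number = 0
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 15 or fields[0] not in ("sec", "ssb"):
            continue
        own_caps = "".join(c for c in fields[11] if c.islower())
        if fields[0] == "ssb":
            subkey_number += 1
        keys.append(SecretKey(fields[0], fields[4], int(fields[2]), own_caps, fields[14],
                              subkey_number if fields[0] == "ssb" else 0))
    return keys


def auth_only_subkeys(keys: list[SecretKey]) -> list[SecretKey]:
    """Subkeys with exactly the Authenticate capability, as this tutorial creates them."""
    return [k for k in keys if k.record == "ssb" and k.caps == "a"]


def next_subkey_to_move(keys: list[SecretKey]):
    """The newest auth-only subkey still on disk: the one to select with `key N` before `keytocard`."""
    pending = [k for k in auth_only_subkeys(keys) if not k.on_card]
    return pending[-1] if pending else None


def problems(keys: list[SecretKey]) -> list[str]:
    """Sanity checks matching the end state this tutorial aims for."""
    found = []
    primaries = [k for k in keys if k.record == "sec"]
    if len(primaries) != 1 or primaries[0].caps != "c":
        found.append("expected exactly one certify-only primary key")
    if not any(k.on_card for k in auth_only_subkeys(keys)):
        found.append("no authentication subkey is on a card yet")
    return found


if __name__ == "__main__":
    try:  # use the real keyring when gpg is available, the constructed sample otherwise
        listing = subprocess.run(["gpg", "-K", "--with-colons"], capture_output=True,
                                 text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING
    keys = parse_secret_listing(listing)
    for k in keys:
        where = f"on card {k.token}" if k.on_card else "on this computer"
        print(f"{k.record} key {k.edit_index} {k.keyid} rsa{k.bits} [{k.caps.upper()}] {where}")
    pending = next_subkey_to_move(keys)
    if pending:
        print(f"next: key {pending.edit_index} then keytocard")
    for msg in problems(keys):
        print("WARNING:", msg)
```

In the sample, the first subkey already reports the card’s serial number in field 15 (that is what `gpg -K` abbreviates to `ssb>`), while the second still shows `+`, so `next_subkey_to_move` points at `key 2`.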

Public key

  1. Now, upload your public key to a web server on the internet, at a URL you control.
    Do _NOT_ upload your public key to a directory service (keyserver) just yet!
    You need to upload the .asc file (the one that is text)
  2. gpg --edit-card
  3. admin
  4. url
  5. Enter your public key’s URL
  6. Enter the admin PIN (the default was 12345678 but you’ve changed it!)
  7. fetch (this downloads the public key from the URL stored on the card and imports it into your keyring; it’s what lets a Windows box that knows nothing about you learn about the keys on your card)
  8. quit
  9. Now to make your Linux server aware of your new keys!
  10. gpg --export-ssh-key <your_key_id>
  11. This prints the newest authentication-capable subkey as a one-line OpenSSH public key (ssh-rsa AAAA… openpgp:0x…). If you ever need a specific subkey, pass its id with a trailing exclamation mark, e.g. gpg --export-ssh-key <subkey_id>!
  12. Log in to your Linux server
  13. Insert the above SSH public key into your ~/.ssh/authorized_keys file (one key per line) and save it. Make sure ~/.ssh is mode 0700 and authorized_keys is 0600, otherwise sshd silently ignores the file.
  14. Now’s the time to test it all out!
  15. Close Pageant if it’s running (gpg-agent’s PuTTY support pretends to be Pageant, and the two can’t coexist)
  16. gpg-connect-agent KILLAGENT /bye
  17. Run Kleopatra (this starts a fresh gpg-agent with the new config)
  18. Try & log in via PuTTY. A pinentry window will ask for your YubiKey’s PIN (the user PIN you changed, not the admin PIN) and it should just work.

WOOHOO IT WORKED, FANTASTIC AMIRITE!!!
Great! Now that your main key is out of the way, let’s propagate this goodness unto all your additional Yubikeys.
It’s important to have at least one backup key, though I wouldn’t blame you if you just wanted to murder anyone who ever mentions PGP again at this point.

Additional Yubikeys

  1. In Kleopatra: File -> Import…
  2. Find the backup you’ve made of your private key and import it
  3. Say Yes when asked if it’s your key
  4. Ok
  5. Double-click the certificate -> More details… -> there should be two entries: one with usage Certify, another with usage Authenticate
  6. Close all the windows and Kleopatra itself
  7. Find Kleopatra’s icon in the system tray -> right click -> Shutdown Kleopatra
  8. gpg-connect-agent KILLAGENT /bye

Repeat for each additional Yubikey:

  1. Plug in the next Yubikey you wish to use to authenticate to Linux
  2. gpg --expert --edit-key <your_key_id>
  3. addkey
  4. 8 for RSA (set your own capabilities)
  5. a to turn the Authenticate capability on
  6. s to turn the Sign capability off
  7. e to turn the Encrypt capability off
  8. q
  9. Keysize: enter 2048 for Yubikey NEO or 4096 for any other Yubikey 4 and up
  10. Expiry: I enter 0 (zero) so the key never expires, feel free to enter something else
  11. y
  12. y again
  13. It should ask you for your passphrase and proceed to create the new authentication key
  14. Now there should be as many keys with usage A as the number of YubiKeys you’ve added so far.
  15. Subkeys are numbered from 1 in the order listed (the master key is not a subkey): the first subkey is key 1, the second is key 2, the third is key 3, etc.
  16. key <last_key>
    1. e.g. key 2 if this is for your second Yubikey
  17. This should select the last auth key and put an asterisk (*) next to ssb so it becomes ssb*
  18. keytocard
  19. 3 (the Authentication key slot)
  20. Enter your passphrase
  21. The admin PIN is still 12345678 since this is a new Yubikey
  22. save
  23. This should exit the gpg tool
  24. gpg -K
    1. it’s a capital K
  25. Observe the greater-than sign after every ssb: ssb>
  26. This means each auth key has been moved from your computer to its own YubiKey; only stubs remain locally
  27. gpg --edit-card
  28. admin
  29. passwd
  30. 1
  31. First enter the existing PIN, which is 123456, then enter a custom PIN of at least 6 characters
  32. 3
  33. First enter the existing admin PIN, which is 12345678, then enter a custom admin PIN of at least 8 characters
  34. q
  35. quit

Once you’re done with all your Yubikeys, it’s time to re-export the public key so it’s amended with all the new authentication keys sitting on your army of Yubikeys.
You will have to do this every time you decide to add more keys to your keychain in the future!

  1. gpg-connect-agent KILLAGENT /bye
  2. Launch Kleopatra
  3. Select your certificate
  4. Click on File -> Export…
  5. Save it to a directory as-is
  6. Click on File -> Export… again
  7. Save it with the pgp extension to the same directory
  8. There should be two files in that directory now: one with the extension asc, another with pgp. Asc is text, pgp is binary.
  9. These two files both contain your public key
  10. gpg --export-ssh-key <your_key_id>
  11. This prints the newest authentication subkey, i.e. the one you just created, in SSH format. To re-export an older YubiKey’s key, pass that subkey’s id with a trailing exclamation mark: gpg --export-ssh-key <subkey_id>!
  12. Log in to your Linux server
  13. APPEND your new public key to your authorized_keys file and save it (all the keys should be on their own line as usual)
  14. BACKUP your private key: File -> Export Secret Keys…, save one in the default extension (asc) and one in pgp
  15. Now it’s time to DELETE all the keys from your computer! Since you’ve made a backup of your private and public key you need not worry.
  16. Select your certificate
  17. Certificates -> Delete
  18. Confirm all the many deletion prompts
  19. Quit Kleopatra
  20. Find Kleopatra’s icon in the system tray -> right click -> Shutdown Kleopatra
  21. gpg-connect-agent KILLAGENT /bye
  22. Now, re-upload your public key to a server on the internet.
    Do _NOT_ upload your public key to a directory service (keyserver) just yet!
    You’ll need to upload the .asc file (the one that is text)
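Appending by hand works, but it is easy to paste a mangled line or add the same key twice when you repeat this for every YubiKey. The following is an added example of mine, not code from the original post: it parses an `ssh-rsa` line the way sshd does (type prefix, base64 blob holding the wire-format type string, exponent and modulus, optional comment), reports the modulus size and the SHA256 fingerprint `ssh-keygen -lf` would print, and appends the line to an authorized_keys text only if that key blob is not already present. The sample key is constructed: the modulus is a made-up odd 2048-bit number, not a real RSA key, and the `openpgp:0x…` comment imitates what gpg --export-ssh-key attaches. Run `parse_ssh_rsa_line` on a real line from `gpg --export-ssh-key` to confirm the key size before you trust it.

```python
"""Inspect an OpenSSH ssh-rsa public key line (as emitted by `gpg --export-ssh-key`)
and add it to an authorized_keys file without creating duplicates.
Added example for this tutorial (not from the original post)."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint for a positive integer; the extra byte keeps the sign bit clear when needed."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one wire-format string, returning (bytes, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:end], end


def parse_ssh_rsa_line(line: str) -> dict:
    """Validate one authorized_keys line; return type, comment, e, modulus bits and fingerprint."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, offset = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError(f"type prefix {key_type!r} does not match blob type {wire_type!r}")
    if key_type != "ssh-rsa":
        raise ValueError("this helper only inspects ssh-rsa keys")
    e_bytes, offset = _read_string(blob, offset)
    n_bytes, offset = _read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing bytes after the RSA public key")
    n = int.from_bytes(n_bytes, "big")
    # ssh-keygen -lf prints SHA256 over the raw blob, base64 without padding.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "comment": comment, "e": int.from_bytes(e_bytes, "big"),
            "bits": n.bit_length(), "fingerprint": fingerprint}


def append_if_missing(authorized_keys: str, new_line: str) -> tuple[str, bool]:
    """Return (updated_text, added). Keys are compared by type and blob, so the same key
    with a different comment does not get a second entry."""
    def identity(line: str):
        parts = line.split()
        return (parts[0], parts[1]) if len(parts) >= 2 else None

    new_line = new_line.strip()
    present = {identity(l) for l in authorized_keys.splitlines()
               if l.strip() and not l.lstrip().startswith("#")}
    if identity(new_line) in present:
        return authorized_keys, False
    if authorized_keys and not authorized_keys.endswith("\n"):
        authorized_keys += "\n"
    return authorized_keys + new_line + "\n", True


# Constructed sample: e = 65537 and a made-up odd 2048-bit modulus (NOT a real RSA key;
# it only exercises the parser). The comment imitates gpg's "openpgp:0x<short key id>".
_FAKE_N = (1 << 2047) | (0x5A5A << 16) | 1
SAMPLE_LINE = ("ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
               + _ssh_mpint(_FAKE_N)).decode() + " openpgp:0x0123ABCD")

if __name__ == "__main__":
    info = parse_ssh_rsa_line(SAMPLE_LINE)
    print(f"{info['bits']}-bit {info['type']} {info['fingerprint']} {info['comment']}")
    text, added = append_if_missing("# existing keys\n", SAMPLE_LINE)
    print("added" if added else "already present")
```

On the server you would read ~/.ssh/authorized_keys into `authorized_keys`, call `append_if_missing`, and write the result back with mode 0600; comparing on type plus blob rather than the whole line is what keeps a re-exported key with a new `openpgp:0x…` comment from piling up duplicates.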

Repeat for each of your newly added Yubikeys:

  1. Insert the Yubikey
  2. gpg --edit-card
  3. admin
  4. url
  5. Enter your public key’s URL
  6. Enter the admin PIN (the default was 12345678 but you’ve changed it!)
  7. fetch
  8. quit

Log in to your Linux server with your newly added Yubikey:

  1. Close Pageant if it’s running
  2. gpg-connect-agent KILLAGENT /bye
  3. Run Kleopatra
  4. Try & log in via PuTTY and it should just work

Lastly, switch your custom firewall and anti-virus software back on and check if everything still works.
Now merrily use your newfound PGP+GPG+SSH+Yubikey+Kleopatra powers to log in and out of any of your Linux servers as you please!

If after 3 days you still find everything in order, consider uploading your public key to a keyserver.
Don’t do so before the 3 days are up! Keyservers don’t delete keys: something you uploaded just to test can only be revoked, never removed, and that gets messy.

The only thing required from now on other than a YubiKey is that gpg-agent is running, and Kleopatra takes care of starting it. You can remove any keys you still have in Kleopatra, e.g. your public key, since you don’t need anything there for authentication – everything is on your YubiKeys or in backup files on your computer.

Note that your master key only exists in backup file form – which is okay. If you want to be extra paranoid, you can move it to a pen drive that you keep in a safe or what have you. Don’t move it onto a YubiKey though – keytocard leaves you with only the copy on the card, and if anything happens to that key (lost, stolen, damaged) you’re screwed.

There are other tutorials on the ’net that use gpg-agent or gpg-connect-agent directly instead of Kleopatra, but I haven’t been able to get them to work. Kleopatra uses gpg-agent under the hood and seems to supply all the required configuration parameters, settings and directories automagically. If it ain’t broke don’t fix it!

Hope this was helpful, enjoy all this nonsense and brag about it to your friends!
If I’ve done something stupid let me know in the comments.

References

GPG and SSH with Yubikey on Windows, https://suchsecurity.com/gpg-and-ssh-with-yubikey-on-windows.html
