Posts Tagged Yubikey

YubiKey GPG key for SSH authentication

In this post I’m going to go over the steps to configure your YubiKey for SSH authentication using a GPG key stored on the YubiKey itself.

This guide goes through the steps for setting this up on a Mac running OS X. Although the concepts of doing this under Linux and Windows are the same, the exact steps will be different.

Ensure your YubiKey has CCID mode enabled

Per Yubico’s site, this is usually enabled by default:

“Note that all YubiKey NEOs shipped after November 2015 come preconfigured with all modes enabled.” —

If you’re using an older YubiKey and need to enable it, you’ll want to download the YubiKey NEO Manager from Yubico’s website and run it to ensure that your YubiKey has CCID mode enabled. The link to this tool and instructions to run it are here.

Once you’re certain that CCID mode is enabled, you can move ahead with the next section.

Install GPG

The remainder of the steps in this guide use the command line interface for GPG tools. If you don’t have either GPG Tools or GnuPG installed, install one of them. If you already have one installed, you can skip on to the next section.

GPG Tools provides a nice set of GUI tools and is recommend for most users, but if you’re not afraid of the command line and have Homebrew installed on your Mac, you can install GnuPG2 using Homebrew with the following command:

brew install gnupg2

Decide if you want to require touch

YubiKey will prompt for your PIN during SSH authentication. Starting with YubiKey version 4, YubiKey can also require a touch on the sensor during authentication. Enabling this will require a touch confirmation on the touch sensor for each and every SSH connection.

If you want to enable this, it is highly recommend that you install and use the Yubikey Manager CLI using the instructions from this page. Once installed, you can enable touch using the following command:

ykman openpgp touch aut <'on'|'off'|'fixed'>

If you want more information on these specific policies, please see this page under the heading “Yubikey 4 touch”. IMPORTANT NOTE: A link to a bash script to enable touch is found on that page. Because the behavior of that script requires providing your admin key on the command line, it should be considered insecure. I highly recommend using the ykman tool instead whenever possible.

Unless you set ‘fixed’, (ON_FIXED), you can always come back and change this setting later. If you set fixed, you can’t change it until you put a new secret key onto the YubiKey.

Change the YubiKey PINs

Before continuing, it’s you should change the YubiKey PINs from their defaults if you have not already. The default PIN is 123456 and the default admin pin is 12345678.

To do this, start by running: gpg --card-edit

Once you have the card editor open, allow admin commands by running admin

Then, open the PIN change dialog with passwd

From here, set your PIN, Admin PIN, and reset code. Store these in a safe place.

Once you’ve set your PINs, you can further personalize the data on the card. Here’s the full list of commands available after running admin:

gpg/card> help
quit       quit this menu
admin      show admin commands
help       show this help
list       list all available data
name       change card holder's name
url        change URL to retrieve key
fetch      fetch the key specified in the card URL
login      change the login name
lang       change the language preferences
sex        change card holder's sex
cafpr      change a CA fingerprint
forcesig   toggle the signature force PIN flag
generate   generate new keys
passwd     menu to change or unblock the PIN
verify     verify the PIN and list all data
unblock    unblock the PIN using a Reset Code

Generate and move a GPG key to the YubiKey

If you already have a set of GPG tools installed and your own key generated and available within those tools, good on you! Run the following commands to be sure:

gpg --list-keys
gpg --list-secret-keys

If your public and secret keys do show up as expected, there’s no need to generate another key. You simply need to move your existing key to the YubiKey.

IMPORTANT NOTE: If you want to make use of the ability to revoke your key in the future, then you must generate the revocation certificate before moving the key to your YubiKey. Once you move a key to your YubiKey, it is not possible to generate a revocation certificate unless you have a full backup of the secret key somewhere and are able to re-import it to your GPG keyring.

To move your secret key from your GPG keyring to your YubiKey, go to this page and start where it says “To import the key on your YubiKey”

If you need to generate a GPG key for SSH authentication, take a look at this guide and follow one of the two methods provided.

Once your key is generated and moved to the card, you’re all set to move on to the next section.

Making it all work locally

This part requires editing just a few files to make gpg-agent work as expected.

Really important note: Starting with GnuPG 2.1, the –write-env-file is obsolete. See the GnuPG 2.1 FAQ for more informationThe following instructions have been updated with configuration information for versions both below and above GnuPG 2.1. A reader, Nick, confirms these instructions work for versions starting at 2.1, and eliminate the error message that appears regarding write-env-file being obsolete.

If any of the below configuration instructions do not work for you, I recommend that you reach out to the GnuPG mailing list for more help.

You can check your GPG version with:

gpg-agent --version

A precautionary note:

For GPG versions before 2.1, add the following to ~/.bash_profile:

[ -f ~/.gpg-agent-info ] && source ~/.gpg-agent-info
if [ -S "${GPG_AGENT_INFO%%:*}" ]; then
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
    eval $( gpg-agent --daemon --write-env-file ~/.gpg-agent-info )

For GPG versions at or above 2.1, add the following to ~/.bash_profile:

gpgconf --launch gpg-agent

For GPG versions before 2.1, add the following to ~/.gnupg/gpg-agent.conf:

write-env-file ~/.gpg-agent-info
pinentry-program /usr/local/MacGPG2/libexec/

For GPG versions at or above 2.1, add the following to ~/.gnupg/gpg-agent.conf:

~/.gpg-agent-info pinentry-program /usr/local/MacGPG2/libexec/

Restart gpg-agent:

sudo killall gpg-agent
source ~/.bash_profile
source ~/.gpg-agent-info

Get your SSH public key

Use the following command to get the SSH public key that corresponds to the key installed on your YubiKey:

ssh-add -L | grep cardno

This can be installed on any server that you want to use your YubiKey-stored key to access.

, ,

Leave a comment

YubiKey NEO and OpenPGP key generation and loading on Windows

This is an attempt to do a “quick start” guide for properly generating OpenPGP keys and loading them into your YubiKey NEO on Windows. This isn’t an all-exhaustive guide, and you more advanced users may choose to do things differently than I have demonstrated here. This is my way, and I know it works.

If you’re going to do anything with the OpenPGP functionality of the YubiKey NEO, you need the latest stable of Gpg4win, available here. You also need your NEO in CCID mode. See my previous post to get started. Also note that the YubiKey NEO only supports 2048-bit keys. Larger keys will not work. Smaller keys may or may not work.

After following this guide, you will have an OpenPGP 2048-bit key pair with sub-keys for encryption and authentication, a revocation certificate, a backup of your keys, and the secret keys loaded on to the appropriate slots on the YubiKey NEO.

YubiCo’s guide to this process is posted here. When I walked through their guide I noticed it was missing some steps. So I wrote this guide to fill in the blanks and be more descriptive.

Generating your initial key pair

Open a command prompt and run:

gpg --expert --gen-key

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8

For ‘kind of key’, select 8 (RSA: Set your own capabilities)

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection?

Now you want to select ‘e’, so that you toggle off the encryption ability off, so that ‘Current allowed’ shows only Sign and Certify. Then select ‘q’ to move on.

Make sure you select a 2048 bit key, and then continue through the wizard to complete your key pair generation.

Take note of your 8-character key ID. You will need it for future steps.

Adding the sub-keys

You need to add two sub-keys; one for encryption, and one for authentication.

From the command line, run (where keyID is your 8-character key ID) :

gpg --expert --edit-key keyID

Now, type:


Select 8 again, just like above, and then toggle abilities so you have an encryption-only key. Make sure you generate a 2048-bit key.

Repeat addkey one last time, and toggle abilities so you have an authentication-only key.

Then q to quit, and y to save changes.

Backing up the keys

Run each of the following commands to backup your public key, secret key, and to create a revocation certificate, where keyID is your 8-character key ID:

gpg --output public.asc -a --export keyID
gpg --output secret.asc -a --export-secret-key keyID
gpg --output revoke.asc -a --gen-revoke keyID

Moving the keys to the YubiKey

Run the following command:

gpg –expert –edit-key keyID

Then type toggle. You have sub-keys 1,and 2, and 0 represents the main key. For each of these sub-keys (1 and 2), type key subkey-number (such as key 1) to toggle handling that key, and then use keytocard to move it to your YubiKey. (after handling key 1, you have to type key 1 again to unselect it before selecting key 2). Keys 1 and 2 will only have one choice where to put them. Afterwards, type key 0 and keytocard it to the signature slot.

card errors: If you get a card error, IO error, or anything like that, quit gpg, saving any changes, quit Kleopatra, quit YubiCo Authenticator (if you’re running it), and then open Task Manager and kill any gpg-agent or gpg-* processes. Run this:

gpg –card-status

If this comes back with data (and not an error), then run this again and continue:

gpg –expert –edit-key key-ID

Integration with Putty / Pagent: This is something I haven’t explored yet, but this walk-through seems to deal with the topic quite well.

Leave a comment

YubiKey NEO Quick-Start on Windows

This is a continuation of my previous post on YubiKey.

In order for the most painless “Quick Start” of YubiKey on Windows, you will need a few tools:

First, the YubiKey NEO Manager, available here, will enable you to toggle the various modes (OTP, CCID, U2F) of your YubiKey on and off. Since the YubiKey ships with only OTP mode enabled, you will need this to turn on CCID (SmartCard) and U2F (Fido) mode. This will also let you check and verify the installed apps on your NEO, once you’ve enabled CCID mode. (Important: Check the version of your OpenPGP app. If it is 1.0.9 or lower, read this security advisory and take appropriate action).

Second, the YubiKey Personalization Tool, available here, will enable you to personalize the various configuration slots of your YubiKey. There are two slots available, and slot 1 is programmed with the YubiCo OTP (or RSA key, depending). It is strongly advised not to overwrite slot 1 unless you really know what you are doing. You can program slot 2 for whatever other implementation you would like. Please note that these two slots are independent of the applets that run on the CCID side of the card. Although that may be slightly confusing, it will be clear as you use your key.

Third, the YubiKey NEO contains the YubiOATH applet for generating those familiar 6-digit OTP codes that various websites use as two-factor authentication. Your YubiKey NEO can store many of those 6 digit codes and secrets in the key itself, but it requires the YubiOATH-desktop helper app, available here. This helper app is required because OATH codes are time-based, and the YubiKey has no internal clock. Also, this requires that CCID mode is enabled.

If you have anything to contribute, please do so in the comments below, or contact me using the form. 

Leave a comment

Why good password practices are no longer optional — Part 2

In part 1 of this two-part series, I mentioned some of the fallacies and misconceptions in password practices. If you haven’t read it, I suggest you click here to read it now. In this part I’ll discuss a few methods for storing and securing your strong passwords themselves. It’s not as hard as it sounds, and there are lots of ways to do it. I’ll describe a few different approaches below and a few pros and cons of each one:

Paper and pencil (or pen)

I’m taking it back to the basics here. Write down your passwords in an address book, rolodex, or other suitable organizational booklet. However, don’t store this near your computer. There are some simple solutions that can help you think of — and remember — complex passwords, such as this idea from

ProsHelps you keep organized track of username/password and security question/answer combinations easily and inexpensively. Durable and long-lasting.

ConsCan be easily compromised. Someone who knows where your password book is can still gain access to your accounts.

A simple text file, Spreadsheet, or Database

This is one step beyond the paper  method above. Storing your passwords in a simple database can do the same as above, as well as keeping it quickly sortable and searchable. However, if someone gains access to your computer or hard drive, it can be compromised. A few examples of this are a text file, an Excel spreadsheet, or an Access database.

ProsEasier to organize, search, and update than a paper file.

ConsCan be compromised if unauthorized access to your computer occurs, such as through a trojan or virus. Can be lost, corrupted, or become outdated if backups are not made and maintained.

An encrypted text file, Spreadsheet, Database, or specialized software

An encrypted database can offer you the same ease-of-use of the electronic storage method, while providing an extra layer of protection in case someone gains access to your computer’s data. There are several software programs which are designed for encrypted password storage, such as KeePass1PasswordPassword Safe, or the Firefox extension Password Hasher (though it’s not clear if it stores its password in encrypted databases or not). Though some of these can be pricey, the peace of mind and organization they provide is often times priceless.

ProsMany of the same advantages as simple file storage while providing an additional layer of security against unauthorized access. Free software programs are available. Specialized software can also assist in generating strong passwords.

ConsJust as the encryption protects against unauthorized access, you can lose access to your database if you forget the password. Store it securely. Non-free software can be pricey.

Cloud-based, encrypted password storage

Cloud-based password storage attempts to combine the best of encrypted storage as well as worry-free backup and syncing across all your devices. Keep in mind when choosing cloud-based storage that you’re placing your trust in the availability and security of the provider. Make sure that if you choose a provider that you carefully review their encryption choices and availability of an optional 2-factor authentication method.

My personal favorite in this category is LastPass. LastPass is free to use the website and browser extension, and they offer a premium subscription which allows you to access your password vault from a mobile device for $12 per year. LastPass also includes support for 2-factor authentication via a YubiKey or Google Authenticator.

(Disclaimer: I am a LastPass premium subscriber; I have not sought nor are they offering me any compensation for mentioning them in this post.)

ProsConvenient browser-based or browser extension for access and syncing of your passwords. Can auto-fill on websites. No need to worry about backing up your password file or losing it.

Cons: If your provider is compromised or goes down you could lose access to your stored passwords.

Do you have any methods of generating, storing, or securing passwords not listed above, or anything else that wasn’t covered in the above article? Please feel free to share in the comments below. Thank you!

, ,

Leave a comment

Two-Factor Authentication for the consumer

Most of our security is provided in the forms of username/password pairs and pin numbers, depending on the resource. For example, our ATM cards are secured by a 4-digit PIN, and most of our on-line accounts are secured by username/password pairs. It’s reasonable and simple security and for most of us, it works fine. However, all too often someone gets to say that “someone found out my password” or “so-and-so knew my password and now has hacked my account” etc. Its an unfortunate shortcoming a single-factor authentication system.

What is an authentication factor?

An authentication “factor” is something you use to gain access to a website or other resource. It can be something you know (a username/password combination, a pin number, a challenge/response sequence), something you have (a key or key-card), or something you are (a photograph, fingerprint, etc). Those are each considered a single “factor” in themselves.

For those of us who have had a security breach of one sort or another, it can be hard to rely on single-factor authentication for our private accounts. For those of us who are more security-minded, we might look to a two-factor authentication method from the start to make sure our accounts are secure from the start.

What is “Two-Factor Authentication”?

Two-factor authentication combines two of the above factors to increase the security of a resource. For example, a security door to a server room may require both a keycard and a pin number. Other two-factor authentication methods involve one-time passwords, or a random number generated by a key fob held by the person.

There are several different types of two-factor authentication options available for the consumer, and they are inexpensive and easy to use.

Yubico offers a simple USB key (a “Yubikey”) that is inserted into a USB port. The Yubikey emulates a USB keyboard so it is cross-platform and cross-browser compatible. It is operated simply by touching it’s button so there’s no pin numbers to enter. The generated one-time passwords are “typed” by the key and checked against the Yubico service. Compatible sites and services include blogs (via plug-in), Drupal sites (via plug-in), the Yubico OpenID service, and LastPass password manager service. There’s likely more sites, as I wasn’t able to find a central listing. Developer services include Web APIs, OAUTH, SAML, and personalization tools. (See the Yubico Developers Intro for information).

Verisign offers a key fob, credit card sized devices, and a mobile application which generate random numbers that have to be entered during the sign-in process. Participating sites include eBay, Paypal, AOL,, Geico, just to name a few.

I personally own one of each, as well as the Aladdin eToken PASS that my employer requires — I find that I use the Yubikey gets much more use, likely due to the fact that I don’t have to key in a pin number. I also appreciate the open-source nature of the plug-in and APIs, which also encourage more sites and services to adopt the device.

I would encourage you to consider any type of two-factor system and give yourself a chance to have an extra layer of peace of mind when accessing your on-line accounts.

One last thought: If you enable one of these security options on an on-line account, it is still possible to access even if you lose the key. The process usually involves telling the service that you’ve lost the fob during the log-in process, then confirming via an email that they send you. It’s not possible for someone to arbitrarily remove the second factor without having access to your email as well. Of course, if you use the same password at every site as most people do, that completely defeats the purpose of having a two-factor system set up. Do yourself a favor and at least use a different password at each site you use.

Have you had an account “hacked” that used just a username and password? Do you use a two-factor system or are you considering one? Please share your thoughts and opinions in the comments below.

Leave a comment