
Getting stubs onto remote machine

Open MaienM opened this issue 2 years ago • 3 comments

On my desktop I have my Yubikey plugged in and I can use it as expected.

I also regularly SSH into my laptop (on which I've previously used my Yubikey directly). I have my GPG agent forwarded (forwarding S.gpg-agent.extra) and can use the key this way, and I can see the fingerprints of the subkeys when listing my secret keys. I can also use my key on this machine, again as expected.

Now I'm setting up forwarding to another machine (to which my Yubikey has never been directly connected) and I'm running into some issues. I can import my public key just fine (either through keyservers or through export/import), but it doesn't know about any of my private keys, and subsequently doesn't let me use any of them.

I've done a bit of digging and figured out that my working machines have stubs for the private keys, which tell GPG that these keys exist and what smartcard to find them on. Without those stubs GPG has no idea that your smartcard has keys that can be used for anything, let alone what keys those are. Okay, so far so good. I've also found that running gpg --card-status will automatically create stubs for the connected cards (which is probably how my working machines got these stubs).

However, you cannot perform this command over the extra socket, so I cannot use this method to get the stubs onto my new machine. I figured I'd export the secret keys on one of my working machines (gpg --armor --output private-stubs.asc --export-secret-keys ID) and import them on the new machine (gpg --import private-stubs.asc). This successfully imports my public key but doesn't seem to actually import the secret keys, even though the output suggests it has.

gpg: sec  rsa4096/28094744BA81C6A9 2021-03-24  Michon van Dooren <[email protected]>
gpg: key 28094744BA81C6A9: "Michon van Dooren <[email protected]>" not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 28094744BA81C6A9: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1

Running the above command with enough verbosity will also list the secret subkeys (with gnu-divert-to-card as expected) confirming that they are in the export, but listing the secret keys afterwards shows that they were not actually imported.

And that's where I get stuck. Sure, I could probably fix it by forwarding the regular socket once to run the card-status command, but I feel that shouldn't be required. I also don't quite get why the export/import flow doesn't seem to work.

Any ideas for how to resolve this issue? Did I miss something in the guide? If not, is this perhaps something to address in the guide?

(As an aside, do these stubs even contain anything sensitive? They are called secret keys but from my understanding they really just contain information about the fingerprint of the secret key (which isn't useful by itself AFAIK, though it might not normally be public) and the serial number of the Yubikey (which is also not normally public but also seems like useless information without the device itself). Would it (assuming they can be imported) be fine for me to store these stubs with my dotfiles for easy setup or would this be a bad idea?)

MaienM avatar Nov 02 '21 17:11 MaienM
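Added example, not part of the issue thread: a small POSIX shell helper for the check I would run on the new machine after an import, to see whether gpg-agent actually holds stubs that point at a card. It parses `gpg --with-colons --list-secret-keys` output, using field 15 of sec/ssb records as documented in GnuPG's doc/DETAILS (assumed here: a serial number means a card stub, `#` means no secret part at all, `+` means on a card of unknown serial, empty means the secret key is stored locally). The sample records, key IDs and card serial are constructed.

```sh
#!/bin/sh
# classify_secret_keys: read gpg colon-format records on stdin and print one
# line per secret (sub)key as "<sec|ssb> <keyid> <where>".
# Field 15 meaning is an assumption taken from GnuPG's doc/DETAILS.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        where = "local"
        if ($15 == "#")      where = "missing"
        else if ($15 == "+") where = "card:unknown-serial"
        else if ($15 != "")  where = "card:" $15
        print $1, $5, where
    }'
}

# count_card_stubs: how many (sub)keys in the given records are card stubs.
count_card_stubs() {
    printf '%s\n' "$1" | classify_secret_keys | awk '/ card:/ { n++ } END { print n + 0 }'
}

# classify_local_secret_keys: run the check against the machine's own agent.
# Not called automatically, so the parser can be exercised without gpg present.
classify_local_secret_keys() {
    gpg --batch --with-colons --list-secret-keys 2>/dev/null | classify_secret_keys
}

# Constructed sample: a machine holding stubs for three subkeys on one card,
# no primary secret key (sec#), and one subkey stored locally for contrast.
SAMPLE_COLONS='sec:u:4096:1:0000000000000001:1616544000:::u:::cSC:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
ssb:u:4096:1:0000000000000002:1616544000::::::s:::D2760001240100000006123456780000:::23::0:
ssb:u:4096:1:0000000000000003:1616544000::::::e:::D2760001240100000006123456780000:::23::0:
ssb:u:4096:1:0000000000000004:1616544000::::::a:::D2760001240100000006123456780000:::23::0:
ssb:u:4096:1:0000000000000005:1616544000::::::a::::::23::0:'

# Demonstration on the constructed sample: prints "missing" for the primary,
# "card:<serial>" for the three stubs and "local" for the last subkey.
printf '%s\n' "$SAMPLE_COLONS" | classify_secret_keys
```

If an import "succeeded" but this lists no `card:` entries on the new machine, the stubs never reached that machine's own key store, which matches the symptom described above.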

Working with my keys is a once in a year or two endeavor, so I am a little rusty until the brain reboots, and I haven't attempted to forward to multiple machines in a chain for a long time... so this might not be accurate or help with the forwarding challenge.

Have you looked at using --export-secret-subkeys instead of --export-secret-keys? Then when you import the stub it'll indicate sec# in place of the Master Certification Key:

sec#  ed25519/6
ssb>  ed25519/C
ssb>  cv25519/C
ssb>  ed25519/A

codemonkee avatar Jan 03 '22 00:01 codemonkee

@MaienM Did the suggested command help fix you up?

drduh avatar Apr 09 '22 18:04 drduh

It did not, unfortunately. Both --export-secret-keys and --export-secret-subkeys seem to result in the exact same file.

@codemonkee mentioned multiple machines in a chain. Just to clarify, this is not what I'm trying to do, I am connecting from my desktop (which has the yubikey plugged in) to the new machine (which I am trying to get these stubs into). My laptop was just an example of a remote machine that does work (since I've had the key plugged into it directly), but it is not part of a forwarding chain. (I don't think it would make much of a difference wrt the issue I'm having, but still.)

MaienM avatar Apr 10 '22 10:04 MaienM

Closing due to inactivity. Please reopen or suggest changes in a PR if you figure this out.

drduh avatar Feb 12 '24 17:02 drduh