YubiKey-Guide
Forward Yubico for sudo authentication over SSH
I've been trying to forward my Yubico to perform sudo authentication without having to use the password.
I've successfully performed SSH auth with Yubico on macOS 12 using ssh -A [email protected]
But when trying to get the key on the remote machine using the command ssh-keygen -D /usr/lib/x86_64-linux-gnu/libykcs11.so, I get the following error:
C_GetSlotList failed: 48
cannot read public key from pkcs11
Also, running ykpamcfg -2 -v outputs: Yubikey core error: no yubikey present
My local gpg-agent.conf:
enable-ssh-support
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 60
max-cache-ttl 120
My local .ssh/config:
Host server.com
HostName server.com
ForwardAgent yes
User user
# RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/pedrocavaleiro/.gnupg/S.gpg-agent.extra
RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/pedrocavaleiro/.gnupg/S.gpg-agent
RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh /Users/pedrocavaleiro/.gnupg/S.gpg-agent.ssh
In this case I'm not using the S.gpg-agent.extra because it locks some functionality (and yes, I'm aware of the implications).
On the remote machine, in the /etc/ssh/sshd_config config file, I do have the StreamLocalBindUnlink yes line.
I'm able to run gpg --card-status and it returns my Yubico key.
This question is also on ServerFault: Yubico forward over ssh
As for versions, they are the following:
- macOS (Local Machine)
  - macOS 12.4 (21F79)
  - ssh: OpenSSH_8.6p1, LibreSSL 3.3.6
  - gpg (GnuPG/MacGPG2) 2.2.34
  - libgcrypt 1.8.9
- Ubuntu Server (Remote Machine)
  - Ubuntu 22.04 LTS
  - Kernel: 5.15.0-40-generic
  - ssh: OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
  - gpg (GnuPG) 2.2.27
  - libgcrypt 1.9.4
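Added example, not part of the issue above nor of the YubiKey-Guide project: a small POSIX shell script that checks the pieces of the socket forward described in the post and classifies which tools can use it. The sshd_config and ssh config texts embedded in it are constructed samples shaped like the ones in the issue (the user path /Users/me is a placeholder), and the tool classification rests on one assumption worth stating plainly: a RemoteForward of the gpg-agent socket (and ForwardAgent for ssh-agent) carries agent protocol messages, not the USB device, whereas ykpamcfg and a PKCS#11 module such as libykcs11 open the YubiKey themselves through PC/SC on the host where they run. Tools in the second group therefore only see a YubiKey that is physically attached to that host, while gpg and ssh on the remote side work because they talk to the forwarded agent.

```shell
#!/bin/sh
# Added example (not from the issue or the guide): inspect a gpg-agent socket
# forward and say which tools can work on the remote end of it.
set -e

# Constructed sample of the remote /etc/ssh/sshd_config (not the poster's file).
SAMPLE_SSHD_CONFIG='Port 22
StreamLocalBindUnlink yes
PasswordAuthentication no'

# Constructed sample of the local ~/.ssh/config, same shape as in the issue.
SAMPLE_SSH_CONFIG='Host server.com
  HostName server.com
  ForwardAgent yes
  # RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/me/.gnupg/S.gpg-agent.extra
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/me/.gnupg/S.gpg-agent
  RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh /Users/me/.gnupg/S.gpg-agent.ssh'

# 0 if the sshd config text enables StreamLocalBindUnlink, which lets sshd
# replace a stale socket file left behind by an earlier session.
has_stream_local_bind_unlink() {
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*StreamLocalBindUnlink[[:space:]]+yes'
}

# Print the remote-side socket path of every active (uncommented) RemoteForward.
list_remote_forward_sockets() {
  printf '%s\n' "$1" | awk '$1 == "RemoteForward" { print $2 }'
}

# Number of active RemoteForward lines in the config text.
count_remote_forwards() {
  list_remote_forward_sockets "$1" | wc -l | tr -d ' '
}

# 0 if the path is a live Unix socket on this host, i.e. the forward is up.
socket_is_live() { [ -S "$1" ]; }

# Classify a tool (assumption stated in the lead-in):
#   0 = opens the YubiKey itself over USB/PC-SC, so it cannot see a key that
#       is only reachable through a forwarded agent socket
#   1 = talks to gpg-agent or ssh-agent over the forwarded socket
#   2 = not classified
needs_local_device() {
  case "$1" in
    ykpamcfg|ykman|yubico-piv-tool|libykcs11|pkcs11) return 0 ;;
    gpg|ssh|ssh-add) return 1 ;;
    *) return 2 ;;
  esac
}

# Summary meant to be run on the remote host after logging in with the config above.
report() {
  if has_stream_local_bind_unlink "$(cat /etc/ssh/sshd_config 2>/dev/null || true)"; then
    echo "sshd: StreamLocalBindUnlink yes"
  else
    echo "sshd: StreamLocalBindUnlink not set (a stale socket file would block the forward)"
  fi
  for s in $(list_remote_forward_sockets "$SAMPLE_SSH_CONFIG"); do
    if socket_is_live "$s"; then echo "forward up: $s"; else echo "forward missing: $s"; fi
  done
  for t in gpg ssh-add ykpamcfg libykcs11; do
    if needs_local_device "$t"; then
      echo "$t: needs the YubiKey attached to this host; a socket forward cannot carry it"
    else
      echo "$t: works through the forwarded agent socket"
    fi
  done
}
report
```

Run it on the remote machine; the "forward missing" lines tell you whether the RemoteForward sockets actually landed under /run/user/1000/gnupg, and the classification lines explain why gpg --card-status succeeds over the forward while ykpamcfg and ssh-keygen -D libykcs11.so report no device.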