On 2015-07-19 at 00:45, walt wrote:
> On Sat, 18 Jul 2015 12:21:39 +0200
> "Stefan G. Weichinger" <[email protected]> wrote:
>
>> Does anyone (aside from Diego, as I know from his blog) use Yubico
>> Yubikeys with Gentoo?
>>
>> I am especially interested in getting it to work within Gnome, to
>> authenticate ssh-sessions (using the smartcard feature of the Yubikey
>> NEO).
>>
>> There are X howtos out there ... telling me to add udev-rules, disable
>> gnome-keyring, run keychain ... etc etc
>>
>
> What an amazing coincidence. I just listened to a podcast about an hour
> ago where the process was explained in detail (even mentioning the NEO
> model and smartcard in particular). Weird.
>
> I'm curious to know if this link actually gives you what you asked for:
>
> http://www.jupiterbroadcasting.com/85062/ssh-authentication-with-yubikey-las-373/
>
> You can either watch (or listen to) the podcast, or scroll down the page
> about one-third to see written instructions. (Instructions based on
> ubuntu, not gentoo, but I'm sure you can translate :)
Thanks. Ok, didn't yet know about that piv-tool, will build it later this
day and try it.

The instructions there seem to be simply taken from the yubico website:

https://developers.yubico.com/yubico-piv-tool/SSH_with_PIV_and_PKCS11.html

The howto doesn't use gpg-(sub)keys for ssh-auth, so far I followed howtos
like this:

https://stafwag.github.io/blog/blog/2015/06/16/using-yubikey-neo-as-gpg-smartcard-for-ssh-authentication/

As I have an existing gpg-keyring I am cautious not to break things. So I
added subkeys with 2048 bits to make them fit on the SC-part of the Neo
Yubikey (my main key is 4096 bits long).

This guy

http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

moves on to a new main key while doing all this ... maybe I should consider
this as well.

All the howtos out there have in common that the process of handling all
the needed parts feels kind of unintuitive and scary. And I always wonder
if I haven't missed a thing and locked myself out forever ;-)

I had ssh using the (gpg-)subkey from the card already on one machine.
Somehow it stopped working again and I am not sure what I screwed up.

All this led me to using keychain ( https://wiki.gentoo.org/wiki/Keychain )
... to control agents for gpg and ssh (and cache PINs/passphrases). So I
have to disable parts of the gnome-keyring (maybe the whole?) to let
keychain manage that.

Many moving parts included.

Stefan
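The setup Stefan describes (gpg authentication subkey on the NEO, gpg-agent acting as the SSH agent, gnome-keyring's own SSH agent kept out of the way so it does not override SSH_AUTH_SOCK) has a small number of moving parts that can be written down and checked. The script below is an added example, not code from the thread or from any of the linked howtos. It assumes GnuPG 2.1 or later (where gpg-agent has `enable-ssh-support` and `gpgconf --list-dirs agent-ssh-socket`), a GNOME desktop that starts its SSH agent via the XDG autostart file `gnome-keyring-ssh.desktop`, and that the authentication subkey is already on the card. Every function takes its directories as parameters so it can be exercised against a scratch directory before touching the real `~/.gnupg`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): make gpg-agent the SSH
# agent for a Yubikey NEO authentication subkey and stop gnome-keyring's SSH
# component from taking over SSH_AUTH_SOCK. Assumes GnuPG >= 2.1.

# Enable gpg-agent's built-in SSH agent. Idempotent: options are appended
# only if not already present, so re-running never duplicates lines.
write_gpg_agent_conf() {
    gnupghome="$1"
    conf="$gnupghome/gpg-agent.conf"
    mkdir -p "$gnupghome"
    chmod 700 "$gnupghome"
    grep -qs '^enable-ssh-support' "$conf" || printf 'enable-ssh-support\n' >> "$conf"
    # Cache lifetime for SSH use, in seconds (constructed value; tune to taste).
    grep -qs '^default-cache-ttl-ssh' "$conf" || printf 'default-cache-ttl-ssh 1800\n' >> "$conf"
    chmod 600 "$conf"
}

# Returns 0 when the agent config enables SSH support, 1 otherwise.
gpg_agent_ssh_enabled() {
    grep -qs '^enable-ssh-support' "$1/gpg-agent.conf"
}

# Print the socket ssh must use. gpgconf knows the real path on GnuPG 2.1+;
# the fallback is the traditional S.gpg-agent.ssh inside GNUPGHOME.
gpg_agent_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1 && gpgconf --list-dirs agent-ssh-socket >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s/S.gpg-agent.ssh\n' "$1"
    fi
}

# Disable gnome-keyring's SSH agent via the XDG autostart override mechanism:
# a user-level desktop file with the same name and Hidden=true masks the
# system one. Arguments: user autostart dir (normally ~/.config/autostart)
# and the name of the system autostart entry (gnome-keyring-ssh.desktop on
# GNOME 3 of this era; assumption, verify with ls /etc/xdg/autostart).
disable_gnome_keyring_ssh() {
    autostart_dir="$1"
    entry="${2:-gnome-keyring-ssh.desktop}"
    mkdir -p "$autostart_dir"
    target="$autostart_dir/$entry"
    grep -qs '^Hidden=true' "$target" || printf '[Desktop Entry]\nHidden=true\n' >> "$target"
}

# Lines for ~/.bashrc (or the shell profile) so every shell talks to
# gpg-agent's SSH socket and the agent knows which tty to prompt on.
ssh_env_snippet() {
    gnupghome="$1"
    printf 'export SSH_AUTH_SOCK="%s"\n' "$(gpg_agent_ssh_socket "$gnupghome")"
    printf 'gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1\n'
}

# Live check: with the card inserted, gpg-agent lists the on-card auth key
# as an SSH public key without any entry in sshcontrol. Only runs when the
# tools are installed; it is a diagnostic, not part of the test below.
show_card_ssh_key() {
    gnupghome="$1"
    command -v ssh-add >/dev/null 2>&1 || { echo "ssh-add not installed"; return 1; }
    SSH_AUTH_SOCK="$(gpg_agent_ssh_socket "$gnupghome")" ssh-add -L
}

# Demo against a scratch directory: ./yk-ssh.sh --demo
if [ "${1:-}" = "--demo" ]; then
    scratch="$(mktemp -d)"
    write_gpg_agent_conf "$scratch/gnupg"
    disable_gnome_keyring_ssh "$scratch/autostart"
    echo "--- gpg-agent.conf:"; cat "$scratch/gnupg/gpg-agent.conf"
    echo "--- autostart override:"; cat "$scratch/autostart/gnome-keyring-ssh.desktop"
    echo "--- shell profile lines:"; ssh_env_snippet "$scratch/gnupg"
    rm -rf "$scratch"
fi
```

Run it with `--demo` first to see what it would write, then call `write_gpg_agent_conf "$HOME/.gnupg"` and `disable_gnome_keyring_ssh "$HOME/.config/autostart"` for real, log out and back in, and confirm with `show_card_ssh_key "$HOME/.gnupg"` that the key listed comes from the card (`gpg --card-status` shows the same authentication key fingerprint). If `ssh-add -L` lists nothing, the usual cause is that SSH_AUTH_SOCK still points at gnome-keyring's socket rather than gpg-agent's, which is exactly the overlap between gnome-keyring and keychain that the thread is wrestling with.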

