Windows GPG Yubikey

Configure Yubikey for SSH authentication on windows.

Required Materials

  1. gpg4win downloaded. Verify Integrity.

  2. Yubikey manager installed. Only required if you are changing keypress and NFC settings.

  3. Putty installed.

  4. Pre-configured Yubikey using Export GPG Subkeys to Yubikey.

Configure GPG4win

This will provide GPG interactions as well as an agent to provide key material to putty, winscp, etc.

The system path is modified using the system preferences control panel plugin to enable gpg use anywhere on the system.

Download gpg4win and verify integrity.

Add gpg to user system path

GPG path should be added to end of list.

⌘ › sysdm.cpl › Advanced › Environment Variables › User variables for {USER} › Path › Edit › New

Path

c:\Program Files (x86)\GnuPG\bin

Updated: 2021-02-19

Configure GPG Agent

This will enable SSH and Putty usage with the gpg-agent.

%appdata%\gnupg\scdaemon.conf
 reader-port Yubico YubiKey OTP+FIDO+CCID 0

Note

Yubico YubiKey OTP+FIDO+CCID 0 is the device name as listed in Device

Manager. This prevents Windows Hello from attempting to act as an pagent device (resulting in no key found errors).

start › Device Manager › View › Show Hidden Devices start › Device Manager › Software Devices

The name to use will be the full Yubikey device name.

%appdata%\gnupg\gpg-agent.conf
enable-ssh-support
enable-putty-support
Restart GPG Agent and Connect Agent to apply configuration changes (powershell).
gpgconf --kill gpg-agent
"c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" /bye

Configure Putty

Configure a host in putty and ensure the following options are set:

Use pageant for Putty Auth

Putty › Connection › SSH › Auth

Attempt authentication using Pageant

Private key file for authentication

Updated: None

Be sure to save your configuration changes.

Verify Putty Works

Ensure Yubikey is readable by GPG. This assumes you already setup:

  1. ~/.ssh/authorized_keys on the target machine with your exported GPG SSH RSA Public Key; see Export GPG Keys. Reference SSH for remote SSH configuration.

  2. Trusted the GPG Master Public Key on the local machine; see Import GPG Master Public Key.

  1. Connect with putty as normal.

  2. A Pin Entry pop-up window should appear. It may not be in focus. Enter your user PIN and press OK.

    ../../../_images/pinentry.png

  3. There will be no prompt in putty, but the Yubikey will start blinking. Tap Your Key to login.

Note

  • Number is the Yubikey serial number.

  • Holder is the First/Last name of the GPG certificate on the key.

  • Your key will blink when waiting for password or touch.

  • Both publickey and GPG can be used in the same system at the same time for different connections. No specific configuration is needed.

Run GPG Agent on Login

Scheduled Tasks are inconsistently applied and therefore you will run into issues if you depend on the scheduled tasks to always run at login to refresh your GPG agent. This is compounded by GPG agent occasionally hanging and needing to be force restarted. This is remedied by triggering GPG agent refresh on screen unlock events, ensuring that the agent is always ready.

See full instructions here: Scheduled Tasks Inconsistencies; or just follow these.

  1. Enable Logon/Logoff Events.

  2. Manually Adding Event Triggered Scheduled Task.

Forward GPG Agent Through Multiple Servers

This is effectively using a single server as an SSH Bastion and SSH’ing to additional machines through the bastion. This keeps your private credentials on your local machine, however, while the connection is active it is possible for other to use them as you while you are connected; so a secured and monitored system should be used. Machines are referred to as putty for your client machine, bastion for the machine you will be SSH’ing through and target for remote SSH targets.

../../../_images/bastion.png
Enable GPG Agent Forwarding in Putty

Putty › Connection › SSH › Auth

Allow agent forwarding

Updated: None

0644 root root /etc/ssh/sshd_config on Bastion.
StreamLocalBindUnlink yes
AllowAgentForwarding yes

Note

  • The exported GPG SSH RSA public key should be added to ~/.ssh/authorized_keys file for the connecting user. See: Export GPG Keys.

  • This will allow you to forward your credentials again to the next server.

  • Removes current socket file for forwarding before creating a new one.

Confirm new settings are loaded on Bastion.
sshd -T | grep -i allowagent
0644 root root /etc/ssh/sshd_config on Target.
AllowAgentForwarding no

Note

  • Target does not need to enable outbound agent forwarding for this to work.

  • The exported GPG SSH RSA public key should be added to ~/.ssh/authorized_keys file for the connecting user. See: Export GPG Keys.

References

  1. Yubikey SSH authentication on windows

  2. GPG key for SSH authentication

  3. Using GPG with Yubikey and WSL

  4. Yubikey

  5. Yubikey SSH

  6. Forwarding GPG key with SSH