| author | James Wu <james@analogist.net> | 2018-03-14 11:50:04 -0700 |
|---|---|---|
| committer | James Wu <james@analogist.net> | 2018-03-14 11:50:04 -0700 |
| commit | 79dac3ec7d53530564c701939b4b45c12000eb0d | |
| tree | 6530d7d1536471155ba3d2d4fe53baa6e4933ce2 | |
| parent | Merge pull request #54 from W1lkins/hopenpgp-tools-macos | |
| download | YubiKey-Guide-79dac3ec7d53530564c701939b4b45c12000eb0d.tar.gz | |
add explicit public key naming for IdentitiesOnly usage
| -rw-r--r-- | README.md | 16 |
|---|---|---|

1 files changed, 15 insertions, 1 deletions
@@ -1167,7 +1167,6 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" gpg-connect-agent updatestartuptty /bye ``` - ### Copy public key to server There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file: @@ -1175,6 +1174,21 @@ There is a `-L` option of `ssh-add` that lists public key parameters of all iden $ ssh-add -L ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211 +#### (Optional) Save public key for identity file configuration + +If `IdentitiesOnly yes` is used in your `.ssh/config` (for example [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/)), `ssh` will not automatically enumerate public keys loaded into `ssh-agent` or `gpg-agent`. This means `publickey` authentication will not proceed unless explicitly named by `ssh -i [identity_file]` or in `.ssh/config` on a per-host basis. + +In the case of Yubikey usage, you do not have access to the private key, and `identity_file` can be pointed to the public key (`.pub`). + + $ ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub + +Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows: + + $ cat << EOF >> ~/.ssh/config + Host github.com + IdentityFile ~/.ssh/id_rsa_yubikey.pub + EOF + ### Connect with public key authentication $ ssh git@github.com -vvv |
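Review bot: the first hunk (`@@ -1167,7 +1167,6 @@`) removes the blank line between the closing ``` fence and the `### Copy public key to server` heading, which is an unrelated whitespace change in a commit whose message is about IdentitiesOnly, and a heading butted directly against a fence is the kind of thing markdown linters flag (blank lines around headings). Suggest keeping the blank line, or at least mentioning the cleanup in the commit message so the diffstat's one deletion is accounted for.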
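Review bot: in the second hunk (`@@ -1175,6 +1174,21 @@`), `ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub` hardcodes the author's own card serial and the surrounding prose never tells the reader to substitute the `cardno:` value from their own `ssh-add -L` output; copied verbatim it writes an empty `id_rsa_yubikey.pub`, and an `IdentityFile` pointing at an empty file simply matches no agent key, so the `IdentitiesOnly yes` failure the section is meant to fix persists with no obvious cause. Suggest either `grep cardno:` (when one card is loaded) or an explicit "replace with your own serial" sentence, plus a quick check that the file is non-empty, e.g. `ssh-keygen -lf ~/.ssh/id_rsa_yubikey.pub`. Minor: "explicitly associate this Yubikey-stored key for used with the domain" should read "for use with", and "Yubikey" should be "YubiKey" to match the repository name.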