diff options
| -rw-r--r-- | README.md | 31 |
1 files changed, 21 insertions, 10 deletions
@@ -12,6 +12,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d - [Prepare environment](#prepare-environment) - [Required software](#required-software) * [Debian and Ubuntu](#debian-and-ubuntu) + * [Fedora](#fedora) * [Arch](#arch) * [RHEL7](#rhel7) * [NixOS](#nixos) @@ -89,7 +90,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d # Purchase -All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). Yubico have also just released a press release and blog post about supporting resident ssh keys on their Yubikeys including blue "security key 5 NFC" with OpenSSH 8.2 or later, see [here](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) for details. +All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). In May 2021, Yubico also released a press release and blog post about supporting resident ssh keys on their Yubikeys including blue "security key 5 NFC" with OpenSSH 8.2 or later, see [here](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) for details. To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic. @@ -102,7 +103,7 @@ You will also need several small storage devices (microSD cards work well) for s To create cryptographic keys, a secure environment that can be reasonably assured to be free of adversarial control is recommended. Here is a general ranking of environments most to least likely to be compromised: 1. Daily-use operating system -1. Virtual machine on daily-use host OS (using [virt-manager](https://virt-manager.org/), VirtualBox, or VMWare) +1. Virtual machine on daily-use host OS (using [virt-manager](https://virt-manager.org/), VirtualBox, or VMware) 1. Separate hardened [Debian](https://www.debian.org/) or [OpenBSD](https://www.openbsd.org/) installation which can be dual booted 1. Live image, such as [Debian Live](https://www.debian.org/CD/live/) or [Tails](https://tails.boum.org/index.en.html) 1. Secure hardware/firmware ([Coreboot](https://www.coreboot.org/), [Intel ME removed](https://github.com/corna/me_cleaner)) @@ -243,6 +244,15 @@ $ sudo service pcscd start $ ~/.local/bin/ykman openpgp info ``` +## Fedora +```console +$ sudo dnf install wget +$ wget https://github.com/rpmsphere/noarch/raw/master/r/rpmsphere-release-34-2.noarch.rpm +$ sudo rpm -Uvh rpmsphere-release*rpm + +$ sudo dnf install gnupg2 dirmngr cryptsetup gnupg2-smime pcsc-tools opensc pcsc-lite secure-delete pgp-tools yubikey-personalization-gui +``` + ## Arch ```console @@ -363,13 +373,12 @@ If you have a hardware device other than the CPU based one, install the accompan OneRNG specific example: ``` -$ sudo apt -y install python-gnupg -$ wget https://github.com/OneRNG/onerng.github.io/raw/master/sw/onerng_3.6-1_all.deb +$ wget https://github.com/OneRNG/onerng.github.io/raw/master/sw/onerng_3.7-1_all.deb -$ sha256sum onerng_3.6-1_all.deb -a9ccf7b04ee317dbfc91518542301e2d60ebe205d38e80563f29aac7cd845ccb onerng_3.6-1_all.deb +$ sha256sum onerng_3.7-1_all.deb +b7cda2fe07dce219a95dfeabeb5ee0f662f64ba1474f6b9dddacc3e8734d8f57 onerng_3.7-1_all.deb -$ sudo dpkg -i onerng_3.6-1_all.deb +$ sudo dpkg -i onerng_3.7-1_all.deb $ echo "HRNGDEVICE=/dev/ttyACM0" | sudo tee /etc/default/rng-tools ``` @@ -1355,7 +1364,7 @@ Your selection? q The number of retry attempts can be changed with the following command, documented [here](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries): ```bash -ykman openpgp access set-retries 5 5 5 +ykman openpgp set-pin-retries 5 5 5 ``` ## Set information @@ -2395,7 +2404,7 @@ Create `$HOME/Library/LaunchAgents/gnupg.gpg-agent.plist` with the following con ``` ```console -launchctl load gnupg.gpg-agent.plist +launchctl load $HOME/Library/LaunchAgents/gnupg.gpg-agent.plist ``` Create `$HOME/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist` with the following contens: @@ -2420,7 +2429,7 @@ Create `$HOME/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist` with the follo ``` ```console -launchctl load gnupg.gpg-agent-symlink.plist +launchctl load $HOME/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist ``` You will need to either reboot, or log out and log back in, in order to activate these changes. @@ -2718,6 +2727,8 @@ Before you unmount your backup, ask yourself if you should make another one just - If you still receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - edit `~/.gnupg/gpg-agent.conf` to set a valid `pinentry` program path, e.g. `pinentry-program /usr/local/bin/pinentry-mac` on macOS. +- If you still receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - it is a [known issue](https://bbs.archlinux.org/viewtopic.php?id=274571) that openssh 8.9p1 and higher has issues with YubiKey. Adding `KexAlgorithms -sntrup761x25519-sha512@openssh.com` to `/etc/ssh/ssh_config` often resolves the issue. + - If you receive the error, `The agent has no identities` from `ssh-add -L`, make sure you have installed and started `scdaemon`. - If you receive the error, `Error connecting to agent: No such file or directory` from `ssh-add -L`, the UNIX file socket that the agent uses for communication with other processes may not be set up correctly. On Debian, try `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`. Also see that `gpgconf --list-dirs agent-ssh-socket` is returning single path, to existing `S.gpg-agent.ssh` socket. |