Install gnupg or gpg4win
# GnuPG supplies gpg.exe, gpg-agent and scdaemon used throughout; the git config further down
# points at the Gpg4win-style install path under "Program Files (x86)\GnuPG", adjust if needed.
winget install --id gnupg.gnupg
a. Disable the Windows built-in ssh-agent service
# gpg-agent takes over as the SSH agent (enable-win32-openssh-support in gpg-agent.conf below);
# the built-in ssh-agent service must not run alongside it — presumably both would serve the same
# OpenSSH agent named pipe, confirm.
Get-Service ssh-agent | Set-Service -StartupType Disabled
Stop-Service ssh-agent
# Verify it now reports Stopped / Disabled.
Get-Service ssh-agent
b. [OPT] Enable the Windows OpenSSH server (sshd)
# Optional: run the Windows OpenSSH server now and have it start automatically at boot.
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
c. [OPT] Configure the Windows sshd to harden it (needs an elevated/admin shell, obviously)
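# Optional hardening of the Windows OpenSSH server config (run from an elevated shell).
# Rewrites two commented-out defaults in place: key-only authentication, and GSSAPI (Kerberos)
# authentication switched on.
# Caution: if this host is also the "server" that the authorized_keys copy below targets, turn
# password authentication off only after a key-based login has been verified, or the copy step
# (and you) get locked out.
$sshdConfig = "$ENV:PROGRAMDATA\ssh\sshd_config"
# The assignment collects the whole pipeline before Set-Content reopens the file for writing.
# Both substitutions use -replace (regex, case-insensitive) for consistency, and are anchored so
# only the directive line itself is rewritten, never a line that merely contains the text.
$hardened = Get-Content $sshdConfig | ForEach-Object {
    $_ -replace '^#PasswordAuthentication yes', 'PasswordAuthentication no' `
       -replace '^#GSSAPIAuthentication no', 'GSSAPIAuthentication yes'
}
Set-Content -Path $sshdConfig -Value $hardened
# Changes take effect only after the service reloads its config.
Restart-Service sshd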
Edit/create %APPDATA%\.gnupg\gpg-agent.conf
# gpg-agent.conf: have gpg-agent act as the SSH agent for OpenSSH, PuTTY/Pageant and the Windows
# OpenSSH named pipe — which is why the built-in ssh-agent service is disabled above.
enable-ssh-support
enable-putty-support
enable-win32-openssh-support
# Passphrase cache lifetimes in seconds (idle / absolute maximum).
# NOTE(review): a card PIN is held by scdaemon rather than this cache, so these presumably only
# matter for on-disk keys — confirm.
default-cache-ttl 600
max-cache-ttl 7200
# Restricted "extra" socket; this is the one forwarded to a remote host with ssh -R further down.
# The leading ~/ is required so it is expanded to the home directory; the remaining path
# separators must be backslashes.
extra-socket ~/.gnupg\S.gpg-agent.extra
# Yubico tooling: the PIV tool, the ykman CLI (used for the PIN and key changes at the end), and
# the smart-card minidriver — presumably for Windows to see the PIV applet as a smart card; it is
# not needed for the gpg/OpenPGP path, confirm.
winget install --id yubico.piv-tool
winget install --id yubico.yubikeymanagercli
winget install --id yubico.yubikeysmartcardminidriver
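# ~/.bashrc (Cygwin/MSYS-style bash): bridge the Pageant agent that gpg-agent exposes
# (enable-putty-support above) to an ssh-agent socket, and export SSH_AUTH_SOCK for this shell.
# The command substitution is quoted so ssh-pageant's multi-line output is evaluated as printed
# rather than word-split first (SC2046).
eval "$(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")"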
# Git config: use the Windows OpenSSH ssh.exe (the client that talks to the agent pipe gpg-agent
# serves via enable-win32-openssh-support) and sign every commit and tag with the card key.
# NOTE(review): git strips only double quotes, so the single quotes below remain part of each
# value; that is harmless for sshCommand (it is run through a shell) — confirm gpg.program still
# resolves with them.
[core]
sshCommand = 'C:\\Windows\\System32\\OpenSSH\\ssh.exe'
[user]
# Id of the signing key; keyid-format 0xlong in gpg.conf below prints the matching 0x... form.
signingKey = '<INSERT>'
[commit]
gpgSign = true
[tag]
gpgSign = true
[gpg]
# gpg.exe from the GnuPG/Gpg4win install; adjust the path if it was installed elsewhere.
program = 'C:\\Program Files (x86)\\GnuPG\\gpg.exe'
# Restart gpg-agent so the gpg-agent.conf changes above are picked up; the second call with only
# /bye starts a fresh agent and disconnects.
gpg-connect-agent.exe killagent /bye
gpg-connect-agent.exe /bye
# Sanity checks: the card-backed secret key should be listed by gpg, and the agent should now
# answer as an SSH agent with the same key (its comment carries the cardno:<serial> tag).
gpg -K
ssh-add -L
# Gather the agent's public key(s) — the card-backed key(s) that ssh-add -L listed above.
# NOTE(review): the "||" join folds several keys onto ONE line, which is not valid authorized_keys
# syntax (and "||" is an operator if the remote default shell is cmd.exe) — this only works while
# ssh-add -L reports a single key.
$authorizedKeys = (ssh-add -L) -join "||"
# Build the PowerShell to run on the server: create ~\.ssh and append the key to authorized_keys.
# NOTE(review): $env:USERPROFILE sits inside a double-quoted string, so it is expanded on THIS
# client, not on the server; that is only right when the remote profile path is identical.
# NOTE(review): on Win32-OpenSSH the stock sshd_config carries a "Match Group administrators"
# block that points admin accounts at %ProgramData%\ssh\administrators_authorized_keys instead —
# confirm which file applies to the target account.
$remotePowershell = "powershell New-Item -Force -ItemType Directory -Path $env:USERPROFILE\.ssh; Add-Content -Force -Path $env:USERPROFILE\.ssh\authorized_keys -Value '$authorizedKeys'"
# Connect to the server and run it. This login still needs a working credential (e.g. password
# authentication) because the key is not installed yet.
ssh username@domain1@contoso.com $remotePowershell
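# authorized_keys format: print one "<ssh pubkey> cardno:<serial> 0x<keyid> <uid>" line per
# OpenPGP-card-backed secret key, mirroring the comment layout ssh-add -L produces above.
# Colon-separated gpg output: field 1 = record type, field 5 = key id, field 10 = user id,
# field 15 (sec/ssb records) = token serial number.
$keyid = ""
$cardno = ""
(gpg --with-colons -K) | ForEach-Object {
    $parts = $_ -split ":"
    # -eq rather than -contains: $parts[0] is a single string, not a collection.
    if (($parts[0] -eq "uid") -and $keyid) {
        # First uid record after a matching sec record: export the SSH key, then clear $keyid so
        # any further uids of the same key are skipped.
        (gpg --export-ssh-key $keyid) + " cardno:" + $cardno + " 0x" + $keyid + " " + $parts[9]
        $keyid = ""
    } elseif (($parts[0] -eq "sec") -and ($parts[14] -like "D276000124010000000*")) {
        # D2760001240100... is the OpenPGP card application id; the 8 hex digits at offset 20
        # appear to be the card serial that ssh-add -L shows after "cardno:" — confirm on your
        # firmware/GnuPG version. The length guard avoids an exception on a short field.
        $keyid = $parts[4]
        if ($parts[14].Length -ge 28) {
            $cardno = $parts[14].Substring(20, 8)
        } else {
            $cardno = $parts[14]
        }
    }
}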
# Forward the local restricted gpg-agent socket (the extra-socket from gpg-agent.conf) to the
# remote host so gpg there can use the card plugged into this machine. Left side: the path the
# remote user's own gpg-agent socket would have (here /home/sean); right side: the local extra
# socket (the ~ is presumably expanded on the client side — confirm). Only the restricted socket
# is exposed remotely, never the full S.gpg-agent one. If a stale socket file already exists on
# the remote side the bind fails; "StreamLocalBindUnlink yes" in the remote sshd_config fixes that.
ssh -R'/home/sean/.gnupg/S.gpg-agent':'~/.gnupg/S.gpg-agent.extra' sean@10.169.0.27
gpg.conf
no-greeting
# Use SHA-512 for key-signature (certification) digests instead of the default.
cert-digest-algo SHA512
compress-level 9
# Only accept signatures from subkeys that carry a back-signature to their primary key.
require-cross-certification
# Print 16-hex-digit key ids with a 0x prefix — the form that fits signingKey in the git config.
keyid-format 0xlong
with-fingerprint
with-keygrip
# NOTE(review): list-options is given twice; confirm the two lines accumulate rather than the
# second replacing the first, or merge them into a single line.
list-options show-policy-url show-user-notations show-sig-expire
list-options show-uid-validity
.pub files for reference in ~/.ssh/config
While `gpg --export-ssh-key <$keyid>` LOOKS valid for use as a pubkey in ~/.ssh/, the version I'm using appends openpgp:<keyid> as the comment. For IdentityFile to be able to find the YubiKey, it needs to use the cardno:<$serial> format as provided by `ssh-add -L`:
This script will create a file labeled id_<keytype>_<cardno>_<cardserial>.pub in ~/.ssh/.
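# Write one id_<keytype>_cardno_<serial>.pub file per card-backed key the agent lists, holding the
# exact "<type> <key> cardno:<serial>" line ssh-add -L prints, so IdentityFile can name the card.
# Reads key lines on stdin (a while/read loop instead of the IFS-hacked for-over-backticks, so
# no word-splitting or globbing of the key material); $1 is the destination directory,
# default ~/.ssh, created 0700 if missing.
write_card_pubkeys() {
  local dest=${1:-"$HOME/.ssh"}
  local line name
  mkdir -p -m 700 -- "$dest" || return
  # IFS= keeps surrounding whitespace, -r keeps backslashes.
  while IFS= read -r line; do
    # Fields 1 and 3 are "<type>" and "cardno:<serial>"; ':' and ' ' collapse to '_'.
    name=$(printf '%s\n' "$line" | cut -d' ' -f1,3 | tr -s ': ' '_')
    printf '%s\n' "$line" > "$dest/id_${name}.pub"
  done
}
ssh-add -L | grep cardno | write_card_pubkeys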
# YubiKey applet PINs and keys. The -P/-p/-a/-m values below are the factory defaults and must be
# changed. ykman prompts for any PIN/key option that is omitted, which keeps the secrets out of
# shell history and the process list — prefer that to passing them on the command line.
# FIDO2 PIN
Minimum 8 characters
ykman fido access change-pin --new-pin <PIN>
# OpenPGP applet: user PIN, admin PIN, then require a touch for every key use.
Minimum 8 characters
User PIN:
ykman openpgp access change-pin -P 123456 -n <new-PIN>
Admin PIN:
ykman openpgp access change-admin-pin -a 12345678 -n <new-admin-PIN>
Lockdown:
# Inside the interactive card editor: uif = user interaction flag, i.e. a physical touch is
# required for signature (1), decryption (2) and authentication (3); presumably asks for the
# admin PIN — confirm.
gpg --card-edit
uif 1 on
uif 2 on
uif 3 on
# PIV applet: PIN, PUK (unblocks the PIN) and the management key (authorises key/cert changes);
# -a AES192 sets the algorithm of the new management key, presumably replacing the default
# triple-DES one — confirm.
User PIN:
ykman piv access change-pin -P 123456 -n <new-PIN>
User PUK:
ykman piv access change-puk -p 12345678 -n <new-PUK>
Management Key:
ykman piv access change-management-key -m 010203040506070801020304050607080102030405060708 -n <new-MGMT> -a AES192
# YubiHSM-auth applet management key and OATH applet access password.
ykman hsmauth access change-management-key -m <MGMT-KEY> -n <new-MGMT-KEY>
ykman oath access change -n <Authentication-Key>