Yubikey

Allex edited this page Dec 10, 2024 · 1 revision

Create new SSH key

Generates an SSH key using FIDO2 and stores it as a resident key on the yubikey, so it can be extracted on new machines later.

sudo ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:<App name> -C "Some Comment"

Transfer ssh key to new pc

With the yubikey plugged in, run ssh-keygen -K. This copies the resident keys from FIDO authenticators (the yubikey) into the current directory.

GitHub

To use it for GitHub, add the following to .ssh/config:

Host github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_sk_rk_GitHub

This prevents having to add the key to ssh-agent (or have ssh-agent running at all).

To test, run ssh -T git@github.com.

gnome-keyring

If the agent refuses the operation, it can be that gnome-keyring is running with the ssh component enabled [1]. To test, bypass the agent with SSH_AUTH_SOCK=0 ssh -T git@github.com. To solve this, either:

  • Delete the .pub part of the key
  • Prevent gnome-keyring from running with ssh by adding a "Hidden=true" autostart to override the default [2].

[1] https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/101
[2] https://discussion.fedoraproject.org/t/using-yubikey-for-ssh-always-asking-for-password-gnome/75038/4
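The following shell helpers are an added example, not part of the original page: they check that a public key is the FIDO2 security-key type written by ssh-keygen -t ed25519-sk, detect whether the agent socket in SSH_AUTH_SOCK belongs to gnome-keyring, and write the Hidden=true autostart override from [2]. The override file name gnome-keyring-ssh.desktop (matching the system entry under /etc/xdg/autostart) and the keyring/ socket path are assumptions about typical distributions.

```shell
#!/bin/sh
# Added example for the yubikey SSH setup above; not from the original page.

# Return 0 if the public-key file holds a FIDO2 security-key ed25519 key
# (the type that ssh-keygen -t ed25519-sk produces), else 1.
is_sk_pubkey() {
    pub="$1"
    [ -r "$pub" ] || return 1
    # Field 1 of an OpenSSH public key line is the key type.
    key_type=$(awk 'NR==1 {print $1}' "$pub")
    [ "$key_type" = "sk-ssh-ed25519@openssh.com" ]
}

# Return 0 if the agent socket looks like gnome-keyring's. Assumption: gnome-keyring
# exposes its ssh agent under a "keyring" directory, e.g. $XDG_RUNTIME_DIR/keyring/ssh.
# Pass the socket path explicitly or let it default to $SSH_AUTH_SOCK.
agent_is_gnome_keyring() {
    sock="${1:-$SSH_AUTH_SOCK}"
    case "$sock" in
        */keyring/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a user autostart override that stops gnome-keyring's ssh component.
# $1 is the autostart directory (normally ~/.config/autostart). Assumption: the
# file name matches the system entry gnome-keyring installs, so Hidden=true
# makes the desktop treat that entry as deleted.
write_keyring_ssh_override() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/gnome-keyring-ssh.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=SSH Key Agent
Hidden=true
EOF
}

# Usage: sh thisfile.sh ~/.ssh/id_ed25519_sk_rk_GitHub.pub
if [ $# -gt 0 ]; then
    is_sk_pubkey "$1" && echo "key is a FIDO2 security key" || echo "not an sk key"
    agent_is_gnome_keyring && echo "agent is gnome-keyring; see workaround above"
fi
```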

Signing

Sign commits using the same SSH key (see https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work):

git config --global gpg.format ssh
git config --global user.signingKey ~/.ssh/id_ed25519_sk_rk_GitHub
git config --global commit.gpgsign true