SSH Security Keys (Yubikey) with GPG-Agent

I recently migrated from Arch Linux to NixOS, but since my migration I have a problem: I can’t use my Yubikey with ssh. I get an error when I do ssh-add <path of ssh key of type sk>:

Could not add identity “toto”: agent refused operation

Whereas I can use it when I do ssh-keygen to create a key of type sk.

Here’s my configuration.nix:

...
  services.udev.packages = [ pkgs.yubikey-personalization ];
  services.pcscd.enable = true;
  hardware.gpgSmartcards.enable = true;

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
...

Here’s my home.nix:

...
  programs.ssh = {
    enable = true;
    extraConfig = ''
      IdentitiesOnly yes
      IdentityAgent none
    '';
  };

  services.gpg-agent = {
    enable = true;
    enableSshSupport = true;
    enableExtraSocket = true;
    enableScDaemon = true;
    defaultCacheTtl = 60 * 60 * 6;
    defaultCacheTtlSsh = 60 * 60 * 6;
  };

I spent a couple of weeks a long while ago trying to get gpg-agent, pinentry, and ssh working together; I didn’t have any luck :/

You can check if the gpg agent is correctly set for ssh:

❯ echo $SSH_AUTH_SOCK
/run/user/1000/gnupg/S.gpg-agent.ssh

This is what I have in my configuration.nix:

programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
};

environment.shellInit = ''
  export GPG_TTY="$(tty)"
  gpg-connect-agent /bye
  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';

I remember my teammates had an issue using Gnome; I can check with them if it’s still the case, just tell me.

Edit: if not already done you should also give ultimate trust to your key:

# import your GPG public key
gpg --import mykey.gpg

# if needed, find your key id
gpg -k --keyid-format long

# ultimate trust the key
gpg --edit-key 0xFFFFFFFFFFFFFFFF
> trust
> 5
> y
> save

# hopefully your key is there
ssh-add -L

I’ve tested your configuration, but it still doesn’t work; I get the same error:

❯ echo $SSH_AUTH_SOCK
/run/user/1000/gnupg/S.gpg-agent.ssh
❯ ssh-add -L
ssh-rsa AA ... == cardno:20_694_419
❯ ssh-add toto
Enter passphrase for toto: 
Could not add identity "toto": agent refused operation

From what I understand, ssh-add serves to add an ssh private key, but currently the private key is on the Yubikey and should not be on your host. If ssh-add -L lists your key, you should be able to ssh into hosts using it. Did I miss something?

When I do ssh-add -L, it lists my Yubikey key and not my ssh key (ed25519-sk) which uses this Yubikey key. So no, I can’t connect to the host.

Maybe we have different setups; I use the Yubikey’s GPG auth subkey for SSH.

I don’t remember well; I did it a while ago following the Dr Duh guide.
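The check the last exchange does by hand, written up as a small POSIX shell diagnostic. This is an added example, not code from any poster: it classifies SSH_AUTH_SOCK by its path, detects whether a public key file is a FIDO security-key (sk-*) type, and checks whether ssh-add -L output already carries that key. The two public-key lines are constructed placeholders, not real keys; the socket path is the one shown in the thread.

```shell
#!/usr/bin/env sh
# Constructed stand-ins for `ssh-add -L` output and for ~/.ssh/toto.pub.
# Neither is a real key; the blobs are placeholders.
SAMPLE_AGENT_LIST='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== cardno:20_694_419'
SAMPLE_SK_PUB='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t user@host'

# key_type: first field of an OpenSSH public-key line (e.g. ssh-rsa).
key_type() { printf '%s\n' "$1" | awk '{print $1}'; }

# is_sk_key: succeeds when the key type is a FIDO/security-key variant
# (sk-ssh-ed25519@openssh.com or sk-ecdsa-sha2-nistp256@openssh.com).
is_sk_key() {
  case "$(key_type "$1")" in
    sk-*@openssh.com) return 0 ;;
    *) return 1 ;;
  esac
}

# agent_kind: classify the agent behind SSH_AUTH_SOCK by socket path.
agent_kind() {
  case "$1" in
    "") echo none ;;
    */gnupg/S.gpg-agent.ssh) echo gpg-agent ;;
    *) echo other ;;
  esac
}

# agent_lists_key: succeeds when the agent listing ($1) contains the
# public-key blob (second field) of the key line given as $2.
agent_lists_key() {
  blob=$(printf '%s\n' "$2" | awk '{print $2}')
  printf '%s\n' "$1" | awk -v b="$blob" '$2 == b {found=1} END {exit found ? 0 : 1}'
}

# diagnose: fails (exit 1) on the combination seen in the thread, an sk-*
# key offered to gpg-agent's ssh socket; succeeds otherwise.
diagnose() {
  sock="$1"; pub="$2"
  kind=$(agent_kind "$sock")
  if [ "$kind" = gpg-agent ] && is_sk_key "$pub"; then
    echo "mismatch: $(key_type "$pub") key offered to gpg-agent ssh socket ($sock)"
    return 1
  fi
  echo "ok: $(key_type "$pub") key via $kind agent"
}

# Stand-alone demonstration on the constructed samples (|| : keeps set -e quiet).
diagnose "/run/user/1000/gnupg/S.gpg-agent.ssh" "$SAMPLE_SK_PUB" || :
agent_lists_key "$SAMPLE_AGENT_LIST" "$SAMPLE_SK_PUB" || echo "sk key not in agent listing"
```

To run it against a live session, pass "$SSH_AUTH_SOCK" and the contents of the .pub file to diagnose, and the output of ssh-add -L to agent_lists_key.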