I am using my RSA key to access some servers via SSH and would like to move it to my new YubiKey and keep using it. I had successfully imported the key into gpg following the advice in THIS post, but when I try to copy it to the YubiKey I get:
KEYTOCARD failed: Invalid value
An authentication key created inside the gpg CLI can be copied without problems. YubiKey support stopped when the new key worked.
PINs and passphrase are correct.
Below are the steps I followed.
Step 1: converted and imported the key under a temporary user ID
# pem2openpgp tempuser < .ssh/id_rsa | gpg2 --import
Enter PEM pass phrase:
gpg: key XXXFA4DCXXXX5B7D: public key "tempuser" imported
gpg: key XXXFA4DCXXXX5B7D: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
# gpg -K
/root/.gnupg/pubring.kbx
------------------------
sec rsa4096 2018-09-13 [C]
XXXED629A83E18F440BC5E41B38FA4DCXXXX5B7D
uid [ unknown] tempuser
Step 2: obtained the keygrip
# gpg -K --with-keygrip
/root/.gnupg/pubring.kbx
------------------------
sec rsa4096 2018-09-13 [C]
XXXED629A83E18F440BC5E41B38FA4DCXXXX5B7D
Keygrip = XXX7BE371DA914F0C5EA1B7CE771BED9XXXX6765
uid [ unknown] tempuser
Step 3: created a new primary key with the real user ID (RSA and RSA, 4096, all default steps, no pasting)
Step 4: copied the imported key into the real user ID:
# gpg --expert --edit-key XXXECE1D
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/XXX69270XXXECE1D
created: 2018-09-13 expires: 2019-09-13 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/XXXF43BDXXXDDF09
created: 2018-09-13 expires: 2019-09-13 usage: E
[ultimate] (1). Name Surname <[email protected]>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
...
(13) Existing key
Your selection? 13
Enter the keygrip: XXX7BE371DA914F0C5EA1B7CE771BED9XXXX6765
Step 5: toggled off the Sign and Encrypt capabilities and set the Authenticate capability
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
...
Your selection? e
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
...
Your selection? a
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
...
Your selection? q
Step 6: copied the primary key to the YubiKey
gpg> toggle
sec rsa4096/75E6927XXXXECE1D
created: 2018-09-13 expires: 2019-09-13 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/739F43BDXXXXDF09
created: 2018-09-13 expires: 2019-09-13 usage: E
ssb rsa4096/4B55419XXXXA0477
created: 2018-09-13 expires: 2019-09-13 usage: A
ssb rsa4096/CFDC507XXXX1F4CE
created: 2018-09-13 expires: 2019-09-13 usage: S
[ultimate] (1). Name Surname <[email protected]>
gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
Step 7: moved the imported SSH key to the YubiKey - here is where I get the problem
gpg> key 2
sec rsa4096/75E6927XXXXECE1D
created: 2018-09-13 expires: 2019-09-13 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/739F43BXXXXDDF09
created: 2018-09-13 expires: 2019-09-13 usage: E
ssb* rsa4096/4B55419XXXXA0477
created: 2018-09-13 expires: never usage: A
ssb rsa4096/CFDC507XXXX1F4CE
created: 2018-09-13 expires: 2019-09-13 usage: S
[ultimate] (1). Name Surname <[email protected]>
gpg> keytocard
Please select where to store the key:
(3) Authentication key
Your selection? 3
gpg: KEYTOCARD failed: Invalid value
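As an added example (not code from the question or from GnuPG): a small Python parser for the `gpg -K --with-keygrip` listing shown in steps 1 and 2, which pulls out the keygrip that step 4 asks for, plus a check of which keytocard slots a key's usage flags allow, following the pattern the transcript shows (the SC primary is offered slots 1 and 3, the A-only subkey only slot 3). The sample listing and every key value in it are constructed, and the slot rule is an assumption drawn from that transcript.

```python
import re

# Constructed sample, modelled on the `gpg -K --with-keygrip` listing in the
# question; keygrips, fingerprints and the address are made-up placeholder values.
SAMPLE_LISTING = """\
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096 2018-09-13 [C]
      0123456789ABCDEF0123456789ABCDEF01234567
      Keygrip = FEDCBA9876543210FEDCBA9876543210FEDCBA98
uid           [ unknown] tempuser
sec   rsa4096 2018-09-13 [SC] [expires: 2019-09-13]
      89ABCDEF0123456789ABCDEF0123456789ABCDEF
      Keygrip = 1111111111222222222233333333334444444444
uid           [ultimate] Name Surname <name@example.com>
ssb   rsa4096 2018-09-13 [E] [expires: 2019-09-13]
      Keygrip = 5555555555666666666677777777778888888888
"""

KEY_LINE = re.compile(r"^(sec|ssb)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]")
GRIP = re.compile(r"^\s*Keygrip\s*=\s*([0-9A-F]{40})\s*$")
UID = re.compile(r"^uid\s+\[[^\]]*\]\s+(.*\S)\s*$")

def parse_keygrip_listing(text):
    """One dict per sec/ssb entry: kind, algo, created, usage flags, keygrip, uid."""
    records = []
    for line in text.splitlines():
        if m := KEY_LINE.match(line):
            # a subkey (ssb) inherits the uid of the primary (sec) listed before it
            uid = records[-1]["uid"] if m[1] == "ssb" and records else None
            records.append({"kind": m[1], "algo": m[2], "created": m[3],
                            "usage": set(m[4]), "keygrip": None, "uid": uid})
        elif records and (m := GRIP.match(line)):
            records[-1]["keygrip"] = m[1]
        elif records and (m := UID.match(line)):
            records[-1]["uid"] = m[1]     # the uid line follows its primary key
    return records

def keygrip_for_uid(records, uid):
    """Keygrip to enter at gpg's 'Enter the keygrip:' prompt for the key owned by uid."""
    grips = [r["keygrip"] for r in records if r["kind"] == "sec" and r["uid"] == uid]
    if len(grips) != 1:
        raise LookupError(f"expected one primary key for {uid!r}, found {len(grips)}")
    return grips[0]

def card_slots_for(record):
    """Card slots that keytocard offers for a key, derived from its usage flags.
    Assumption: slot 1 needs S, slot 2 needs E, slot 3 needs S or A (as in the transcript)."""
    return [n for n, need in ((1, {"S"}), (2, {"E"}), (3, {"S", "A"}))
            if record["usage"] & need]
```

A key listed with only the C flag, like the freshly imported tempuser key, yields no slot at all, which is why the addkey "Existing key" step with the Authenticate capability is needed before keytocard can target slot 3.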