DEV Community: Jaroslav Živný

The ultimate guide to Yubikey on WSL2 [Part 4]

Jaroslav Živný — Mon, 08 Mar 2021 15:23:19 +0000

If you haven’t setup GPG on Yubikey or you cannot access YubiKey from within WSL. Please check previous parts (1, 2) of this series.

Disclaimer I: This tutorial is written for WSL2 with Ubuntu. It may differ distro from distro.

Managing secrets in WSL with Yubikey

Everybody knows the pain with managing secrets. Let’s imagine, you want to access DB or curl an endpoint with base auth.

Most of the people are copying the secrets from their own Secrets Managers (the real ones or plain text files) and placing them to the terminal or exporting them as an environment variable. Simply something like this:

$ curl -u myusername http://example.com
password: <placing-password-here>
$ mysql –umyusername –p
password: <placing-password-here>

There is actually a better way to approach this. Unix systems provides pass as a standard secrets manager and WSL is no exception.

Pass stores your secrets in files which are encrypted by your GPG key.

In case pass is not installed on your WSL distro, run: sudo apt install pass

Since we have already set up our GPG key with Yubikey. We can use it to encrypt and decrypt our secrets in pass.

Initializing pass store

For this we will need ID of our GPG key. You can get it via gpg --list-keys

Copy this key over and init the pass storage via

$ pass init YOUR_KEY_ID # In my case 1E9...

Adding secrets to pass

Let’s take a look at example using mysql password. Let’s create a secret named mysql-pass

$ pass add mysql-pass

Now paste the password two times and that’s it.

Getting the secret value

Perfect, you created your first secret. Now let’s take a look how to reveal the value and how to use it in commands.

Assuming you have connected your Yubikey, you can get the value via

$ pass mysql-pass

It’ll promt you to enter your PIN.

After unlocking your card, pass will print you the secret.

When you want to use the secret directly in the commands you can simply use subcommands. Let’s take a look at our mysql example

$ mysql –umyusername –p$(pass mysql-pass)

Other useful commands

Here I’m listing just a bunch of other commands which I found useful.

$ pass
# Will show list of all secret names
$ pass rm <secret-name>
# Will delete your secret
$ pass generate <secret-name>
# Will generate a random secret for you and store it

What can be usefull for teams is an ability to share the encrypted pass files over GIT using pass git ...

More info can be found here.

The ultimate guide to Yubikey on WSL2 [Part 3]

Jaroslav Živný — Tue, 16 Feb 2021 10:11:03 +0000

If you haven’t setup GPG on Yubikey or you cannot access YubiKey from within WSL. Please check previous parts (1, 2) of this series.

Disclaimer I: This tutorial is written for WSL2 with Ubuntu. It may differ distro from distro.

Disclaimer II: I’m going to use Github in this tutorial, but process of setup for other major GIT servers (GitLab, Bitbucket, …) are pretty much the same.

Let’s continue where we left off in part 2.

Authenticate against Git server via GPG

In order to authenticate against GIT server we need a public ssh key. We connected WSL’s ssh agent in the 2nd part of this tutorial to GPG key over socket. So now we can use the public key from there.

Get SSH public key:

# WSL2
$ ssh-add -L

Take the output and paste it to GitHub settings -> SSH and GPG Keys -> New SSH Key.

When you now try to pull or push from remote GIT repository, there will show up a modal requesting your GPG PIN on your screen.

Signing git commits with GPG

1 - Configure Git by

# WSL2
git config --global user.signingkey YOUR_KEY_ID # In my case 1E9...
git config --global gpg.program gpg
git config --global commit.gpgsign true

2 - Export Public Key

# WSL2
gpg --armor --export YOUR_KEY_ID # In my case 1E9...

3 - Put this public GPG key to GitHub Setting -> SSH and GPG keys -> New GPG Key. In case you’re using GitLab, Bitbucket or other Git servers, there is a similar way to configure GPG Key.

Now when you create a new commit, there will show up a dialog requesting your PIN on your screen.

In case you’re using verified Email address (in Github) for the GPG key and you configured the same address in Git git config --global user.email. You should be able to see Verified badge next to your commit.

The ultimate guide to Yubikey on WSL2 [Part 2]

Jaroslav Živný — Tue, 16 Feb 2021 10:10:35 +0000

In the Previous part we configured OpenGPG with Yubikey. In case you have it done, we can continue on how to access your YubiKey in WSL2.

Disclaimer: This tutorial is written for WSL2 with Ubuntu. It may differ distro from distro.

Access your YubiKey in WSL2

Prerequisites

Install socat and wsl2-ssh-pageant in WSL:

# WSL2
$ sudo apt install socat scdaemon
$ mkdir ~/.ssh
$ wget https://github.com/BlackReloaded/wsl2-ssh-pageant/releases/download/v1.4.0/wsl2-ssh-pageant.exe -O ~/.ssh/wsl2-ssh-pageant.exe
$ chmod +x ~/.ssh/wsl2-ssh-pageant.exe

Sync sockets

This part is inspired by this tutorial.

Edit your ~/.bashrc or ~/.zshrc - depends on your shell (e.g. via nano or vim) and add following content:

config_path="C\:/Users/<YOUR_USER>/AppData/Local/gnupg"
wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
# SSH Socket
# Removing Linux SSH socket and replacing it by link to wsl2-ssh-pageant socket
export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
  rm -f "$SSH_AUTH_SOCK"
  if test -x "$wsl2_ssh_pageant_bin"; then
    (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin" >/dev/null 2>&1 &)
  else
    echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
  fi
fi
# GPG Socket
# Removing Linux GPG Agent socket and replacing it by link to wsl2-ssh-pageant GPG socket
export GPG_AGENT_SOCK="$HOME/.gnupg/S.gpg-agent"
if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
  rm -rf "$GPG_AGENT_SOCK"
  if test -x "$wsl2_ssh_pageant_bin"; then
    (setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin --gpgConfigBasepath ${config_path} --gpg S.gpg-agent" >/dev/null 2>&1 &)
  else
    echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
  fi
fi

Restart WSL by running

# CMD
wsl.exe --shutdown

When you open Ubuntu Terminal now and run gpg --card-status you should be able to see something like this:

Import GPG key to WSL2

If you check GPG keys availible in WSL2 via gpg --list-keys or gpg --list-secret-keys you get empty results. We have to first import them. It’s quite easy just run:

# WSL2
$ gpg --card-edit

This will open gpg command interface. Just type in fetch. It’ll get you public keys from keys.openpgp.org (we uploaded them there in the previous part

In case you haven’t uploaded the public keys to keys.openpgp.org (as shown in the part 1 of this tutorial). You can import it via asc file (exported in part 1) via:

gpg --import PATH_TO_ASC_FILE

Exit the gpg command interface via quit

If you now run gpg --list-keys you finally get your keys.

Great success!

Now we are missing one small step. As you can see. The trustworthiness of our certificate is unknown (information next to the name). We can change it via running:

# WSL2
$ gpg --edit-key YOUR_KEY_ID # In my case 1E9...

This opens gpg console insterface. Write:

# WSL2
trust # Change trust level
5     # Set trust level to ultimate
save  # Save the changes

If you list keys via gpg --list-keys now. You should be able to see [ultimate] next to your name.

Additional Tips

Yubikey stopped working on WSL

Unplug Yubikey
Shutdown wsl wsl --shutdown
Shutdown Kleopatra in Task manager
Shutdown wsl2-ssh-pageant in Task manager
Start Kleopatra
Start wsl - open a new window
Plug in the Yubikey

Getting "error: Couldn't load public key XXX No such file or directory?"

Unset gpg.format via

git config - global - unset gpg.format

We’ll continue in the part 3.

The ultimate guide to Yubikey on WSL2 [Part 1]

Jaroslav Živný — Tue, 16 Feb 2021 10:08:51 +0000

There are already a few tutorials on the Internet with topic "how to make Yubikey work on WSL". But when I followed them I had to do a lot of troubleshooting anyway. Therefore I decided to write down a complete guide to the setup (up to date in 2021).

We are going to go through a couple of use cases:

Setup OpenGPG with Yubikey
Access your YubiKey in WSL2
Authenticate against Git server via GPG & Signing git commits with GPG

Other parts will be added in the future

Setup of Yubikey and connect it with WSL2

In this part we are going to take a look on how to get Yubikey connected to WSL2. Because WSL does not have access to USB devices, we have to make it connect to our Windows host and then forward the connection to WSL.

First, we are going to need a YubiKey that supports OpenPGP (Security Key Series or YubiKey FIPS Series are not sufficient)

Prerequisites

To make our Smart key work with windows we are going to need GnuPG and Putty. You can either download it here:
GnuPG install it with Kleopatra
Putty

or get it via chocolate:

# CMD
choco install gnupg putty.install

Configure GnuPG

# CMD
mkdir %HOMEPATH%\AppData\Roaming\gnupg
echo enable-putty-support◙enable-ssh-support > %HOMEPATH%\AppData\Roaming\gnupg\gpg-agent.conf

You can connect your Yubikey now. Open Kleopatra (you have to open it from system tray) and go to Smartcards.

If you don't see your Yubikey go to Settings -> Configure Kleopatra -> GnuPG System -> Smartcards and set Connect to reader at port N to Yubico YubiKey OTP+FIDO+CCID 0. Save it, reconnect Yubikey and restart Kleopatra. Now you should be able to see it.
You can also verify it in CMD via: gpg --card-status

Setting up a new YubiKey

In case you already have an OpenPGP key on your YubiKey, please skip this part and go directly to part 2.

I personaly found generating the keys in Kleipatra GUI the most straightforward. Although it doesn't give you that many configuration possibilities.

If you're setting up Your Yubikey for the first time, don't forgot to change your PIN and Admin PIN. Both operations can be done in Kleopatra -> Smartcards -> Change PIN and Change Admin PIN. Default PINs can be found here.

1 - Generate GPG keys

In Kleopatra -> Smartcards click at Generate New Keys. A dialog will pop up. Enter your name, email and as algorithm choose the highest available.

Now enter your PIN, then your Admin PIN (pay attention to what the modal window wants) - it's going to need your PIN several times. In case you encounter with an issue, you can always reset your YubiKey. At the end enter password for the GPG key.

In case you're more comfortable with terminal interface, please use this official tutorial. Just make sure, you are generating keys and/or subkeys for Signing, Encryption and Authorization.

Now you should be able to see your keys.

2 - Export your public key

In Kleopatra go to Cartificates -> Right click at your newly created certificate and choose Export. This will save your public key to an asc file

3 - Publish your public key

This step is not necessary, but I found it helpful when using GPG key in real life.

Go to keys.openpgp.org, choose your public key and click Upload.

Click Send Verification Email, check your e-mail Inbox (or Spam) folder and click the verification link.

To get link to your published Public key go to keys.openpgp.org, search for your email and copy the URL it shows.

YubiKey has a nice handy space for storing this URL. Go to Kleopatra -> Smartkeys -> Publickey URL and edit it.

In case you don't see your keys or card in WSL after restart of your PC. Please start Kleopatra first and then restart wsl via wsl - shutdown

Additional Tips

Autostart Kleopatra on Windows Logon

The easiest way to achieve it is via "Task Schduler"

Action -> Create a Basic Task
Trigger: "When I log on"
Action: Start a program
Program/Script: Path to kleopatra.exe (should be "C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe")

Import Yubikey to a new machine

When you insert your Yubikey it should be visible in "Smartcards" section. If you don't see it follow Configure GnuPG section.

Click the Publickey URL - this will download your public key
Click Import in kleopatra menu and point to the downloaded file

After that you should be able to continue to part 2 of this tutorial

We'll continue in the part 2.