This tutorial will guide you to confgure YubiKey so it can be used with SSH under WSL. We will use YubiKey as a PIV Compatible Smart Card. Note that YubiKey also has other modes that can be used for secure SHH access like GPG that are not covered in this tutorial.
- Fresh YubiKey 5
- Yubico software from https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/
- YubiKey Manager (graphic interface) - it also installs
ykman.exe - YubiKey Smart Card Minidriver (Windows) - it is required to get ECDSA instead of default RSA
- YubiKey Manager (graphic interface) - it also installs
- WinCrypt SSH Agent from https://github.com/buptczq/WinCryptSSHAgent
- Console (ie.
cmd.exeor Windows Terminal)
You can check with Device Manager (devmgmt.msc) that the system recognized your key. It will be listed under Smart Cards as YubiKey Smart Card Minidriver.
Execute following commands, provide new PIN and PUK when prompted:
"C:\Program Files\Yubico\YubiKey Manager\ykman.exe" piv access set-retries 5 10"C:\Program Files\Yubico\YubiKey Manager\ykman.exe" piv access change-pin --pin 123456"C:\Program Files\Yubico\YubiKey Manager\ykman.exe" piv access change-puk --puk 12345678"C:\Program Files\Yubico\YubiKey Manager\ykman.exe" piv access change-management-key --generate --protect --touch
This will give you a YubiKey with PIN and PUK that is only known to you and requires touch to change keys on it.
-
"C:\Program Files\Yubico\YubiKey Manager\ykman.exe" piv keys generate --algorithm ECCP384 --format PEM --pin-policy ONCE --touch-policy ALWAYS 9a "%UserProfile%\Desktop\%username%_public_key.pem"Command generates private key inside of YubiKey. It is not possible to extract it so it is very secure. Also it requires a touch every time it is used for authentication.
-
"C:\Program Files\Yubico\YubiKey Manager\ykman.exe" piv certificates generate --valid-days 365 --subject "SSH Key" 9a "%UserProfile%\Desktop\%username%_public_key.pem"Command generates a certificate from your public key. In brief: Windows needs it when speaking to your YubiKey.
- Unplug your YubiKey.
- Plug your YubiKey back.
- Run Certificate Manager Tool (
certmgr.msc) and in Certificates - Current User \ Personal \ Certificates your certificate named SSH key should be visible.
NOTE: Please make sure Allow ECC certificates to be used for logon and authentication in Group Policy Editor (gpedit.msc) > Computer Configuration > Administrative Templates > Windows Components > Smart Card is enabled.
NOTE#2: You should also install the YubiKey Smart Card Minidriver if you want to work with ECC algorithm certificates.
-
Ensure that
WinCryptSSHAgent.exeis running. -
Run your WSL console and execute the command
which socatto check ifsocatis present.Some WSL Linux distros don't include
socatby default, such as Ubuntu 20.04a) If
socatis not installed, install it before continuing. (Debian/Ubuntu example:sudo apt install -y socat) -
Right click on WinCrypt SSH Agent's icon in tray and select Show WSL settings (or Show WSL2 / Linux On Hyper-V Settings if using WSL2 and/or Hyper-V) then press OK.
Line like
export SSH_AUTH_SOCK=/mnt/c/Users/Jane/wincrypt-wsl.sockwill be copeid into your clipboard for WSL.For WSL2 / Hyper-V, lines like this will be copied into your clipboard:
export SSH_AUTH_SOCK=/tmp/wincrypt-hv.sock ss -lnx | grep -q $SSH_AUTH_SOCK if [ $? -ne 0 ]; then rm -f $SSH_AUTH_SOCK (setsid nohup socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork SOCKET-CONNECT:40:0:x0000x33332222x02000000x00000000 >/dev/null 2>&1) fi -
Run your WSL console and execute command from previous step.
-
sshinto your target machine, authenticate with credentials used until now. -
Right click on WinCrypt SSH Agent's icon in tray and select Show public keys settings then press OK.
All known keys in SSH format will be copied. You need to locate one named SSH key.
-
Copy line with SSH key into
~\.ssh\authorized_keyson target machine. -
Disconnect from target machine.
sshinto your machine.- Provide PIN when Windows asks.
- Touch YubiKey twice (it should be blinking).
- You should be allowed into your target machine. Enjoy! 🚀