Yubico Forum

Posted: Wed Aug 03, 2016 1:00 am

Joined: Fri Jul 29, 2016 8:30 pm
Posts: 7
We have three Yubikey 4s. I've spent the last two days trying to get them working. Are there any support options for it? I would really not want to invest any more of my time in this. I'm just trying to get it to work with Putty on Windows, something which must have been done a thousand times, and I'm extremely frustrated to spend any more of my time on it. Any guidance on this?

Thanks


Posted: Thu Aug 04, 2016 12:11 am

Joined: Fri Jul 29, 2016 8:30 pm
Posts: 7
Seriously, there is ZERO support? I've hired a consultant all day to try to get one user to connect. I've spent about $1,000 on making an SSH connection with this and we still have zero progress. Is there no one out there who knows how to get this working? Does Yubico just not provide support? What should I do with the Yubikeys I bought? Throw them away?


Posted: Thu Aug 04, 2016 10:32 am

Joined: Wed Jul 08, 2015 8:58 am
Posts: 6
Location: Denmark
It is hard to help you without more information about what you are trying to do and what you have already tried. About the support, have you tried creating a support ticket here?
https://www.yubico.com/support/raise-ticket/

There is also a lot of documentation about Yubikey+SSH+Windows here:
https://developers.yubico.com/PGP/SSH_a ... ndows.html

Again, it is hard to help you without any more details.

For my own servers I don't use the PGP part of the Yubikey but am using the yubikey pam module, so my login is username and password+yubikeyOTP:
https://developers.yubico.com/yubico-pam/


Posted: Fri Aug 05, 2016 1:16 am
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
He did create a support case, and that's my fault on the delay. I know we have a dev in Sweden that is currently using SSH with PuTTY on Windows but unfortunately he is on holiday until next week. I am awaiting a response but I'm sure it won't be before next week. I know a few of us have tried this recently (the instructions on the dev site) without success. I will post more when I learn more.


Posted: Fri Aug 05, 2016 9:05 am
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
SecureDude wrote:
Seriously, there is ZERO support? I've hired a consultant all day to try to get one user to connect. I've spent about $1,000 on making an SSH connection with this and we still have zero progress. Is there no one out there who knows how to get this working? Does Yubico just not provide support? What should I do with the Yubikeys I bought? Throw them away?



Yes, SSH (which is not a Yubico product, along with GPG and PUTTY) has the ability to use public keys from a generic smartcard and there is available documentation for that all over the internet which covers this topic far better than we could do. In fact, each of those software manufacturers explains clearly how to achieve this (e.g. https://www.gnupg.org/faq/whats-new-in-2.1.html#pageant)

No one said that it is easy to understand, else everyone would be an information security expert.
This particular use case is covered by Yubico's documentation here: https://developers.yubico.com/PGP/SSH_a ... ndows.html which you obviously didn't read nor Google for (it is the second result on Google.com).

Our support does excellent work going beyond what they should do; however, sometimes things can slip through the cracks or have delays such as in this case. If you could have just replied to the support ticket asking kindly for an update, it would have saved you from hiring a "consultant" for this 60-second configuration.


Posted: Fri Aug 05, 2016 10:03 pm

Joined: Fri Jul 29, 2016 8:30 pm
Posts: 7
ChrisHalos wrote:
He did create a support case, and that's my fault on the delay. I know we have a dev in Sweden that is currently using SSH with PuTTY on Windows but unfortunately he is on holiday until next week. I am awaiting a response but I'm sure it won't be before next week. I know a few of us have tried this recently (the instructions on the dev site) without success. I will post more when I learn more.


Thank you for the answer. I should have been more patient. But I do wish Yubikey would clearly update the website to let us know that it's not working or in development, as I had a few team members working an entire day this week to try to figure out how to make the instructions work. We will continue to use Yubikey for some basic usage but I hope we will soon be able to use it for SSH. Our plan is to use SSH for remote file access (SFTP), because ExpanDrive should work with gpg-agent, and that will give us a very solid security setup. For now, our one Linux user (me) can use SSH with Yubikey but I'm mainly worried about our Windows users.

Yubikey is a great idea but I hope there will be solid up-to-date instructions on using it for SSH. If I can wish, it would also be great to have an easy CA admin package of some kind, so we could use it to easily secure TLS services. I really do want the hardware security aspect but it has been a lot more effort than I had hoped for.


Posted: Fri Aug 05, 2016 10:06 pm

Joined: Fri Jul 29, 2016 8:30 pm
Posts: 7
Tom2 wrote:
SecureDude wrote:
Seriously, there is ZERO support? I've hired a consultant all day to try to get one user to connect. I've spent about $1,000 on making an SSH connection with this and we still have zero progress. Is there no one out there who knows how to get this working? Does Yubico just not provide support? What should I do with the Yubikeys I bought? Throw them away?



Yes, SSH (which is not a Yubico product, along with GPG and PUTTY) has the ability to use public keys from a generic smartcard and there is available documentation for that all over the internet which covers this topic far better than we could do. In fact, each of those software manufacturers explains clearly how to achieve this (e.g. https://www.gnupg.org/faq/whats-new-in-2.1.html#pageant)

No one said that it is easy to understand, else everyone would be an information security expert.
This particular use case is covered by Yubico's documentation here: https://developers.yubico.com/PGP/SSH_a ... ndows.html which you obviously didn't read nor Google for (it is the second result on Google.com).


Our whole team absolutely did read that document, many times. We have smart staff here who have a good understanding. I have personally implemented a PKCS11 driver for a smartcard, so I'm pretty well familiar with the concepts here. If our team here isn't advanced enough to use your product, then you really have a product that is not ready for users.

That approach worked perfectly fine on Linux (gpg-agent, with enable-ssh-support). It did not work on Windows (gpg-agent with enable-putty-support). We tried it. We checked it over multiple times. We tried it on multiple computers. We read every other document we could find. It simply did not work. It still does not work. It looks to me like Putty is never sending a message to gpg-agent. Yes, we did check the "use Pageant" box in Putty. We got an email back from support that this is not yet working and they need to write some other driver. Are you saying it does work? What do we do at this point?


Posted: Mon Aug 08, 2016 8:54 am
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Attachment: 1.PNG


I am using this version and it works fine on Windows 8.1 & 10

Wake up gpg-agent by running gpg --card-edit first, for example, and then start your Putty session(s). Do this after a reboot just to be sure your agent is not confused yet.

Attachment: 2.PNG


Posted: Mon Aug 08, 2016 6:40 pm

Joined: Sat Mar 21, 2015 9:44 am
Posts: 15
If your yubikey is set up with a separate Authentication subkey within the GPG card applet, you may have to convert this subkey into an SSH key using either the gpgkey2ssh program bundled with some gnupg2 installations on Linux or using a script provided with the monkeysphere package. Once you have the Authentication key in the correct SSH key format, append this to the authorized_keys list for the users/groups.

On the Windows side, the gnupg agent needs to be running in the background, either by first using the GPG applet on the card for a function (such as gpg --card-edit or --card-status) or by starting the daemon using "gpg-connect-agent /bye" in a script.

If your team still has some trouble going forward, I would be more than happy to try and compile a video on setting everything up.


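Added example, not part of the post above and not Yubico's or GnuPG's code: a Python check for the step the post describes, where the card's Authentication key, once in SSH public-key format, is appended to authorized_keys. It validates the wire format of the line (length-prefixed fields, declared type matching the type inside the blob), computes the SHA256 fingerprint, and appends the key only once; the function names and the sample key are constructed for illustration, and the sample is not a real key.

```python
import base64
import hashlib

def read_string(blob, offset):
    """Read one SSH wire string: 4-byte big-endian length, then that many bytes."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if end > len(blob):  # also catches a truncated length field
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end

def parse_public_key_line(line):
    """Validate 'type base64 [comment]'; return (type, blob, SHA256 fingerprint)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)  # bad base64 raises a ValueError subclass
    inner_type, offset = read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("declared type does not match type inside the blob")
    fields = 0
    while offset < len(blob):  # remaining fields, e.g. e and n for ssh-rsa
        _, offset = read_string(blob, offset)
        fields += 1
    if key_type == "ssh-rsa" and fields != 2:
        raise ValueError("ssh-rsa blob must hold exactly e and n")
    digest = hashlib.sha256(blob).digest()
    return key_type, blob, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def append_once(existing_text, line):
    """Return authorized_keys text with the key added unless it is already there."""
    blob = parse_public_key_line(line)[1]
    for old in existing_text.splitlines():
        try:
            if parse_public_key_line(old)[1] == blob:
                return existing_text  # same key already authorized
        except ValueError:
            continue  # comments, blanks, option-prefixed lines: left untouched
    sep = "" if not existing_text or existing_text.endswith("\n") else "\n"
    return existing_text + sep + line.strip() + "\n"

def make_constructed_rsa_line(comment="constructed-sample"):
    """Build a well-formed ssh-rsa line from filler bytes (constructed, not a real key)."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    n = b"\x00\xc1" + bytes(range(1, 256))  # 257-byte mpint-shaped filler
    blob = s(b"ssh-rsa") + s((65537).to_bytes(3, "big")) + s(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

Comparing the returned fingerprint with the one the client side reports for the card key confirms that the line on the server is the key that was exported.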
Posted: Thu Dec 01, 2016 3:48 am

Joined: Tue Nov 22, 2016 7:36 am
Posts: 3
SecureDude wrote:
We have three Yubikey 4s. I've spent the last two days trying to get them working. Are there any support options for it? I would really not want to invest any more of my time in this. I'm just trying to get it to work with Putty on Windows, something which must have been done a thousand times, and I'm extremely frustrated to spend any more of my time on it. Any guidance on this?

Thanks


Attachments:
yubico配置使用手册0.1.docx [201.29 KiB]