How to use YubiKey through GnuPG on remote server?

GnuPG does not make use of any tokens generated by the YubiKey; instead, the stick implements the OpenPGP smart card protocol. The keys are stored on the YubiKey, which performs all public/private key cryptographic operations. The special protection is based on the fact that the keys can never leave the YubiKey, so an attacker could at most make use of the key (temporarily, as long as he has access to the unlocked stick), but not completely get hold of it.

GnuPG has a feature called agent forwarding. It mostly boils down to configuring gpg-agent to provide a special, extra socket used only for specific operations:

extra-socket /home/<user>/.gnupg/S.gpg-agent.extra

Then, configure SSH to forward all communication on the socket to the remote server:

RemoteForward /home/<user>/.gnupg/S.gpg-agent /home/<user>/.gnupg/S.gpg-agent.extra

More explanation including some hints on nitpicks is available in the wiki page linked above.


In newer versions of GnuPG or Linux distributions, the paths of the sockets can change. They can be found out via

$ gpgconf --list-dirs agent-extra-socket

and

$ gpgconf --list-dirs agent-socket

Then add these paths to your SSH configuration:

Host remote
  RemoteForward <remote socket> <local socket>

Quick solution for copying the public keys:

scp .gnupg/pubring.kbx remote:~/.gnupg/

On the remote machine, activate GPG agent:

echo use-agent >> ~/.gnupg/gpg.conf

On the remote machine, also modify the SSH server configuration and add this parameter (/etc/ssh/sshd_config):

StreamLocalBindUnlink yes

Restart the SSH server and reconnect to the remote machine; then it should work.

A more detailed tutorial including some troubleshooting can be found in a blog post by Matthias Lohr.
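The forwarding setup described in the two answers above, as an added example that is not part of either answer or of GnuPG itself: a small POSIX shell script that builds the `RemoteForward` stanza from the two socket paths, refuses to forward anything other than the restricted extra socket, and checks an `sshd_config` for the `StreamLocalBindUnlink` setting the second answer requires. The host alias `remote` and the `/run/user/1000/gnupg/...` paths in the comments are assumptions for illustration; the remote socket path must be obtained by running `gpgconf --list-dirs agent-socket` on the server, since the local `gpgconf` only knows the local layout.

```shell
#!/bin/sh
# Added example, not code from the answers above. Host alias "remote" and the
# /run/user/1000 paths in comments are assumed values for illustration.

# Emit the ~/.ssh/config stanza for host alias $1. Argument order matters:
# $2 is the agent socket path *on the server* (where the remote gpg will look),
# $3 is the *extra* socket on this machine. The extra socket exposes only the
# restricted command set (sign/decrypt via the card, no key export, no agent
# reconfiguration), which is why it, and not S.gpg-agent, is forwarded.
gpg_forward_stanza() {
    printf 'Host %s\n  RemoteForward %s %s\n' "$1" "$2" "$3"
}

# Heuristic guard: the local side of the forward should be the restricted
# socket. Returns 0 when the path ends in ".extra" (the default name), 1 otherwise.
is_extra_socket() {
    case "$1" in
        *.extra) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read an sshd_config from stdin and report whether StreamLocalBindUnlink is
# enabled. Mirrors the sshd parsing rules that matter here: keywords are
# case-insensitive, '#' lines are comments, and the first occurrence of a
# keyword wins. Returns 0 if enabled, 1 otherwise. Without this setting a
# stale socket file left by a previous session makes the forward fail silently.
sshd_unlink_enabled() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "streamlocalbindunlink" && !seen {
            seen = 1
            found = (tolower($2) == "yes")
        }
        END { exit found ? 0 : 1 }
    '
}

# Print the stanza for this machine: the local extra socket is resolved with
# gpgconf here; the remote socket path ($2) must come from gpgconf on the
# server, e.g. $(ssh remote gpgconf --list-dirs agent-socket).
emit_stanza_for_host() {
    host=${1:-remote}
    remote_sock=$2
    local_sock=$(gpgconf --list-dirs agent-extra-socket) || return 1
    is_extra_socket "$local_sock" || {
        echo "refusing to forward non-extra socket: $local_sock" >&2
        return 1
    }
    gpg_forward_stanza "$host" "$remote_sock" "$local_sock"
}

# Usage (no commands run at load time, so the file can also be sourced):
#   emit_stanza_for_host remote "$(ssh remote gpgconf --list-dirs agent-socket)" >> ~/.ssh/config
#   sshd_unlink_enabled < /etc/ssh/sshd_config || echo "add: StreamLocalBindUnlink yes"
```

After the stanza is in place and the server restarted, `gpg --card-status` on the remote machine should list the YubiKey; if it does not, the usual causes are the wrong socket on the remote side of `RemoteForward` (it must be the path the remote gpg actually uses) or a stale socket file that `StreamLocalBindUnlink` would have removed.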