I use a YubiKey to connect to multiple servers. I am doing this under Windows and this works perfectly fine with my SSH config in the .ssh directory.

Now I have a case where I need to run some things under Linux and connect to the same servers, also using the YubiKey. So I installed WSL (Ubuntu) and copied my config and keys from my Windows SSH config to the WSL environment. SSH generally works fine when connecting to a server that's only using a password or only a key file without the YubiKey.

But every connection that requires the YubiKey fails with the following error (changed IPs and names for obvious reasons):

Confirm user presence for key ED25519-SK SHA256:BnVjcbhrBbURNA7KSkTI22C0Z9/6avSGpC72GbIvOJw
sign_and_send_pubkey: signing failed for ED25519-SK "/home/kgr/.ssh/keys/admin@server": device not found
[email protected]: Permission denied (publickey).

Sadly I could not find anything regarding the "device not found" that occurs here.

Any hints on what could be causing this, or are there some special steps that are required for WSL to use the YubiKey correctly?

EDIT: I forgot to mention something, since it made no difference:

I followed the article at https://levelup.gitconnected.com/how-to-use-a-yubikey-in-wsl2-linux-on-windows-96f176518583 but without success. Once I try to use any gpg commands in WSL, it says "no such device", while it works in Windows.

I also found comments online that the .bashrc entry has to point to the config in AppDataLocal since Gpg4win Version 4. But I also tried that and it made no difference.

EDIT2: After some helpful comments I could see my card with gpg --card-status in WSL. Anyhow, the SSH connection still fails with the same error. One thing I noticed when running gpg --card-status is that the "Version" entry shows "0". Not sure how relevant this is. Since currently everything seems to work but SSH fails, I am a bit clueless.

  • Can you try running lsusb to get a list of all USB devices installed, and usb-devices to get more details. You may be able to install usbview and get even more details. I am guessing that your WSL environment has not correctly installed your YubiKey. This should at least tell us if I am on the right track or not.
    – Netspud2K
    Commented Mar 15, 2023 at 9:23
  • Both commands, run as root or not, return nothing. Maybe this is normal in WSL?
    – Hakairo
    Commented Mar 15, 2023 at 10:03

1 Answer

The article How to Use a Yubikey in WSL2 (Linux) on Windows contains the required WSL2 setup.

Installation of required packages:

sudo apt update
sudo apt upgrade
sudo apt install socat iproute2
mkdir -p ~/.ssh
wget https://github.com/BlackReloaded/wsl2-ssh-pageant/releases/latest/download/wsl2-ssh-pageant.exe -O ~/.ssh/wsl2-ssh-pageant.exe
chmod +x ~/.ssh/wsl2-ssh-pageant.exe

Append the following to your ~/.bashrc file:

# SSH Socket
# Removing Linux SSH socket and replacing it by link to wsl2-ssh-pageant socket
export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
  rm -f "$SSH_AUTH_SOCK"
  wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
  if test -x "$wsl2_ssh_pageant_bin"; then
    # socat listens on the Unix socket and hands each connection to the Windows bridge (Pageant)
    (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin" >/dev/null 2>&1 &)
  else
    echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
  fi
  unset wsl2_ssh_pageant_bin
fi

# GPG Socket
# Removing Linux GPG Agent socket and replacing it by link to wsl2-ssh-pageant GPG socket
export GPG_AGENT_SOCK="$HOME/.gnupg/S.gpg-agent"
if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
  rm -rf "$GPG_AGENT_SOCK"
  wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
  if test -x "$wsl2_ssh_pageant_bin"; then
    # same bridge, but forwarding to the Windows gpg-agent socket
    (setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin --gpg S.gpg-agent" >/dev/null 2>&1 &)
  else
    echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
  fi
  unset wsl2_ssh_pageant_bin
fi

Now restart WSL2:

wsl.exe --shutdown

To test the access to your YubiKey in WSL2, try gpg --card-status to get info about your YubiKey.

To change key trustworthiness to ultimate:

$ gpg --edit-key 1CA87B39873495770098080098336BC4E5C445AB
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit

If you now run gpg --list-keys the keys should have ultimate trust.

For more details, see the linked article.

  • Sorry, my bad. I should have mentioned that I followed this exact article already, but running gpg --card-status in WSL also says that there is "no such device" while it works in Windows.
    – Hakairo
    Commented Mar 15, 2023 at 9:48
  • Unfortunately I don't have a YubiKey, but it seems you're getting stuck on the first step already and never get to the trustworthiness part? The article only advises in this case to repeat the procedure. Strange advice.
    – harrymc
    Commented Mar 15, 2023 at 9:52
  • This article may help.
    – harrymc
    Commented Mar 15, 2023 at 9:55
  • Yes, I cannot perform the trustworthiness steps since this requires a valid output of the --card-status command, which only returns that there is no device. I will check the other linked article.
    – Hakairo
    Commented Mar 15, 2023 at 10:01
  • The other linked article in fact helped to a certain extent, but not completely. I am now able to see the card status in WSL, change the trustworthiness of the keys, etc., but when trying to connect via SSH, I still get the "device not found" error.
    – Hakairo
    Commented Mar 15, 2023 at 12:49
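Editor's note, not part of the question, the answer or the linked article: the second line of the error names the on-disk key file, so ssh signed with the local ED25519-SK key file rather than through the agent socket the answer's bridge provides, and a FIDO (-sk) key file needs direct access to the USB authenticator, which is what "device not found" reports. The added script below, using constructed sample data in the formats ssh and `ssh-add -l` print, shows how to tell the two signing paths apart and checks that the bridge socket exists.

```shell
#!/bin/sh
# Added diagnostic (POSIX sh) for the failure in the question; not part of the
# original post or the linked article. Fingerprint and listings below are
# constructed sample data in the exact formats ssh and `ssh-add -l` print.

# Pull the SHA256 fingerprint out of ssh's "Confirm user presence for key" line.
failing_fingerprint() {
  printf '%s\n' "$1" |
    sed -n 's|^.*Confirm user presence for key [A-Z0-9-]* \(SHA256:[A-Za-z0-9+/=]*\).*$|\1|p'
}

# Succeed if the agent listing (ssh-add -l format) contains that fingerprint.
agent_has_key() {
  printf '%s\n' "$2" | grep -qF -- "$1"
}

# Classify how ssh will sign for the failing key:
#   "agent"         the bridged Windows agent holds the key; signing goes via SSH_AUTH_SOCK
#   "local-sk-file" ssh loads the *-sk key file itself and needs direct USB/HID access
#                   to the authenticator, which WSL2 does not expose (hence the empty lsusb)
#   "no-sk-prompt"  the output contains no user-presence prompt at all
classify_signing_path() {
  fp=$(failing_fingerprint "$1")
  [ -n "$fp" ] || { echo "no-sk-prompt"; return 0; }
  if agent_has_key "$fp" "$2"; then echo "agent"; else echo "local-sk-file"; fi
}

# Health of the socat/wsl2-ssh-pageant bridge set up by the answer's ~/.bashrc:
# "unset" if the socket path is empty, "missing" if it is not a socket, else "ok".
agent_socket_state() {
  sock=${1-$SSH_AUTH_SOCK}
  [ -n "$sock" ] || { echo "unset"; return 0; }
  if [ -S "$sock" ]; then echo "ok"; else echo "missing"; fi
}

# Constructed sample input (fingerprint copied from the question's error text).
SAMPLE_ERR='Confirm user presence for key ED25519-SK SHA256:BnVjcbhrBbURNA7KSkTI22C0Z9/6avSGpC72GbIvOJw
sign_and_send_pubkey: signing failed for ED25519-SK "/home/kgr/.ssh/keys/admin@server": device not found'
LISTING_WITH_KEY='256 SHA256:BnVjcbhrBbURNA7KSkTI22C0Z9/6avSGpC72GbIvOJw admin@server (ED25519-SK)'
LISTING_WITHOUT_KEY='256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA other@host (ED25519)'

echo "agent socket: $(agent_socket_state)"
echo "signing path: $(classify_signing_path "$SAMPLE_ERR" "$LISTING_WITHOUT_KEY")"   # local-sk-file
```

On a real WSL2 shell, replace the sample listing with the live output of `ssh-add -l`; if the failing fingerprint is absent there, the key is not reachable through the bridged agent and ssh will keep falling back to the local -sk file.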
