I almost gave up too, but after (admittedly) a lot of battling I finally got GPG to work well with my YubiKeys, allowing a portable SSH/GPG identity using a single YubiKey over several machines.
I also got GPG agent forwarding to work transparently and with improved security by forwarding a dynamically created unix socket instead of a TCP socket. It allows me to do remote code signing, as well as chain through a bastion host.
Aside from jamming up with ansible occasionally, the setup is reliable.
I've documented the process for my own reference as much as I could here (yep, a fifth guide): https://github.com/naggie/dotfiles/blob/master/etc/yubikey.m... -- see functions.sh in the same repository for some mechanisms to automatically manage gpg-agent and the sockets without getting deadlocked.
I hope someone finds this useful. I'll certainly be trying the opensc method here though, out of interest.
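The socket-forwarding setup the comment above describes, written out as an added example; this is not code from the thread or from the linked dotfiles. It assumes `gpgconf` is available (with a labelled fallback path when it is not), that the remote `sshd_config` has `StreamLocalBindUnlink yes` so a stale socket file can be replaced, that OpenSSH on both ends is new enough (6.7+) to forward Unix-domain sockets with `-R`, and that no gpg-agent is left running on the remote side to claim the socket first. The function and host names (`gssh_cmd`, `bastion`) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the linked dotfiles): forward the local
# gpg-agent's *restricted* "extra" socket to a remote host over ssh, so gpg on
# the remote can sign/decrypt with keys held on the YubiKey without any TCP
# listener. Assumptions: gpgconf exists (fallback path below if it does not),
# remote sshd_config has "StreamLocalBindUnlink yes", no gpg-agent running remotely.

# Local restricted socket. S.gpg-agent.extra refuses key management commands
# (import/export, passphrase changes), which is why it, and not S.gpg-agent,
# is the one forwarded to a less-trusted host.
local_extra_socket() {
    gpgconf --list-dirs agent-extra-socket 2>/dev/null \
        || printf '%s\n' "$HOME/.gnupg/S.gpg-agent.extra"   # assumed fallback
}

# Build the -R forward spec: <remote S.gpg-agent path>:<local extra socket path>.
# $1 = remote agent socket path, $2 = local extra socket path
forward_spec() {
    printf '%s:%s\n' "$1" "$2"
}

# Assemble the ssh command line (printed, not executed) for host $1.
# $2 = remote S.gpg-agent path; obtain it once with:
#      ssh "$1" gpgconf --list-dirs agent-socket
# Unlike a TCP forward, the remote socket is a filesystem object owned by the
# login user, so other users on the remote box cannot connect to it.
gssh_cmd() {
    host=$1
    remote_sock=$2
    spec=$(forward_spec "$remote_sock" "$(local_extra_socket)")
    printf 'ssh -R %s %s\n' "$spec" "$host"
}

# Example invocation (constructed paths):
#   gssh_cmd bastion /run/user/1000/gnupg/S.gpg-agent
# Chaining through a bastion to a further host is the same -R, added to the
# inner ssh session, with the bastion's own gpg-agent socket path as $2 there.
```

Note that the remote `gpg` must be told the key IDs it may use (import the public keys there), and that a restricted socket still lets the remote end sign and decrypt with whatever the card-holder confirms, so the wrapper's selectivity about when to forward is the real control.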
I set it to `on`. I read somewhere on the internet an argument why `fixed` is not really necessary: for setting it back to `off` you need the admin PIN, and you have only 3 tries (by default) for the password. So I am not really worried about someone managing to disable it. And that keeps the possibility of changing my mind later on open, without having to reset the key.
I have it on -- if my Yubikey is locked out or lost, it's not a problem as I have a backup of the master key in my safe. I could revoke the subkeys if the yubikey is stolen, or trust that whoever finds the yubikey has only three attempts on the pin.
Also I further mitigate the risk by having an explicit wrapper (gssh) to be selective about when I forward GPG/SSH agent.
The private keys are in a subdirectory under .gpg before you move them to the card. Just back those up and store them in a safe place. The auth and signing subkeys can be replaced easily, but if you lose the encryption subkey you won't be able to decrypt anything that was sent to you in the past.