From 6dde3bda33e59b1168c5f5abae9b037f88c21f22 Mon Sep 17 00:00:00 2001
From: Philipp Eckel <peckel@thoughtworks.com>
Date: Tue, 12 Dec 2017 09:36:44 +0100
Subject: [PATCH 1/9] emphasize 2048 bit as the correct key size for the
 YubiKey Neo

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1c0ea83..a1a753d 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ An authentication key can also be created for SSH and used with [gpg-agent](http
 
 Keys stored on a smartcard like YubiKey seem more difficult to steal than ones stored on disk, and are convenient for everyday use.
 
-Instructions written for Debian GNU/Linux 8 (jessie) using YubiKey 4 in OTP+CCID mode, updated to GPG version 2.2.1. Some notes are included for macOS as well. Note, older YubiKeys are limited to 2048 bit RSA keys.
+Instructions written for Debian GNU/Linux 8 (jessie) using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, updated to GPG version 2.2.1. Some notes are included for macOS as well. Note, older YubiKeys like the Neo are limited to **2048 bit** RSA keys. Please see a comparison of the different YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/).
 
 Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB drives.
 
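Review bot: the added sentence names the same product two ways ("YubiKey 4" and "the Neo") and leaves "4096 bit" / "2048 bit" unhyphenated where they modify "RSA keys"; use the one model spelling throughout and write "4096-bit RSA keys" / "2048-bit RSA keys". The spaced hyphens in "YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode" read better as a parenthetical: "using YubiKey 4 (which supports 4096-bit RSA keys) in OTP+CCID mode". The link text "here" should also say what it points to, e.g. "see Yubico's YubiKey comparison page".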
@@ -252,6 +252,8 @@ Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/de
 
 ## Create subkeys
 
+Note: If using a Yubikey 4, please use **4096 bit** as the size for the subkeys; if using a YubiKey Neo, please use **2048 bit** as the size for the subkeys.
+
 Edit the key to add subkeys:
 
     $ gpg --expert --edit-key $KEYID
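Review bot: the new note gives two key sizes but not the reason, and it spells the device "Yubikey 4" next to "YubiKey Neo" in the same sentence. Tie it to the intro's statement that older YubiKeys are limited to 2048-bit RSA, e.g. "If using a YubiKey Neo, use **2048 bit** for the subkeys; its OpenPGP applet does not accept larger RSA keys", so a reader understands this is a hard device limit and not a preference. Without that, someone who picks 4096 on a Neo only discovers the problem later, when moving the finished subkeys to the card.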

From 7c0ea30e53661cbf24cbedd3d5b8c65531e214b6 Mon Sep 17 00:00:00 2001
From: drduh <drduh@users.noreply.github.com>
Date: Thu, 14 Dec 2017 00:03:59 +0000
Subject: [PATCH 2/9] Document ssh-add error

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index a1a753d..895c56d 100644
--- a/README.md
+++ b/README.md
@@ -1221,6 +1221,8 @@ The Yubikey will blink when it's waiting for the touch.
 
 - If you receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - you probably have ssh-agent running.  Make sure you replaced ssh-agent with gpg-agent as noted above.
 
+- If you receive the error, `Error connecting to agent: No such file or directory` from `ssh-add -L`, the UNIX file socket that the agent uses for communication with other processes may not be set up correctly. On Debian, try `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`
+
 - If you totally screw up, you can [reset the card](https://developers.yubico.com/ykneo-openpgp/ResetApplet.html).
 
 ## Yubikey OTP Mode and cccccccc....
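Review bot: the suggested `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"` contradicts the `${HOME}/.gnupg/S.gpg-agent.ssh` value the README tells readers to export a few sections earlier, and neither path is correct on every system. GnuPG 2.2 can report the socket it actually uses, so suggest `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"` as the portable form, and have the reader confirm the socket exists with `ls -l "$SSH_AUTH_SOCK"` before retrying `ssh-add -L`. The trailing sentence also lacks a full stop.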

From 6f199ec00efd3c224b00db10277ed41527db8e3c Mon Sep 17 00:00:00 2001
From: drduh <drduh@users.noreply.github.com>
Date: Thu, 14 Dec 2017 00:13:24 +0000
Subject: [PATCH 3/9] Document error from Debian 9

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 895c56d..267cd50 100644
--- a/README.md
+++ b/README.md
@@ -1221,6 +1221,8 @@ The Yubikey will blink when it's waiting for the touch.
 
 - If you receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - you probably have ssh-agent running.  Make sure you replaced ssh-agent with gpg-agent as noted above.
 
+- If you still receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - On Debian, [try](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835394) `gpg-connect-agent updatestartuptty /bye`
+
 - If you receive the error, `Error connecting to agent: No such file or directory` from `ssh-add -L`, the UNIX file socket that the agent uses for communication with other processes may not be set up correctly. On Debian, try `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`
 
 - If you totally screw up, you can [reset the card](https://developers.yubico.com/ykneo-openpgp/ResetApplet.html).
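Review bot: the new bullet repeats the exact error string of the bullet directly above it, so a reader scanning for their error stops at the first match and never reaches this one; fold it into the previous bullet as a follow-up step ("If that does not help, on Debian try ...") or state what distinguishes the two cases. Also explain what the command does: `gpg-connect-agent updatestartuptty /bye` tells the running gpg-agent which terminal to use for pinentry, so this fix applies when the agent was started from another session and cannot prompt for the PIN. "- On Debian" should be lowercase after the dash, matching the surrounding bullets.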

From 5d452a919064a7c39969b8458cd8c20d8a9a331b Mon Sep 17 00:00:00 2001
From: drduh <drduh@users.noreply.github.com>
Date: Mon, 18 Dec 2017 02:44:03 +0000
Subject: [PATCH 4/9] Reference paper backup instructions, fix #3

---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 267cd50..cd9e91f 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
     - [Authentication key](#authentication-key)
   - [Check your work](#check-your-work)
   - [Export keys](#export-keys)
-  - [Back up everything](#back-up-everything)
+  - [Backup everything](#backup-everything)
   - [Configure YubiKey](#configure-yubikey)
   - [Configure smartcard](#configure-smartcard)
     - [Change PINs](#change-pins)
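Review bot: renaming the TOC entry changes the heading anchor from `#back-up-everything` to `#backup-everything`, which breaks every existing link to the old anchor (issues, forks, bookmarks), and it trades correct grammar for incorrect: "back up" is the verb, "backup" the noun. Keep "Back up everything" in both the TOC and the heading, or, if the rename is deliberate, say why in the commit message.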
@@ -485,10 +485,12 @@ In addition to the backup below, you might want to keep a separate copy of the
 revocation certificate in a safe place:
 `$GNUPGHOME/openpgp-revocs.d/<key fingerprint>.rev`
 
-## Back up everything
+## Backup everything
 
 Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made an *encrypted* backup before proceeding.
 
+Also consider using a [paper copy](http://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
+
 To create an encrypted USB drive, first attach it and check its label:
 
     $ dmesg | tail
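Review bot: the paperkey suggestion should say what the paper copy contains and how to treat it. paperkey prints the secret key material (still protected by the passphrase), and reconstruction also needs the exported public key, so the printout deserves the same physical protection the previous sentence demands for the encrypted USB drive, and the passphrase must be kept apart from it. Giving the command form helps too, e.g. `gpg --export-secret-key $KEYID | paperkey --output paper.txt`, since `$KEYID` is already defined earlier in the README.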

From e3c0512b21b2734dd2edfd682c18a743c556f748 Mon Sep 17 00:00:00 2001
From: drduh <drduh@users.noreply.github.com>
Date: Mon, 18 Dec 2017 02:47:07 +0000
Subject: [PATCH 5/9] Describe status if public key not imported, fix #6

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index cd9e91f..d94ccde 100644
--- a/README.md
+++ b/README.md
@@ -960,6 +960,8 @@ Unplug and replug the Yubikey. Check the card's status:
 
 `sec#` indicates master key is not available (as it should be stored encrypted offline).
 
+**Note** If you see `General key info..: [none]` in the output instead, first import your public key using the previous step.
+
 ## GnuPG
 
 ### Trust master key
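Review bot: "using the previous step" is an ambiguous reference in a README of this length; link the section that imports the public key (the file already uses in-page links in its TOC) so the reader can jump to it. It would also help to quote the expected line, e.g. "instead of `sec#` and your user ID", so the two outputs can be compared directly.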

From baf1e6676ec1411a8bd36a76c2f04cb66486ac9f Mon Sep 17 00:00:00 2001
From: drduh <drduh@users.noreply.github.com>
Date: Mon, 18 Dec 2017 03:04:13 +0000
Subject: [PATCH 6/9] Mention ssh multiplex to ease multiple connections

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index d94ccde..e7781cc 100644
--- a/README.md
+++ b/README.md
@@ -1194,6 +1194,8 @@ There is a `-L` option of `ssh-add` that lists public key parameters of all iden
     debug1: Authentication succeeded (publickey).
     [...]
 
+**Note** To make multiple connections or securely transfer many files, consider using the [ControlMaster](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing) ssh option. Also see [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config).
+
 ## Requiring touch to authenticate
 
 By default the Yubikey will perform key operations without requiring a touch from the user. To require a touch for every SSH connection, use the [Yubikey Manager](https://developers.yubico.com/yubikey-manager/) (you'll need the Admin PIN):
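Review bot: the ControlMaster suggestion changes the security model this README builds around the YubiKey and needs a caveat beside it. Once the master connection is authenticated, later connections reuse it through the control socket without touching the YubiKey at all, so the touch requirement described in the very next section is enforced only for the first connection, and any process that can open the `ControlPath` socket (same user or root on the client) gets a ready-made session to the server. Suggest recommending a `ControlPath` under a directory only the user can access and a bounded `ControlPersist`, and linking the relevant lines in the referenced ssh_config rather than the whole file.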

From badf3cc5d9ba162a9b07dfe22b67f326dd5a99e0 Mon Sep 17 00:00:00 2001
From: kiralex <kiralex@users.noreply.github.com>
Date: Mon, 18 Dec 2017 08:26:33 +0100
Subject: [PATCH 7/9] fix: ssh-agent does not work on Arch Linux

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index e7781cc..5afecca 100644
--- a/README.md
+++ b/README.md
@@ -1164,6 +1164,11 @@ Depending on how your environment is set up, you might need to add these to your
     export GPG_TTY="$(tty)"
     export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
     gpgconf --launch gpg-agent
+    
+**Note : ** On some systems, for example Archlinux based distros, you need to replace the second line by 
+```
+export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+```
 
 
 ### Copy public key to server
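Review bot: `**Note : **` will not render as bold in Markdown because the closing `**` is preceded by a space; write `**Note:**`. The hunk also adds a whitespace-only line (the `+    ` line) and a fenced code block in a section that otherwise uses four-space indented code, so the README now mixes both styles; "Archlinux" should be "Arch Linux", and the line ending in "by " carries trailing whitespace. On substance, the only difference between `${HOME}/.gnupg/S.gpg-agent.ssh` and `/run/user/$UID/gnupg/S.gpg-agent.ssh` is where GnuPG places its socket directory, so a single line `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"` would be correct on Debian and Arch alike and avoid the distribution-specific note.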

From 02bfc69c2ac7119c4b167c4595d7fc8f9c46240e Mon Sep 17 00:00:00 2001
From: kiralex <kiralex@users.noreply.github.com>
Date: Mon, 18 Dec 2017 08:52:18 +0100
Subject: [PATCH 8/9] Update README.md

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5afecca..ea02d84 100644
--- a/README.md
+++ b/README.md
@@ -1165,9 +1165,10 @@ Depending on how your environment is set up, you might need to add these to your
     export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
     gpgconf --launch gpg-agent
     
-**Note : ** On some systems, for example Archlinux based distros, you need to replace the second line by 
+**Note : ** On some systems, for example Archlinux based distros, you need to replace the second and the third line by 
 ```
 export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+gpg-connect-agent updatestartuptty /bye
 ```
 
 
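Review bot: "replace the second and the third line" drops `gpgconf --launch gpg-agent` in favour of `gpg-connect-agent updatestartuptty /bye`; that works because gpg-connect-agent starts the agent when it is not already running, but the note should say so, otherwise readers will assume the launch step is still required and keep both. It should also say what `updatestartuptty` does (points the agent's pinentry at the current terminal), and the `**Note : **` rendering problem from the previous patch is still present in this line.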

From 5ecf1046a94800b3f394a38917aeb5d650f77baa Mon Sep 17 00:00:00 2001
From: drduh <drduh@users.noreply.github.com>
Date: Thu, 21 Dec 2017 14:42:54 -0800
Subject: [PATCH 9/9] Formatting fix

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ea02d84..65ef7e1 100644
--- a/README.md
+++ b/README.md
@@ -1165,7 +1165,8 @@ Depending on how your environment is set up, you might need to add these to your
     export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
     gpgconf --launch gpg-agent
     
-**Note : ** On some systems, for example Archlinux based distros, you need to replace the second and the third line by 
+**Note** On some systems, for example Arch Linux-based distributions, you may need to replace the second and the third line with:
+
 ```
 export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
 gpg-connect-agent updatestartuptty /bye
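Review bot: the formatting fix is incomplete: the whitespace-only context line above the note (four spaces and nothing else) and the fenced code block inside a section that otherwise uses four-space indented code both remain, so the rendered page still switches code styles in the middle of one list of shell lines. Indent the two-line block the same way as the `export` lines above it and drop the spaces-only line. The rewritten sentence itself reads well and matches the `**Note**` form used elsewhere in the file.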