From e0430a0698ee62874d1cfb6c2a51555775f07854 Mon Sep 17 00:00:00 2001 From: drduh Date: Tue, 16 Jan 2018 10:36:46 -0800 Subject: [PATCH 1/8] Formatting nit --- README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/README.md b/README.md index 65ef7e1..82eb498 100644 --- a/README.md +++ b/README.md @@ -145,10 +145,7 @@ If on [Tails](https://tails.boum.org/), you also need to install libykpers-1-1 f ## Install - macOS -You will need to install the following software: - -1. [Homebrew](https://brew.sh/) package manager -2. The following brew packages: +You will need to install [Homebrew](https://brew.sh/) and the following brew packages: $ brew install gnupg yubikey-personalization From 161dea9e928de4561b21893bd20b3387374d9e00 Mon Sep 17 00:00:00 2001 From: Philipp Eckel Date: Tue, 30 Jan 2018 22:50:47 +0100 Subject: [PATCH 2/8] remove outdated use-standard-socket option from SSH config, see here: https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 82eb498..78b5469 100644 --- a/README.md +++ b/README.md @@ -1147,7 +1147,6 @@ Paste the following text into a terminal window to create a [recommended](https: default-cache-ttl 60 max-cache-ttl 120 write-env-file - use-standard-socket EOF If you are using Linux on the desktop, you may want to use `/usr/bin/pinentry-gnome3` to use a GUI manager. For macOS, try `brew install pinentry-mac`, and adjust the `pinentry-program` setting to suit. From dcadfbdccd4f31904e35e0b254e7040c37b72fb7 Mon Sep 17 00:00:00 2001 From: Philipp Eckel Date: Thu, 22 Feb 2018 08:18:10 +0100 Subject: [PATCH 3/8] remove not need keyserver certificate, see https://github.com/drduh/YubiKey-Guide/issues/48 --- README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/README.md b/README.md index 78b5469..8fa8d86 100644 --- a/README.md +++ b/README.md 
@@ -871,7 +871,6 @@ Paste the following text into a terminal window to create a [recommended](https: auto-key-locate keyserver keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url - keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem keyserver-options no-honor-keyserver-url keyserver-options debug keyserver-options verbose @@ -893,10 +892,6 @@ Paste the following text into a terminal window to create a [recommended](https: require-cross-certification EOF -To install the keyservers CA file: - - $ sudo curl -s "https://sks-keyservers.net/sks-keyservers.netCA.pem" -o /etc/sks-keyservers.netCA.pem - ## Import public key Import it from a file: From 71b5e69cf1168fc324053e6cbee371fcf1cf2902 Mon Sep 17 00:00:00 2001 From: Nick Sandford Date: Sun, 25 Feb 2018 19:43:36 +1100 Subject: [PATCH 4/8] Use gpgconf to get the ssh auth sock. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8fa8d86..fcf2f2b 100644 --- a/README.md +++ b/README.md @@ -1153,7 +1153,7 @@ If you are using Linux on the desktop, you may want to use `/usr/bin/pinentry-gn Depending on how your environment is set up, you might need to add these to your shell `rc` file: export GPG_TTY="$(tty)" - export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh" + export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent **Note** On some systems, for example Arch Linux-based distributions, you may need to replace the second and the third line with: From f14d756578ddc04c98b79969feb7b21fd657f6df Mon Sep 17 00:00:00 2001 From: Marjan Grabowski Date: Mon, 26 Feb 2018 10:33:42 +0100 Subject: [PATCH 5/8] Change rights of 'gpg.conf' to avoid warning --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index fcf2f2b..f064eb6 100644 --- a/README.md +++ b/README.md 
@@ -892,6 +892,10 @@ Paste the following text into a terminal window to create a [recommended](https: require-cross-certification EOF +Ensure you change to correct rights of that file to at least avoid a warning message about incorrect file rights + + chmod 600 ~/.gnupg/gpg.conf + ## Import public key Import it from a file: From 9a21477481fe2dcc81fafbb65a73afe2aab18e5e Mon Sep 17 00:00:00 2001 From: W1lkins Date: Sat, 3 Mar 2018 16:12:36 +0000 Subject: [PATCH 6/8] install hopenpgp-tools as it is used in section https://github.com/drduh/YubiKey-Guide\#check-your-work where an apt-get command is listed --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f064eb6..78a0367 100644 --- a/README.md +++ b/README.md @@ -147,7 +147,7 @@ If on [Tails](https://tails.boum.org/), you also need to install libykpers-1-1 f You will need to install [Homebrew](https://brew.sh/) and the following brew packages: - $ brew install gnupg yubikey-personalization + $ brew install gnupg yubikey-personalization hopenpgp-tools # Creating keys From 79dac3ec7d53530564c701939b4b45c12000eb0d Mon Sep 17 00:00:00 2001 From: James Wu Date: Wed, 14 Mar 2018 11:50:04 -0700 Subject: [PATCH 7/8] add explicit public key naming for IdentitiesOnly usage --- README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 78a0367..b6c98e9 100644 --- a/README.md +++ b/README.md @@ -1167,7 +1167,6 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" gpg-connect-agent updatestartuptty /bye ``` - ### Copy public key to server There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file: 
@@ -1175,6 +1174,21 @@ There is a `-L` option of `ssh-add` that lists public key parameters of all iden $ ssh-add -L ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211 +#### (Optional) Save public key for identity file configuration + +If `IdentitiesOnly yes` is used in your `.ssh/config` (for example [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/)), `ssh` will not automatically enumerate public keys loaded into `ssh-agent` or `gpg-agent`. This means `publickey` authentication will not proceed unless explicitly named by `ssh -i [identity_file]` or in `.ssh/config` on a per-host basis. + +In the case of Yubikey usage, you do not have access to the private key, and `identity_file` can be pointed to the public key (`.pub`). + + $ ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub + +Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows: + + $ cat << EOF >> ~/.ssh/config + Host github.com + IdentityFile ~/.ssh/id_rsa_yubikey.pub + EOF + ### Connect with public key authentication $ ssh git@github.com -vvv From 17581cfd82c6f64750c955f0d31c829f1e9c29fe Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Wed, 21 Mar 2018 01:31:21 -0400 Subject: [PATCH 8/8] Remove outdated config from gpg.conf Removing configuration paramaters no longer supported in GPG 2.X Related to #28 --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index b6c98e9..498916a 100644 --- a/README.md +++ b/README.md 
@@ -872,8 +872,6 @@ Paste the following text into a terminal window to create a [recommended](https: keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url keyserver-options no-honor-keyserver-url - keyserver-options debug - keyserver-options verbose personal-cipher-preferences AES256 AES192 AES CAST5 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
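Review bot: in PATCH 1/8, collapsing the numbered list drops the words "package manager" that described Homebrew; suggest "You will need to install the [Homebrew](https://brew.sh/) package manager and the following brew packages:" so the first-time reader still learns what Homebrew is before being told to run `brew install`.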
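Review bot: in PATCH 2/8, the gpg-agent.conf hunk removes `use-standard-socket` but leaves `write-env-file` on the line directly above it, and that option is equally obsolete: GnuPG 2.1 and later no longer support `write-env-file` in gpg-agent, so both lines should be dropped in the same change. The subject line also calls this the "SSH config"; the heredoc being edited is the gpg-agent configuration, so the message should say gpg-agent.conf.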
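Review bot: in PATCH 3/8, the first hunk removes `keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem` but the context shows `keyserver-options no-honor-keyserver-url` on both the line before and the line after it, so the recommended gpg.conf still carries a duplicate line; drop one copy while touching this block. Removing the pinned CA file is consistent with the second hunk, which deletes the `sudo curl ... -o /etc/sks-keyservers.netCA.pem` install step, but the prose introducing the config should mention that hkps certificate validation now relies on dirmngr's own CA handling rather than a manually downloaded certificate, so readers of older copies of the guide know why the file is no longer needed.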
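Review bot: in PATCH 4/8, the new line `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` is unquoted while the `GPG_TTY` line above it quotes its command substitution; use `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"` for consistency and so a home directory path containing whitespace is not word-split. The context also shows a following note telling Arch Linux users to replace this line with the hard-coded `/run/user/$UID/gnupg/S.gpg-agent.ssh` path; since `gpgconf --list-dirs agent-ssh-socket` reports whichever socket directory the local gpg-agent actually uses, that note should be re-checked and probably reduced to the `gpg-connect-agent updatestartuptty /bye` part.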
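Review bot: in PATCH 5/8, the added sentence "Ensure you change to correct rights of that file to at least avoid a warning message about incorrect file rights" reads awkwardly and lacks the colon the rest of the guide uses before a command; suggest "Restrict the permissions of the file so gpg does not warn about unsafe permissions:". gpg also checks the home directory itself and warns when `~/.gnupg` is group- or world-accessible, so the same step should include `chmod 700 ~/.gnupg` alongside `chmod 600 ~/.gnupg/gpg.conf`.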
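Review bot: in PATCH 6/8, `hopenpgp-tools` is added to the brew line with no mention in the surrounding macOS text of what it is for; since the subject line says it is used in the "Check your work" section, a short note there or next to this command that the package is needed for the later key-lint step would tell macOS readers why they are installing it.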
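Review bot: in PATCH 7/8, the first hunk only removes a blank line between the closing fence and the `### Copy public key to server` heading, which is unrelated to the IdentitiesOnly change described in the subject; keep whitespace-only edits in a separate commit so the content change is easier to review.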
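Review bot: in PATCH 7/8, the second hunk's `ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub` hard-codes the card number from the example output a few lines above; the text should tell the reader to substitute their own `cardno:` value, otherwise the grep matches nothing and silently writes an empty `.pub` file that `IdentityFile` will then ignore. Typo in the same hunk: "for used with the domain" should be "for use with the domain". The `cat << EOF >> ~/.ssh/config` heredoc appends unconditionally; because ssh takes the first obtained value for each option, an existing `Host github.com` stanza earlier in the file would win over the appended one, so the text should say to merge the `IdentityFile` line into any existing stanza instead. Finally, it is worth stating explicitly that the `.pub` file only names the key: the private half never leaves the YubiKey and signing still goes through gpg-agent, which is why pointing `IdentityFile` at a public key satisfies `IdentitiesOnly yes`.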
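Review bot: in PATCH 8/8, the hunk removes `keyserver-options debug` and `keyserver-options verbose`, but the two context lines directly above them are both `keyserver-options no-honor-keyserver-url`, so the duplicate survives this cleanup as well; remove one copy here. While the preference lists are in view, consider dropping CAST5 from `personal-cipher-preferences` and `default-preference-list`: it is a 64-bit block cipher kept only for compatibility with old implementations, and advertising it in your own preferences lets a correspondent's client choose it when encrypting to you. The commit message also misspells "parameters" as "paramaters".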