mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-11-26 17:28:09 +00:00
Update openbsd instructions
This commit is contained in:
parent
381088ba79
commit
3f4480db25
224
README.md
@ -11,47 +11,54 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
|
|||||||
- [Purchase YubiKey](#purchase-yubikey)
|
- [Purchase YubiKey](#purchase-yubikey)
|
||||||
- [Live image](#live-image)
|
- [Live image](#live-image)
|
||||||
- [Required software](#required-software)
|
- [Required software](#required-software)
|
||||||
- [Entropy](#entropy)
|
* [Entropy](#entropy)
|
||||||
- [Creating keys](#creating-keys)
|
- [Creating keys](#creating-keys)
|
||||||
- [Master key](#master-key)
|
- [Master key](#master-key)
|
||||||
- [Subkeys](#subkeys)
|
- [Subkeys](#subkeys)
|
||||||
- [Signing](#signing)
|
* [Signing](#signing)
|
||||||
- [Encryption](#encryption)
|
* [Encryption](#encryption)
|
||||||
- [Authentication](#authentication)
|
* [Authentication](#authentication)
|
||||||
- [Verify keys](#verify-keys)
|
- [Verify keys](#verify-keys)
|
||||||
- [Export keys](#export-keys)
|
- [Export keys](#export-keys)
|
||||||
- [Backup keys](#backup-keys)
|
- [Backup keys](#backup-keys)
|
||||||
|
* [Linux](#linux)
|
||||||
|
* [OpenBSD](#openbsd)
|
||||||
- [Configure YubiKey](#configure-yubikey)
|
- [Configure YubiKey](#configure-yubikey)
|
||||||
- [Configure Smartcard](#configure-smartcard)
|
- [Configure Smartcard](#configure-smartcard)
|
||||||
- [Change PIN](#change-pin)
|
* [Change PIN](#change-pin)
|
||||||
- [Set information](#set-information)
|
* [Set information](#set-information)
|
||||||
- [Transfer keys](#transfer-keys)
|
- [Transfer keys](#transfer-keys)
|
||||||
- [Signing](#signing-1)
|
* [Signing](#signing-1)
|
||||||
- [Encryption](#encryption-1)
|
* [Encryption](#encryption-1)
|
||||||
- [Authentication](#authentication-1)
|
* [Authentication](#authentication-1)
|
||||||
- [Verify card](#verify-card)
|
- [Verify card](#verify-card)
|
||||||
- [Export public key](#export-public-key)
|
- [Export public key](#export-public-key)
|
||||||
- [Cleanup](#cleanup)
|
- [Cleanup](#cleanup)
|
||||||
- [Using keys](#using-keys)
|
- [Using keys](#using-keys)
|
||||||
- [Import public key](#import-public-key)
|
- [Import public key](#import-public-key)
|
||||||
- [Trust master key](#trust-master-key)
|
* [Trust master key](#trust-master-key)
|
||||||
- [Insert YubiKey](#insert-yubikey)
|
- [Insert YubiKey](#insert-yubikey)
|
||||||
- [Encryption](#encryption-2)
|
- [Encryption](#encryption-2)
|
||||||
- [Decryption](#decryption)
|
- [Decryption](#decryption)
|
||||||
- [Signing](#signing-2)
|
- [Signing](#signing-2)
|
||||||
- [Verifying signature](#verifying-signature)
|
- [Verifying signature](#verifying-signature)
|
||||||
- [SSH](#ssh)
|
- [SSH](#ssh)
|
||||||
- [Create configuration](#create-configuration)
|
* [Create configuration](#create-configuration)
|
||||||
- [Replace agents](#replace-agents)
|
* [Replace agents](#replace-agents)
|
||||||
- [Copy public key](#copy-public-key)
|
* [Copy public key](#copy-public-key)
|
||||||
- [(Optional) Save public key for identity file configuration](#optional-save-public-key-for-identity-file-configuration)
|
* [(Optional) Save public key for identity file configuration](#-optional--save-public-key-for-identity-file-configuration)
|
||||||
- [Connect with public key authentication](#connect-with-public-key-authentication)
|
* [Connect with public key authentication](#connect-with-public-key-authentication)
|
||||||
- [Touch to authenticate](#touch-to-authenticate)
|
* [Touch to authenticate](#touch-to-authenticate)
|
||||||
- [Import SSH keys](#import-ssh-keys)
|
* [Import SSH keys](#import-ssh-keys)
|
||||||
- [GitHub](#github)
|
* [Remote Machines (agent forwarding)](#remote-machines--agent-forwarding-)
|
||||||
- [OpenBSD](#openbsd)
|
* [GitHub](#github)
|
||||||
- [Windows](#windows)
|
* [OpenBSD](#openbsd-1)
|
||||||
- [Windows Subsystem for Linux (WSL)](#wsl)
|
* [Windows](#windows)
|
||||||
|
+ [WSL](#wsl)
|
||||||
|
- [Prerequisites](#prerequisites)
|
||||||
|
- [WSL configuration](#wsl-configuration)
|
||||||
|
- [Remote host configuration](#remote-host-configuration)
|
||||||
|
- [Final test](#final-test)
|
||||||
- [Troubleshooting](#troubleshooting)
|
- [Troubleshooting](#troubleshooting)
|
||||||
- [Notes](#notes)
|
- [Notes](#notes)
|
||||||
- [Links](#links)
|
- [Links](#links)
|
||||||
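Review bot: the two anchors rewritten in this table-of-contents hunk, `#-optional--save-public-key-for-identity-file-configuration` and `#remote-machines--agent-forwarding-`, follow a different slug scheme from every other link in the list (compare `#openbsd-1` and `#wsl`), and GitHub's heading slugs drop parentheses without substituting hyphens, so both links will be dead when the README is rendered there. Use `#optional-save-public-key-for-identity-file-configuration` (which is how the first of them read before this change) and `#remote-machines-agent-forwarding`.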
@ -82,7 +89,7 @@ $ grep $(sha512sum debian-live-9.6.0-amd64-xfce.iso) SHA512SUMS
|
|||||||
e35dd65fe1b078f71fcf04fa749a05bfefe4aa11a9e80f116ceec0566d65636a4ac84a9aff22aa3f7a8eeb10289d0c2f54dfe7c599d8aa16663e4f9a74f3eec5 debian-live-9.6.0-amd64-xfce.iso
|
e35dd65fe1b078f71fcf04fa749a05bfefe4aa11a9e80f116ceec0566d65636a4ac84a9aff22aa3f7a8eeb10289d0c2f54dfe7c599d8aa16663e4f9a74f3eec5 debian-live-9.6.0-amd64-xfce.iso
|
||||||
```
|
```
|
||||||
|
|
||||||
Mount a USB drive and copy the image over to it:
|
Mount a USB disk and copy the image over to it:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo dd if=debian-live-9.6.0-amd64-xfce.iso of=/dev/sdc bs=4M && sync
|
$ sudo dd if=debian-live-9.6.0-amd64-xfce.iso of=/dev/sdc bs=4M && sync
|
||||||
@ -90,13 +97,13 @@ $ sudo dd if=debian-live-9.6.0-amd64-xfce.iso of=/dev/sdc bs=4M && sync
|
|||||||
|
|
||||||
Shut down the computer and disconnect any hard drives and unnecessary peripherals.
|
Shut down the computer and disconnect any hard drives and unnecessary peripherals.
|
||||||
|
|
||||||
Plug in the USB drive and boot to the live image. Configure networking to continue. If the screen locks, unlock with user/live.
|
Plug in the USB disk and boot to the live image. Configure networking to continue. If the screen locks, unlock with user/live.
|
||||||
|
|
||||||
# Required software
|
# Required software
|
||||||
|
|
||||||
Install several packages required for the following steps:
|
Install several packages required for the following steps:
|
||||||
|
|
||||||
**debian and ubuntu**
|
**Debian/Ubuntu**
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo apt-get update
|
$ sudo apt-get update
|
||||||
@ -116,15 +123,27 @@ $ sudo pacman -Syu gnupg2 pcsclite ccid yubikey-personalization
|
|||||||
```
|
```
|
||||||
|
|
||||||
**RHEL7**
|
**RHEL7**
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo yum install -y gnupg2 pinentry-curses pcsc-lite pcsc-lite-libs gnupg2-smime
|
$ sudo yum install -y gnupg2 pinentry-curses pcsc-lite pcsc-lite-libs gnupg2-smime
|
||||||
```
|
```
|
||||||
|
|
||||||
You may also need more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/).
|
**OpenBSD**
|
||||||
|
|
||||||
**macOS** Download and install [Homebrew](https://brew.sh/) and the following Brew packages - `gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac`
|
```console
|
||||||
|
$ doas pkg_add gnupg pcsc-tools
|
||||||
|
```
|
||||||
|
|
||||||
|
**macOS**
|
||||||
|
|
||||||
|
Download and install [Homebrew](https://brew.sh/) and the following Brew packages - `gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac`
|
||||||
|
|
||||||
|
**Windows**
|
||||||
|
|
||||||
|
Download and install [Gpg4Win](https://www.gpg4win.org/) and [PuTTY](https://putty.org).
|
||||||
|
|
||||||
|
**Note** You may also need more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/).
|
||||||
|
|
||||||
**Windows** Download and install [Gpg4Win](https://www.gpg4win.org/) and [PuTTY](https://putty.org).
|
|
||||||
|
|
||||||
## Entropy
|
## Entropy
|
||||||
|
|
||||||
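Review bot: the new OpenBSD entry under Required software stops at `$ doas pkg_add gnupg pcsc-tools`, but the later OpenBSD usage section in this same commit says the reader must also `doas rcctl enable pcscd` and reboot before the YubiKey is recognised; state that here (or point to that section) so an OpenBSD reader following the page top to bottom does not reach Configure Smartcard with scdaemon unable to see the card. Separately, moving the yubikey-personalization/yubico-c note from directly under RHEL7 to after Windows makes it read as a general requirement for every platform; if it is still about RHEL7's older packages, say so in the note.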
@ -547,7 +566,6 @@ The output will display any problems with your key in red text. If everything is
|
|||||||
|
|
||||||
> hokey may warn (orange text) about cross certification for the authentication key. GPG's [Signing Subkey Cross-Certification](https://gnupg.org/faq/subkey-cross-certify.html) documentation has more detail on cross certification, and gpg v2.2.1 notes "subkey <keyid> does not sign and so does not need to be cross-certified". hokey may also indicate a problem (red text) with `Key expiration times: []` on the primary key (see [Note #3](#notes) about not setting an expiry for the primary key).
|
> hokey may warn (orange text) about cross certification for the authentication key. GPG's [Signing Subkey Cross-Certification](https://gnupg.org/faq/subkey-cross-certify.html) documentation has more detail on cross certification, and gpg v2.2.1 notes "subkey <keyid> does not sign and so does not need to be cross-certified". hokey may also indicate a problem (red text) with `Key expiration times: []` on the primary key (see [Note #3](#notes) about not setting an expiry for the primary key).
|
||||||
|
|
||||||
|
|
||||||
# Export keys
|
# Export keys
|
||||||
|
|
||||||
The Master and subkeys will be encrypted with your passphrase when exported.
|
The Master and subkeys will be encrypted with your passphrase when exported.
|
||||||
@ -572,9 +590,11 @@ $ gpg --armor --export-secret-subkeys $KEYID -o \path\to\dir\sub.gpg
|
|||||||
|
|
||||||
Once keys are moved to hardware, they cannot be extracted again, so make sure you have made an **encrypted** backup before proceeding. An encrypted USB drive or container can be made using [VeraCrypt](https://www.veracrypt.fr/en/Downloads.html).
|
Once keys are moved to hardware, they cannot be extracted again, so make sure you have made an **encrypted** backup before proceeding. An encrypted USB drive or container can be made using [VeraCrypt](https://www.veracrypt.fr/en/Downloads.html).
|
||||||
|
|
||||||
Also consider using a [paper copy](http://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
|
Also consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
|
||||||
|
|
||||||
To format and encrypt a USB drive on Linux, first attach it and check its label:
|
## Linux
|
||||||
|
|
||||||
|
Attach a USB disk and check its label:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo dmesg | tail
|
$ sudo dmesg | tail
|
||||||
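Review bot: replacing "To format and encrypt a USB drive on Linux, first attach it and check its label:" with a bare `## Linux` heading and "Attach a USB disk and check its label:" drops the warning that the steps which follow will repartition and overwrite the disk; keep that intent in the first sentence, e.g. "Attach a USB disk to be formatted and encrypted, and check its label:".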
@ -588,7 +608,7 @@ sd 8:0:0:0: [sde] Mode Sense: 43 00 00 00
|
|||||||
sd 8:0:0:0: [sde] Attached SCSI removable disk
|
sd 8:0:0:0: [sde] Attached SCSI removable disk
|
||||||
```
|
```
|
||||||
|
|
||||||
Check the size to make sure it's the right drive:
|
Check the size to make sure it's the right device:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo fdisk -l /dev/sde
|
$ sudo fdisk -l /dev/sde
|
||||||
@ -671,21 +691,19 @@ Creating journal (32768 blocks): done
|
|||||||
Writing superblocks and filesystem accounting information: done
|
Writing superblocks and filesystem accounting information: done
|
||||||
```
|
```
|
||||||
|
|
||||||
Mount the filesystem:
|
Mount the filesystem and copy the temporary GNUPG directory:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo mount /dev/mapper/usb /mnt
|
$ sudo mkdir /mnt/encrypted-usb
|
||||||
```
|
|
||||||
|
|
||||||
Backup all GPG files to it:
|
$ sudo mount /dev/mapper/usb /mnt/encrypted-usb
|
||||||
|
|
||||||
```console
|
$ sudo cp -avi $GNUPGHOME /mnt/encrypted-usb
|
||||||
$ sudo cp -avi $GNUPGHOME /mnt
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
||||||
|
|
||||||
Otherwise, unmount and disconnected the encrypted USB drive:
|
Otherwise, unmount and disconnected the encrypted USB disk:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo umount /mnt
|
$ sudo umount /mnt
|
||||||
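Review bot: the mount point changes to `/mnt/encrypted-usb` (`$ sudo mount /dev/mapper/usb /mnt/encrypted-usb`) but the unchanged cleanup lines at the end of this hunk still run `$ sudo umount /mnt`; with the new layout that either fails (`/mnt` is not a mount point) or unmounts whatever else happens to be on `/mnt`, and the following `cryptsetup luksClose usb` then fails because the mapping is still in use. Change the cleanup to `sudo umount /mnt/encrypted-usb`, matching the OpenBSD section added in the next hunk. While here, "unmount and disconnected the encrypted USB disk" should read "unmount and disconnect".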
@ -693,8 +711,92 @@ $ sudo umount /mnt
|
|||||||
$ sudo cryptsetup luksClose usb
|
$ sudo cryptsetup luksClose usb
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## OpenBSD
|
||||||
|
|
||||||
|
Attach a USB disk and determine its label:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ dmesg | grep sd.\ at
|
||||||
|
sd2 at scsibus5 targ 1 lun 0: <Samsung, Flash Drive DUO, 1100> SCSI4 0/direct removable serial.50010000000000000001
|
||||||
|
```
|
||||||
|
|
||||||
|
Print the existing partitions to make sure it's the right device:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ doas disklabel -h sd2
|
||||||
|
```
|
||||||
|
|
||||||
|
Initialize the disk by creating an `a` partition with FS type `RAID`:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ doas fdisk -iy sd2
|
||||||
|
Writing MBR at offset 0.
|
||||||
|
|
||||||
|
$ doas disklabel -E sd2
|
||||||
|
Label editor (enter '?' for help at any prompt)
|
||||||
|
> a a
|
||||||
|
offset: [64]
|
||||||
|
size: [62653436]
|
||||||
|
FS type: [4.2BSD] RAID
|
||||||
|
> w
|
||||||
|
> q
|
||||||
|
No label changes.
|
||||||
|
|
||||||
|
$ doas bioctl -c C -l sd2a softraid0
|
||||||
|
New passphrase:
|
||||||
|
Re-type passphrase:
|
||||||
|
softraid0: CRYPTO volume attached as sd3
|
||||||
|
```
|
||||||
|
|
||||||
|
Make an `i` partition, then make and mount the filesystem:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ doas fdisk -iy sd3
|
||||||
|
Writing MBR at offset 0.
|
||||||
|
|
||||||
|
$ doas disklabel -E sd3
|
||||||
|
Label editor (enter '?' for help at any prompt)
|
||||||
|
> a i
|
||||||
|
offset: [64]
|
||||||
|
size: [62637371]
|
||||||
|
FS type: [4.2BSD]
|
||||||
|
> w
|
||||||
|
> q
|
||||||
|
No label changes.
|
||||||
|
|
||||||
|
$ doas newfs sd3i
|
||||||
|
/dev/rsd3i: 30584.6MB in 62637344 sectors of 512 bytes
|
||||||
|
152 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
|
||||||
|
super-block backups (for fsck -b #) at:
|
||||||
|
32, 414688, 829344, 1244000, 1658656, 2073312, 2487968, 2902624, 3317280, 3731936, 4146592, 4561248, 4975904,
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
Mount the filesystem and copy the temporary GNUPG directory:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ doas mkdir /mnt/encrypted-usb
|
||||||
|
|
||||||
|
$ doas mount /dev/sd3i /mnt/encrypted-usb
|
||||||
|
|
||||||
|
$ doas cp -avi $GNUPGHOME /mnt/encrypted-usb
|
||||||
|
```
|
||||||
|
|
||||||
|
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
||||||
|
|
||||||
|
Otherwise, unmount and disconnected the encrypted USB disk:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ doas umount /mnt/encrypted-usb
|
||||||
|
|
||||||
|
$ doas bioctl -d sd3
|
||||||
|
```
|
||||||
|
|
||||||
|
See [OpenBSD FAQ#14](https://www.openbsd.org/faq/faq14.html#softraidCrypto) for more information.
|
||||||
|
|
||||||
# Configure YubiKey
|
# Configure YubiKey
|
||||||
|
|
||||||
|
**Note** YubiKey NEO shipped after November 2015 have [all modes enabled](https://www.yubico.com/support/knowledge-base/categories/articles/yubikey-neo-manager/); so this step may be skipped. Older versions of the YubiKey NEO may need to be reconfigured as a composite USB device (HID + CCID) which allows OTPs to be emitted while in use as a SmartCard.
|
||||||
Plug in YubiKey and configure it with the `ykpersonalize` utility:
|
Plug in YubiKey and configure it with the `ykpersonalize` utility:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
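Review bot: the device names in the new OpenBSD walkthrough are hardcoded (`sd2` for the USB disk, `sd3` for the softraid volume) all the way to the teardown `$ doas bioctl -d sd3`, yet they depend on what else is attached at the time; since the `bioctl -c C` output (`softraid0: CRYPTO volume attached as sd3`) names the volume, tell the reader to substitute the names reported by `dmesg` and `bioctl` rather than copying the transcript, because a wrong number at the `fdisk -iy` or `newfs` step wipes the wrong disk. The "Keep the backup mounted" and "Otherwise, unmount" paragraphs are copied verbatim from the Linux section, including the grammar slip "unmount and disconnected"; fix it to "disconnect" in both places.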
@ -706,9 +808,7 @@ The USB mode will be set to: 0x82
|
|||||||
Commit? (y/n) [n]: y
|
Commit? (y/n) [n]: y
|
||||||
```
|
```
|
||||||
|
|
||||||
The -m option is the mode command. To see the different modes, enter `ykpersonalize –help`. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID). Once you have changed the mode, you need to re-boot the YubiKey – so remove and re-insert it. On YubiKey NEO with firmware version 3.3 or higher, you can enable composite USB device with `-m86` instead of `-m82`.
|
The -m option is the mode command. To see the different modes, enter `ykpersonalize -help`. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID). Once you have changed the mode, you need to re-boot the YubiKey, so remove and re-insert it. On YubiKey NEO with firmware version 3.3 or higher, you can enable composite USB device with `-m86` instead of `-m82`.
|
||||||
|
|
||||||
**Note** YubiKey NEO shipped after November 2015 have [all modes enabled](https://www.yubico.com/support/knowledge-base/categories/articles/yubikey-neo-manager/); so this configuration may be skipped. Older versions of the YubiKey NEO may need to be reconfigured as a composite USB device (HID + CCID) which allows OTPs to be emitted while in use as a SmartCard.
|
|
||||||
|
|
||||||
**Windows** Use the [YubiKey NEO Manager](https://www.yubico.com/products/services-software/download/yubikey-neo-manager/) to enable CCID functionality.
|
**Windows** Use the [YubiKey NEO Manager](https://www.yubico.com/products/services-software/download/yubikey-neo-manager/) to enable CCID functionality.
|
||||||
|
|
||||||
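Review bot: `ykpersonalize -help`, replacing the typographic `–help`, is not the documented help switch; the original was almost certainly `--help` mangled into an en-dash, and ykpersonalize takes single-dash single-letter options with `-h` documented for usage, so write `ykpersonalize -h`. Moving the NEO note ahead of the `ykpersonalize -m82` transcript (previous hunk) is the right call, since it tells the reader whether to run the command at all.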
@ -945,7 +1045,7 @@ ssb> rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
|
|||||||
|
|
||||||
# Export public key
|
# Export public key
|
||||||
|
|
||||||
Mount another USB drive to copy the *public* key, or save it somewhere where you can easily access later.
|
Mount another USB disk to copy the *public* key, or save it somewhere where you can easily access later.
|
||||||
|
|
||||||
**Important** Without the *public* key, you will not be able to use GPG to encrypt, decrypt, nor sign messages. However, you will still be able to use the YubiKey for SSH.
|
**Important** Without the *public* key, you will not be able to use GPG to encrypt, decrypt, nor sign messages. However, you will still be able to use the YubiKey for SSH.
|
||||||
|
|
||||||
@ -1016,7 +1116,7 @@ $ chmod 600 ~/.gnupg/gpg.conf
|
|||||||
|
|
||||||
# Import public key
|
# Import public key
|
||||||
|
|
||||||
To import the public key from a file on an encrypted USB drive:
|
To import the public key from a file on an encrypted USB disk:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo cryptsetup luksOpen /dev/sdd1 usb
|
$ sudo cryptsetup luksOpen /dev/sdd1 usb
|
||||||
@ -1360,12 +1460,17 @@ debug1: Authentication succeeded (publickey).
|
|||||||
|
|
||||||
By default, YubiKey will perform key operations without requiring a touch from the user. To require a touch for every SSH authentication, use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager/) and Admin PIN:
|
By default, YubiKey will perform key operations without requiring a touch from the user. To require a touch for every SSH authentication, use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager/) and Admin PIN:
|
||||||
|
|
||||||
ykman openpgp touch aut on
|
```console
|
||||||
|
$ ykman openpgp touch aut on
|
||||||
|
```
|
||||||
|
|
||||||
To require a touch for signing and encryption operations:
|
To require a touch for signing and encryption operations:
|
||||||
|
|
||||||
ykman openpgp touch sig on
|
```console
|
||||||
ykman openpgp touch enc on
|
$ ykman openpgp touch sig on
|
||||||
|
|
||||||
|
$ ykman openpgp touch enc on
|
||||||
|
```
|
||||||
|
|
||||||
The YubiKey will blink when it's waiting for touch.
|
The YubiKey will blink when it's waiting for touch.
|
||||||
|
|
||||||
@ -1478,7 +1583,7 @@ You can then change the repository url to `git@github.com:USERNAME/repository` a
|
|||||||
|
|
||||||
## OpenBSD
|
## OpenBSD
|
||||||
|
|
||||||
Install `pcsc-tools` and enable with `doas rcctl enable pcscd`, then reboot in order to recognize YubiKey.
|
`doas pkg_add pcsc-tools` and enable with `doas rcctl enable pcscd`, then reboot in order to recognize YubiKey.
|
||||||
|
|
||||||
## Windows
|
## Windows
|
||||||
|
|
||||||
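Review bot: the rewritten sentence opens with a command used as a verb ("`doas pkg_add pcsc-tools` and enable with ..."), and it now duplicates the package install this same commit added under Required software (`doas pkg_add gnupg pcsc-tools`). Prefer: "Install `pcsc-tools` as described under Required software, enable the daemon with `doas rcctl enable pcscd` and start it with `doas rcctl start pcscd` (or reboot) so the YubiKey is recognised."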
@ -1511,20 +1616,20 @@ Copy this key to a file for later use. It represents the public SSH key correspo
|
|||||||
|
|
||||||
Now you can use PuTTY for public key SSH authentication. When the server asks for public key verification, PuTTY will forward the request to GPG, which will prompt you for a PIN and authorize the login using YubiKey.
|
Now you can use PuTTY for public key SSH authentication. When the server asks for public key verification, PuTTY will forward the request to GPG, which will prompt you for a PIN and authorize the login using YubiKey.
|
||||||
|
|
||||||
## WSL
|
### WSL
|
||||||
|
|
||||||
The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve:
|
The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve:
|
||||||
![WSL agent architecture](media/schema_gpg.png)
|
![WSL agent architecture](media/schema_gpg.png)
|
||||||
|
|
||||||
**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the [weasel-pageant](https://github.com/vuori/weasel-pageant) readme for further information.
|
**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the [weasel-pageant](https://github.com/vuori/weasel-pageant) readme for further information.
|
||||||
|
|
||||||
### Prerequisites
|
#### Prerequisites
|
||||||
|
|
||||||
* Ubuntu >16.04 for WSL
|
* Ubuntu >16.04 for WSL
|
||||||
* Kleopatra
|
* Kleopatra
|
||||||
* [Windows configuration](#windows)
|
* [Windows configuration](#windows)
|
||||||
|
|
||||||
### WSL configuration
|
#### WSL configuration
|
||||||
|
|
||||||
* Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant).
|
* Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant).
|
||||||
* Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to shell rc file. Use a named socket here so it can be used in the RemoteForward directive of the .ssh/config file.
|
* Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to shell rc file. Use a named socket here so it can be used in the RemoteForward directive of the .ssh/config file.
|
||||||
@ -1539,25 +1644,25 @@ RemoteForward <remote ssh socket path> /tmp/S.weasel-pageant
|
|||||||
|
|
||||||
**Note** The remote ssh socket path can be found by executing `$ gpgconf --list-dirs agent-ssh-socket` on the host.
|
**Note** The remote ssh socket path can be found by executing `$ gpgconf --list-dirs agent-ssh-socket` on the host.
|
||||||
|
|
||||||
### Remote host configuration
|
#### Remote host configuration
|
||||||
|
|
||||||
- Add to the shell rc file:
|
Add the following to the shell rc file:
|
||||||
|
|
||||||
```
|
```
|
||||||
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
||||||
export GPG_TTY=$(tty)
|
export GPG_TTY=$(tty)
|
||||||
```
|
```
|
||||||
|
|
||||||
- Add to `/etc/ssh/sshd_config`:
|
Add the following to `/etc/ssh/sshd_config`:
|
||||||
|
|
||||||
```
|
```
|
||||||
AllowAgentForwarding yes
|
AllowAgentForwarding yes
|
||||||
StreamLocalBindUnlink yes
|
StreamLocalBindUnlink yes
|
||||||
```
|
```
|
||||||
|
|
||||||
- Reload the ssh daemon (e.g., `sudo service sshd reload`).
|
And reload the SSH daemon (e.g., `sudo service sshd reload`).
|
||||||
|
|
||||||
### Final test
|
#### Final test
|
||||||
|
|
||||||
- Unplug YubiKey, disconnect or reboot.
|
- Unplug YubiKey, disconnect or reboot.
|
||||||
- Log back in to Windows, open a WSL console and enter `ssh-add -l` - you should see nothing.
|
- Log back in to Windows, open a WSL console and enter `ssh-add -l` - you should see nothing.
|
||||||
@ -1581,14 +1686,16 @@ StreamLocalBindUnlink yes
|
|||||||
|
|
||||||
- If you receive the error, `Yubikey core error: write error` - YubiKey is likely locked. Install and run yubikey-personalization-gui to unlock it.
|
- If you receive the error, `Yubikey core error: write error` - YubiKey is likely locked. Install and run yubikey-personalization-gui to unlock it.
|
||||||
|
|
||||||
- If you receive the error, `Key does not match the card's capability` - you likely need to use 2048 bit RSA key sizes with your Yubikey.
|
- If you receive the error, `Key does not match the card's capability` - you likely need to use 2048 bit RSA key sizes.
|
||||||
|
|
||||||
- If ssh authentication fails - add up to 3 `-v` flags to increase verbosity.
|
- If ssh authentication fails - add up to 3 `-v` flags to increase verbosity.
|
||||||
|
|
||||||
- If you receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - you probably have ssh-agent running. Make sure you replaced ssh-agent with gpg-agent as noted above.
|
- If you receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - make sure you replaced `ssh-agent` with `gpg-agent` as noted above.
|
||||||
|
|
||||||
- If you still receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - On Debian, [try](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835394) `gpg-connect-agent updatestartuptty /bye`
|
- If you still receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - On Debian, [try](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835394) `gpg-connect-agent updatestartuptty /bye`
|
||||||
|
|
||||||
|
- If you still receive the error, `sign_and_send_pubkey: signing failed: agent refused operation` - check `~/.gnupg/gpg-agent.conf` to make sure the path to `pinentry` is correct.
|
||||||
|
|
||||||
- If you receive the error, `Error connecting to agent: No such file or directory` from `ssh-add -L`, the UNIX file socket that the agent uses for communication with other processes may not be set up correctly. On Debian, try `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`
|
- If you receive the error, `Error connecting to agent: No such file or directory` from `ssh-add -L`, the UNIX file socket that the agent uses for communication with other processes may not be set up correctly. On Debian, try `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`
|
||||||
|
|
||||||
- If you receive the error, `Permission denied (publickey)`, increase ssh verbosity with the `-v` flag and ensure the public key from the card is being offered: `Offering public key: RSA SHA256:abcdefg... cardno:00060123456`. If it is, ensure you are connecting as the right user on the target system, rather than as the user on the local system. Otherwise, be sure `IdentitiesOnly` is not [enabled](https://github.com/FiloSottile/whosthere#how-do-i-stop-it) for this host.
|
- If you receive the error, `Permission denied (publickey)`, increase ssh verbosity with the `-v` flag and ensure the public key from the card is being offered: `Offering public key: RSA SHA256:abcdefg... cardno:00060123456`. If it is, ensure you are connecting as the right user on the target system, rather than as the user on the local system. Otherwise, be sure `IdentitiesOnly` is not [enabled](https://github.com/FiloSottile/whosthere#how-do-i-stop-it) for this host.
|
||||||
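Review bot: trimming "with your Yubikey" from the `Key does not match the card's capability` bullet removes the only hint that this is a limit of the token rather than of GnuPG; since the guide itself transfers rsa4096 subkeys (`ssb> rsa4096/...` in the Export public key context), say which hardware is limited, e.g. "older YubiKey models such as the NEO only accept RSA keys up to 2048 bits". Likewise the `agent refused operation` bullet lost the explanation that a stock `ssh-agent` is usually the one answering; keeping "you probably have ssh-agent running" helps readers diagnose it.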
@ -1604,7 +1711,6 @@ StreamLocalBindUnlink yes
|
|||||||
|
|
||||||
# Links
|
# Links
|
||||||
|
|
||||||
* http://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/
|
|
||||||
* https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
* https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
||||||
* https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO
|
* https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO
|
||||||
* https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
|
* https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
|
||||||
@ -1621,8 +1727,8 @@ StreamLocalBindUnlink yes
|
|||||||
* https://jclement.ca/articles/2015/gpg-smartcard/
|
* https://jclement.ca/articles/2015/gpg-smartcard/
|
||||||
* https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac
|
* https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac
|
||||||
* https://trmm.net/Yubikey
|
* https://trmm.net/Yubikey
|
||||||
|
* https://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/
|
||||||
* https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
|
* https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
|
||||||
* https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx
|
* https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx
|
||||||
* https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
|
* https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
|
||||||
* https://mlohr.com/gpg-agent-forwarding/
|
* https://mlohr.com/gpg-agent-forwarding/
|
||||||
|
|
||||||
|