1
0
mirror of https://github.com/drduh/YubiKey-Guide.git synced 2024-11-22 07:18:06 +00:00

remove multiple hosts

This commit is contained in:
drduh 2024-02-12 09:33:22 -08:00
parent 92d4212019
commit d6848d5440

141
README.md
View File

@ -24,14 +24,14 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
* [OneRNG](#onerng) * [OneRNG](#onerng)
- [Generate keys](#generate-keys) - [Generate keys](#generate-keys)
* [Temporary working directory](#temporary-working-directory) * [Temporary working directory](#temporary-working-directory)
* [Harden configuration](#harden-configuration) * [Hardened configuration](#hardened-configuration)
- [Certify key](#certify-key) - [Certify key](#certify-key)
- [Sign with existing key](#sign-with-existing-key) - [Sign with existing key](#sign-with-existing-key)
- [Subkeys](#subkeys) - [Subkeys](#subkeys)
* [Signing](#signing) * [Signing](#signing)
* [Encryption](#encryption) * [Encryption](#encryption)
* [Authentication](#authentication) * [Authentication](#authentication)
* [Add extra identities](#add-extra-identities) * [Extra Identities](#extra-identities)
- [Verify](#verify) - [Verify](#verify)
- [Export secret keys](#export-secret-keys) - [Export secret keys](#export-secret-keys)
- [Revocation certificate](#revocation-certificate) - [Revocation certificate](#revocation-certificate)
@ -48,7 +48,6 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
- [Verify card](#verify-card) - [Verify card](#verify-card)
- [Multiple YubiKeys](#multiple-yubikeys) - [Multiple YubiKeys](#multiple-yubikeys)
* [Switching between YubiKeys](#switching-between-yubikeys) * [Switching between YubiKeys](#switching-between-yubikeys)
- [Multiple Hosts](#multiple-hosts)
- [Finish](#finish) - [Finish](#finish)
- [Using keys](#using-keys) - [Using keys](#using-keys)
- [Rotating keys](#rotating-keys) - [Rotating keys](#rotating-keys)
@ -66,19 +65,15 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
* [Remote Machines (SSH Agent Forwarding)](#remote-machines-ssh-agent-forwarding) * [Remote Machines (SSH Agent Forwarding)](#remote-machines-ssh-agent-forwarding)
+ [Use ssh-agent ](#use-ssh-agent) + [Use ssh-agent ](#use-ssh-agent)
+ [Use S.gpg-agent.ssh](#use-sgpg-agentssh) + [Use S.gpg-agent.ssh](#use-sgpg-agentssh)
+ [Chained SSH Agent Forwarding](#chained-ssh-agent-forwarding) + [Chained SSH agent forwarding](#chained-ssh-agent-forwarding)
* [GitHub](#github) * [GitHub](#github)
* [OpenBSD](#openbsd-1) * [OpenBSD](#openbsd-1)
* [Windows](#windows-1) * [Windows](#windows-1)
+ [WSL](#wsl) + [WSL](#wsl)
- [Use ssh-agent or use S.weasel-pageant](#use-ssh-agent-or-use-sweasel-pageant)
- [Prerequisites](#prerequisites)
- [WSL configuration](#wsl-configuration)
- [Remote host configuration](#remote-host-configuration)
* [macOS](#macos-1) * [macOS](#macos-1)
- [Remote Machines (GPG Agent Forwarding)](#remote-machines-gpg-agent-forwarding) - [Remote Machines (GPG Agent Forwarding)](#remote-machines-gpg-agent-forwarding)
* [Steps for older distributions](#steps-for-older-distributions) * [Steps for older distributions](#steps-for-older-distributions)
* [Chained GPG Agent Forwarding](#chained-gpg-agent-forwarding) * [Chained GnuPG agent forwarding](#chained-gnupg-agent-forwarding)
- [Using Multiple Keys](#using-multiple-keys) - [Using Multiple Keys](#using-multiple-keys)
- [Adding an identity](#adding-an-identity) - [Adding an identity](#adding-an-identity)
* [Updating YubiKey](#updating-yubikey) * [Updating YubiKey](#updating-yubikey)
@ -310,10 +305,10 @@ nix build --experimental-features "nix-command flakes" .#nixosConfigurations.yub
Copy it to a USB drive: Copy it to a USB drive:
```console ```console
sudo cp -v result/iso/yubikeyLive.iso /dev/sdb; sync sudo cp -v result/iso/yubikeyLive.iso /dev/sdb ; sync
``` ```
With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#harden-configuration), as it was done when creating the image. With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#hardened-configuration), as it was done when creating the image.
## OpenBSD ## OpenBSD
@ -357,7 +352,7 @@ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C
## OneRNG ## OneRNG
Configure [rng-tools](https://wiki.archlinux.org/index.php/Rng-tools) software: Configure [rng-tools](https://wiki.archlinux.org/title/Rng-tools):
```console ```console
sudo apt -y install at rng-tools python3-gnupg openssl sudo apt -y install at rng-tools python3-gnupg openssl
@ -398,7 +393,7 @@ Create a temporary directory which will be cleared on [reboot](https://en.wikipe
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX) export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
``` ```
## Harden configuration ## Hardened configuration
Import or create a hardened configuration for GnuPG: Import or create a hardened configuration for GnuPG:
@ -787,7 +782,7 @@ Finish by saving the keys:
gpg> save gpg> save
``` ```
## Add extra identities ## Extra Identities
**Optional** To add additional email addresses or identities, use `adduid` **Optional** To add additional email addresses or identities, use `adduid`
@ -1166,7 +1161,7 @@ gpg -o \path\to\dir\pubkey.gpg --armor --export $KEYID
**Keyserver** **Keyserver**
**Optional** Upload the public key to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver): **Optional** Upload the public key to a public keyserver:
```console ```console
gpg --send-key $KEYID gpg --send-key $KEYID
@ -1182,6 +1177,23 @@ Or if [uploading to keys.openpgp.org](https://keys.openpgp.org/about/usage):
gpg --send-key $KEYID | curl -T - https://keys.openpgp.org gpg --send-key $KEYID | curl -T - https://keys.openpgp.org
``` ```
The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
```console
URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
```
Edit YubiKey with `gpg --edit-card` and the Admin PIN:
```console
gpg/card> admin
gpg/card> url
URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
gpg/card> quit
```
# Configure YubiKey # Configure YubiKey
Insert YubiKey and use GnuPG to configure it: Insert YubiKey and use GnuPG to configure it:
@ -1452,81 +1464,6 @@ GnuPG will scan the first YubiKey for keys and recreate the stubs to point to th
To use the second YubiKey, repeat the command. To use the second YubiKey, repeat the command.
# Multiple Hosts
Export the public key and trust setting from the current host:
```console
gpg --armor --export $KEYID > gpg-public-key-$KEYID.asc
gpg --export-ownertrust > gpg-owner-trust.txt
```
Move both files to the second host, then define the key ID:
```console
export KEYID=0xF0F2CFEB04341FB5
```
Import the public key:
```console
gpg --import gpg-public-key-$KEYID.asc
```
Import the trust setting:
```console
gpg --import-ownertrust < gpg-owner-trust.txt
```
Insert YubiKey and import key stubs:
```console
gpg --card-status
```
Or download from a public key server:
```console
gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv $KEYID
```
Configure trust:
```console
$ gpg --edit-key $KEYID
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit
```
The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
```console
[[ ! "$KEYID" =~ ^"0x" ]] && KEYID="0x${KEYID}"
URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
```
Edit YubiKey with `gpg --edit-card` and the Admin PIN:
```console
gpg/card> admin
gpg/card> url
URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
gpg/card> quit
```
With the URL on YubiKey, retrieve the public key:
```console
gpg/card> fetch
gpg/card> quit
```
# Finish # Finish
@ -1615,6 +1552,14 @@ Or download the public key from a keyserver:
gpg --recv $KEYID gpg --recv $KEYID
``` ```
Or with the URL on YubiKey, retrieve the public key:
```console
gpg/card> fetch
gpg/card> quit
```
Edit the Certify key: Edit the Certify key:
```console ```console
@ -2010,7 +1955,7 @@ ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000
## (Optional) Save public key for identity file configuration ## (Optional) Save public key for identity file configuration
By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`. By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://words.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`.
The argument provided to `IdentityFile` is traditionally the path to the _private_ key file (for example `IdentityFile ~/.ssh/id_rsa`). For YubiKey, `IdentityFile` must point to the _public_ key file, and `ssh` will select the appropriate private key from those available via ssh-agent. To prevent `ssh` from trying all keys in the agent, use `IdentitiesOnly yes` along with one or more `-i` or `IdentityFile` options for the target host. The argument provided to `IdentityFile` is traditionally the path to the _private_ key file (for example `IdentityFile ~/.ssh/id_rsa`). For YubiKey, `IdentityFile` must point to the _public_ key file, and `ssh` will select the appropriate private key from those available via ssh-agent. To prevent `ssh` from trying all keys in the agent, use `IdentitiesOnly yes` along with one or more `-i` or `IdentityFile` options for the target host.
@ -2135,7 +2080,7 @@ After sourcing the shell rc file, `ssh-add -l` will return the correct public ke
**Note** In this process no gpg-agent in the remote is involved, hence `gpg-agent.conf` in the remote is of no use. Also pinentry is invoked locally. **Note** In this process no gpg-agent in the remote is involved, hence `gpg-agent.conf` in the remote is of no use. Also pinentry is invoked locally.
### Chained SSH Agent Forwarding ### Chained SSH agent forwarding
If you use `ssh-agent` provided by OpenSSH and want to forward it into a *third* box, you can just `ssh -A third` on the *remote*. If you use `ssh-agent` provided by OpenSSH and want to forward it into a *third* box, you can just `ssh -A third` on the *remote*.
@ -2265,18 +2210,12 @@ The goal is to configure SSH client inside WSL work together with the Windows ag
**Note** this works only for SSH agent forwarding. GnuPG forwarding for cryptographic operations is not supported. See [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant) for more information. **Note** this works only for SSH agent forwarding. GnuPG forwarding for cryptographic operations is not supported. See [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant) for more information.
#### Use ssh-agent or use S.weasel-pageant One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information. This requires:
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information.
#### Prerequisites
* Ubuntu 16.04 or newer for WSL * Ubuntu 16.04 or newer for WSL
* Kleopatra * Kleopatra
* [Windows configuration](#windows) * [Windows configuration](#windows)
#### WSL configuration
Download [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant). Download [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant).
Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to the shell rc file. Use a named socket here so it can be used in the `RemoteForward` directive of `~/.ssh/config`. Source it with `source ~/.bashrc`. Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to the shell rc file. Use a named socket here so it can be used in the `RemoteForward` directive of `~/.ssh/config`. Source it with `source ~/.bashrc`.
@ -2291,8 +2230,6 @@ RemoteForward <remote SSH socket path> /tmp/S.weasel-pageant
**Note** The remote SSH socket path can be found with `gpgconf --list-dirs agent-ssh-socket` **Note** The remote SSH socket path can be found with `gpgconf --list-dirs agent-ssh-socket`
#### Remote host configuration
Add the following to the shell rc file: Add the following to the shell rc file:
```console ```console
@ -2436,7 +2373,7 @@ extra-socket /run/user/1000/gnupg/S.gpg-agent.extra
See [Issue #85](https://github.com/drduh/YubiKey-Guide/issues/85) for more information and troubleshooting. See [Issue #85](https://github.com/drduh/YubiKey-Guide/issues/85) for more information and troubleshooting.
## Chained GPG Agent Forwarding ## Chained GnuPG agent forwarding
Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines: Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines: