1
0
mirror of https://github.com/drduh/YubiKey-Guide.git synced 2024-11-25 08:48:07 +00:00

remove multiple hosts

This commit is contained in:
drduh 2024-02-12 09:33:22 -08:00
parent 92d4212019
commit d6848d5440

141
README.md
View File

@ -24,14 +24,14 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
* [OneRNG](#onerng)
- [Generate keys](#generate-keys)
* [Temporary working directory](#temporary-working-directory)
* [Harden configuration](#harden-configuration)
* [Hardened configuration](#hardened-configuration)
- [Certify key](#certify-key)
- [Sign with existing key](#sign-with-existing-key)
- [Subkeys](#subkeys)
* [Signing](#signing)
* [Encryption](#encryption)
* [Authentication](#authentication)
* [Add extra identities](#add-extra-identities)
* [Extra Identities](#extra-identities)
- [Verify](#verify)
- [Export secret keys](#export-secret-keys)
- [Revocation certificate](#revocation-certificate)
@ -48,7 +48,6 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
- [Verify card](#verify-card)
- [Multiple YubiKeys](#multiple-yubikeys)
* [Switching between YubiKeys](#switching-between-yubikeys)
- [Multiple Hosts](#multiple-hosts)
- [Finish](#finish)
- [Using keys](#using-keys)
- [Rotating keys](#rotating-keys)
@ -66,19 +65,15 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
* [Remote Machines (SSH Agent Forwarding)](#remote-machines-ssh-agent-forwarding)
+ [Use ssh-agent ](#use-ssh-agent)
+ [Use S.gpg-agent.ssh](#use-sgpg-agentssh)
+ [Chained SSH Agent Forwarding](#chained-ssh-agent-forwarding)
+ [Chained SSH agent forwarding](#chained-ssh-agent-forwarding)
* [GitHub](#github)
* [OpenBSD](#openbsd-1)
* [Windows](#windows-1)
+ [WSL](#wsl)
- [Use ssh-agent or use S.weasel-pageant](#use-ssh-agent-or-use-sweasel-pageant)
- [Prerequisites](#prerequisites)
- [WSL configuration](#wsl-configuration)
- [Remote host configuration](#remote-host-configuration)
* [macOS](#macos-1)
- [Remote Machines (GPG Agent Forwarding)](#remote-machines-gpg-agent-forwarding)
* [Steps for older distributions](#steps-for-older-distributions)
* [Chained GPG Agent Forwarding](#chained-gpg-agent-forwarding)
* [Chained GnuPG agent forwarding](#chained-gnupg-agent-forwarding)
- [Using Multiple Keys](#using-multiple-keys)
- [Adding an identity](#adding-an-identity)
* [Updating YubiKey](#updating-yubikey)
@ -310,10 +305,10 @@ nix build --experimental-features "nix-command flakes" .#nixosConfigurations.yub
Copy it to a USB drive:
```console
sudo cp -v result/iso/yubikeyLive.iso /dev/sdb; sync
sudo cp -v result/iso/yubikeyLive.iso /dev/sdb ; sync
```
With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#harden-configuration), as it was done when creating the image.
With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#hardened-configuration), as it was done when creating the image.
## OpenBSD
@ -357,7 +352,7 @@ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C
## OneRNG
Configure [rng-tools](https://wiki.archlinux.org/index.php/Rng-tools) software:
Configure [rng-tools](https://wiki.archlinux.org/title/Rng-tools):
```console
sudo apt -y install at rng-tools python3-gnupg openssl
@ -398,7 +393,7 @@ Create a temporary directory which will be cleared on [reboot](https://en.wikipe
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
```
## Harden configuration
## Hardened configuration
Import or create a hardened configuration for GnuPG:
@ -787,7 +782,7 @@ Finish by saving the keys:
gpg> save
```
## Add extra identities
## Extra Identities
**Optional** To add additional email addresses or identities, use `adduid`
@ -1166,7 +1161,7 @@ gpg -o \path\to\dir\pubkey.gpg --armor --export $KEYID
**Keyserver**
**Optional** Upload the public key to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver):
**Optional** Upload the public key to a public keyserver:
```console
gpg --send-key $KEYID
@ -1182,6 +1177,23 @@ Or if [uploading to keys.openpgp.org](https://keys.openpgp.org/about/usage):
gpg --send-key $KEYID | curl -T - https://keys.openpgp.org
```
The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
```console
URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
```
Edit YubiKey with `gpg --edit-card` and the Admin PIN:
```console
gpg/card> admin
gpg/card> url
URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
gpg/card> quit
```
# Configure YubiKey
Insert YubiKey and use GnuPG to configure it:
@ -1452,81 +1464,6 @@ GnuPG will scan the first YubiKey for keys and recreate the stubs to point to th
To use the second YubiKey, repeat the command.
# Multiple Hosts
Export the public key and trust setting from the current host:
```console
gpg --armor --export $KEYID > gpg-public-key-$KEYID.asc
gpg --export-ownertrust > gpg-owner-trust.txt
```
Move both files to the second host, then define the key ID:
```console
export KEYID=0xF0F2CFEB04341FB5
```
Import the public key:
```console
gpg --import gpg-public-key-$KEYID.asc
```
Import the trust setting:
```console
gpg --import-ownertrust < gpg-owner-trust.txt
```
Insert YubiKey and import key stubs:
```console
gpg --card-status
```
Or download from a public key server:
```console
gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv $KEYID
```
Configure trust:
```console
$ gpg --edit-key $KEYID
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit
```
The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
```console
[[ ! "$KEYID" =~ ^"0x" ]] && KEYID="0x${KEYID}"
URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
```
Edit YubiKey with `gpg --edit-card` and the Admin PIN:
```console
gpg/card> admin
gpg/card> url
URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
gpg/card> quit
```
With the URL on YubiKey, retrieve the public key:
```console
gpg/card> fetch
gpg/card> quit
```
# Finish
@ -1615,6 +1552,14 @@ Or download the public key from a keyserver:
gpg --recv $KEYID
```
Or with the URL on YubiKey, retrieve the public key:
```console
gpg/card> fetch
gpg/card> quit
```
Edit the Certify key:
```console
@ -2010,7 +1955,7 @@ ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000
## (Optional) Save public key for identity file configuration
By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`.
By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://words.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`.
The argument provided to `IdentityFile` is traditionally the path to the _private_ key file (for example `IdentityFile ~/.ssh/id_rsa`). For YubiKey, `IdentityFile` must point to the _public_ key file, and `ssh` will select the appropriate private key from those available via ssh-agent. To prevent `ssh` from trying all keys in the agent, use `IdentitiesOnly yes` along with one or more `-i` or `IdentityFile` options for the target host.
@ -2135,7 +2080,7 @@ After sourcing the shell rc file, `ssh-add -l` will return the correct public ke
**Note** In this process no gpg-agent in the remote is involved, hence `gpg-agent.conf` in the remote is of no use. Also pinentry is invoked locally.
### Chained SSH Agent Forwarding
### Chained SSH agent forwarding
If you use `ssh-agent` provided by OpenSSH and want to forward it into a *third* box, you can just `ssh -A third` on the *remote*.
@ -2265,18 +2210,12 @@ The goal is to configure SSH client inside WSL work together with the Windows ag
**Note** this works only for SSH agent forwarding. GnuPG forwarding for cryptographic operations is not supported. See [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant) for more information.
#### Use ssh-agent or use S.weasel-pageant
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information.
#### Prerequisites
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information. This requires:
* Ubuntu 16.04 or newer for WSL
* Kleopatra
* [Windows configuration](#windows)
#### WSL configuration
Download [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant).
Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to the shell rc file. Use a named socket here so it can be used in the `RemoteForward` directive of `~/.ssh/config`. Source it with `source ~/.bashrc`.
@ -2291,8 +2230,6 @@ RemoteForward <remote SSH socket path> /tmp/S.weasel-pageant
**Note** The remote SSH socket path can be found with `gpgconf --list-dirs agent-ssh-socket`
#### Remote host configuration
Add the following to the shell rc file:
```console
@ -2436,7 +2373,7 @@ extra-socket /run/user/1000/gnupg/S.gpg-agent.extra
See [Issue #85](https://github.com/drduh/YubiKey-Guide/issues/85) for more information and troubleshooting.
## Chained GPG Agent Forwarding
## Chained GnuPG agent forwarding
Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines: