blog/content/2016/07/21/gpg-smartcard-and-ssh.md
2020-05-19 18:20:18 +02:00
+++
title = "GPG, Smartcard and ssh"
date = 2016-07-21T14:35:14+00:00
[taxonomies]
tags = ["gpg", "yubikey", "fedora"]
+++
This blog post shows how to tweak Fedora if you want to use an OpenPGP smartcard (here a YubiKey) and also use its authentication key as an ssh key.
It also serves me as a recipe for fresh installations.
<!-- more -->
First, you have to disable the gnome-keyring ssh agent component, which otherwise starts at login and points `SSH_AUTH_SOCK` at its own socket instead of gpg-agent's:
```console
$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop \
$HOME/.config/autostart
$ echo "Hidden=true" \
>> $HOME/.config/autostart/gnome-keyring-ssh.desktop
```
By default gpg's scdaemon talks to the reader with its built-in CCID driver, and that does not play nicely with the pcscd daemon holding the same USB device, so we have two options.
1. disable pcscd completely (recommended) by
```console
$ sudo systemctl mask --now pcscd.socket
$ sudo systemctl mask --now pcscd.service
```
2. or make scdaemon go through pcscd instead of its built-in driver, with a `$HOME/.gnupg/scdaemon.conf` containing
```properties
pcsc-driver /usr/lib64/libpcsclite.so.1
disable-ccid
```
In `$HOME/.gnupg/gpg.conf` `use-agent` should be enabled (it is the default anyway, and GnuPG 2.1 and later always use the agent, so the option is a no-op there).
`$HOME/.gnupg/gpg-agent.conf` should have: `enable-ssh-support` (restart the agent with `gpgconf --kill gpg-agent` after changing it).
To point ssh to the gpg-agent my `.bashrc` contains the lines:
```bash
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
```
On newer systems (GnuPG 2.1.13 and later put the sockets under the XDG runtime directory), this is
```bash
export SSH_AUTH_SOCK=/run/user/$UID/gnupg/S.gpg-agent.ssh
```
Relogin or reboot to get rid of the gnome-keyring ssh agent, so that `SSH_AUTH_SOCK` is no longer overwritten.
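The whole recipe above as one idempotent shell script, followed by the same check the next section does by hand. This is an added example, not the original post's code; it assumes GnuPG 2.1 or later with `gpgconf` available, the systemd unit names used above, and a made-up script name of `setup-gpg-ssh.sh`.

```shell
#!/bin/sh
# Added example (not from the original post): the steps of the recipe as an
# idempotent script for a fresh Fedora install. `sh setup-gpg-ssh.sh apply`
# applies them; without an argument only the functions are defined, so the
# file can be sourced and the helpers exercised on their own.

# Append line $2 to file $1 unless an identical line is already present.
ensure_line() {
    file=$1
    line=$2
    mkdir -p "$(dirname "$file")"
    if [ ! -f "$file" ] || ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Path of the gpg-agent ssh socket as a pure function of HOME ($1) and the
# XDG runtime dir ($2): GnuPG >= 2.1.13 puts sockets under /run/user/$UID/gnupg
# when that directory exists, older versions under ~/.gnupg.
gpg_ssh_socket_path() {
    if [ -n "$2" ] && [ -d "$2/gnupg" ]; then
        printf '%s\n' "$2/gnupg/S.gpg-agent.ssh"
    else
        printf '%s\n' "$1/.gnupg/S.gpg-agent.ssh"
    fi
}

# Hide gnome-keyring's ssh component for this user (first step of the post).
disable_gnome_keyring_ssh() {
    desktop=$HOME/.config/autostart/gnome-keyring-ssh.desktop
    if [ ! -f "$desktop" ]; then
        mkdir -p "$(dirname "$desktop")"
        cp /etc/xdg/autostart/gnome-keyring-ssh.desktop "$desktop"
    fi
    ensure_line "$desktop" "Hidden=true"
}

# Keep pcscd away from the reader (option 1 of the post, the recommended one).
disable_pcscd() {
    sudo systemctl mask --now pcscd.socket pcscd.service
}

# gpg-agent must speak the ssh-agent protocol; restart it so the change is live.
enable_agent_ssh_support() {
    ensure_line "$HOME/.gnupg/gpg-agent.conf" "enable-ssh-support"
    chmod 700 "$HOME/.gnupg"
    gpgconf --kill gpg-agent
}

# Point ssh at gpg-agent. Prefer asking gpgconf (GnuPG >= 2.1.13); fall back
# to the path rule above if it does not answer with a single socket path.
export_ssh_auth_sock() {
    unset SSH_AGENT_PID
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null || true)
    case $sock in
        */S.gpg-agent.ssh) ;;
        *) sock=$(gpg_ssh_socket_path "$HOME" "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}") ;;
    esac
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# Same check as the post: scdaemon sees the card, and ssh-add lists a card key.
verify() {
    gpg2 --card-status >/dev/null || { echo "card not visible to scdaemon" >&2; return 1; }
    ssh-add -L | grep -q 'cardno:' || { echo "no card key in ssh-add -L" >&2; return 1; }
    echo "ok: ssh-agent socket is $SSH_AUTH_SOCK"
}

if [ "${1:-}" = "apply" ]; then
    disable_gnome_keyring_ssh
    disable_pcscd
    enable_agent_ssh_support
    export_ssh_auth_sock
    # Make the socket setting persistent for interactive shells.
    ensure_line "$HOME/.bashrc" 'unset SSH_AGENT_PID'
    ensure_line "$HOME/.bashrc" 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)'
    verify
fi
```

`ensure_line` is what makes re-running the script safe: configuration lines are only appended once, so the script can double as a post-install check.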
Now `gpg2 --card-status` and `ssh-add -L` should work as expected:
```console
$ gpg2 --card-status
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006045502760000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXX
Name of cardholder: Harald Hoyer
Language prefs ...: de
Sex ..............: male
URL of public key : hkp://pool.sks-keyservers.net
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 23
Signature key ....: 8745 5B0B B9F9 CDC3 619D C4FE 7BDB F42F AF81 54A2 created ....: 2016-07-11 18:25:14
Encryption key....: 380C 0F4C A077 779A D4D4 93D6 F3FC E22D CDB8 95CB created ....: 2016-07-11 18:25:14
Authentication key: 8D02 04DF 42FC 2133 8356 DDFB EB09 2344 9913 9572 created ....: 2016-07-11 18:25:14
General key info..: [none]
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSMiUCfHXItvZuUP3xO7hjIBukVl9cILSjSapM8WNS8IdyJJrZE00fy30jUwxCeCzSGDMi3WwLlAby99jVyTRgdxb5qHPWaT0k7MmkWLs9vydpZBLLeeyS3KQBrGcwrIA0h0p7A1kCXesiVL6cQCsGMxfQf1YWFBaL5VamXxpfSmz6ia8BEtQJjhJ2NpsyAuAJEs2dPdc5xn/ZRbY+pHV8ruoK0JJdH3c/us6rbrNHKfGnkE5anbKNoMposie3ADjc5ElEFjfAmJ7WxFGvRHA5P51B3jcjSYx4YQvUGq3sW3AhBjfD9VuBIjXDR6B6PKNZSAesWjatTA4fJY1mcw1x cardno:000604550276
```
To forward your gpg-agent and ssh-agent to remote machines, I add the following lines to my `.ssh/config` (the `RemoteForward` arguments are the remote socket path first, then the local one):
```properties
RemoteForward /home/harald/.gnupg/S.gpg-agent /home/harald/.gnupg/S.gpg-agent
RemoteForward /home/harald/.gnupg/S.gpg-agent3 /home/harald/.gnupg/S.gpg-agent3
StreamLocalBindUnlink yes
ForwardAgent yes
```
OpenSSH has a [bug](https://bugzilla.mindrot.org/show_bug.cgi?id=2601), so that `StreamLocalBindUnlink yes` does not
work in the client configuration; thus you have to add that option to the remote server's `/etc/ssh/sshd_config`, or the second connection fails because the stale socket file is still there.
Keep in mind that both forwards hand your keys to the remote host for the duration of the session: anyone with root there can use the forwarded gpg-agent and, with `ForwardAgent yes`, your ssh key, so only do this for machines you trust.