+++
title = "GPG, Smartcard and ssh"
date = 2016-07-21T14:35:14+00:00
[taxonomies]
tags = ["gpg", "yubikey", "fedora"]
+++

This blog post shows how to tweak Fedora if you want to use a smartcard with OpenPGP and also use it as an ssh key. It also serves me as a recipe for fresh installations.

First, you have to disable gnome-keyring-ssh by:

```console
$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop \
    $HOME/.config/autostart
$ echo "Hidden=true" \
    >> $HOME/.config/autostart/gnome-keyring-ssh.desktop
```

Because the pcscd daemon does not play nicely with scdaemon from gpg, we have two options.

1. disable pcscd completely (recommended) by

   ```console
   $ sudo systemctl mask --now pcscd.socket
   $ sudo systemctl mask --now pcscd.service
   ```

2. or a `$HOME/.gnupg/scdaemon.conf` with

   ```properties
   pcsc-driver /usr/lib64/libpcsclite.so.1
   disable-ccid
   ```

In `$HOME/.gnupg/gpg.conf`, `use-agent` should be enabled (it should be the default anyway).

`$HOME/.gnupg/gpg-agent.conf` should have:

```properties
enable-ssh-support
```

To point ssh to the gpg-agent, my `.bashrc` contains the lines:

```bash
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
```

On newer systems, this can be:

```bash
export SSH_AUTH_SOCK=/run/user/$UID/gnupg/S.gpg-agent.ssh
```

Relogin or reboot to get rid of gnome-keyring-ssh. Now `gpg2 --card-status` and `ssh-add -L` should work as expected:

```console
$ gpg2 --card-status
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006045502760000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXX
Name of cardholder: Harald Hoyer
Language prefs ...: de
Sex ..............: male
URL of public key : hkp://pool.sks-keyservers.net
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 23
Signature key ....: 8745 5B0B B9F9 CDC3 619D C4FE 7BDB F42F AF81 54A2
      created ....: 2016-07-11 18:25:14
Encryption key....: 380C 0F4C A077 779A D4D4 93D6 F3FC E22D CDB8 95CB
      created ....: 2016-07-11 18:25:14
Authentication key: 8D02 04DF 42FC 2133 8356 DDFB EB09 2344 9913 9572
      created ....: 2016-07-11 18:25:14
General key info..: [none]
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSMiUCfHXItvZuUP3xO7hjIBukVl9cILSjSapM8WNS8IdyJJrZE00fy30jUwxCeCzSGDMi3WwLlAby99jVyTRgdxb5qHPWaT0k7MmkWLs9vydpZBLLeeyS3KQBrGcwrIA0h0p7A1kCXesiVL6cQCsGMxfQf1YWFBaL5VamXxpfSmz6ia8BEtQJjhJ2NpsyAuAJEs2dPdc5xn/ZRbY+pHV8ruoK0JJdH3c/us6rbrNHKfGnkE5anbKNoMposie3ADjc5ElEFjfAmJ7WxFGvRHA5P51B3jcjSYx4YQvUGq3sW3AhBjfD9VuBIjXDR6B6PKNZSAesWjatTA4fJY1mcw1x cardno:000604550276
```

To forward your gpg-agent and ssh-agent to remote machines, I add the following lines to my `.ssh/config`:

```properties
RemoteForward /home/harald/.gnupg/S.gpg-agent /home/harald/.gnupg/S.gpg-agent
RemoteForward /home/harald/.gnupg/S.gpg-agent3 /home/harald/.gnupg/S.gpg-agent3
StreamLocalBindUnlink yes
ForwardAgent yes
```

OpenSSH has a [bug](https://bugzilla.mindrot.org/show_bug.cgi?id=2601), so that `StreamLocalBindUnlink yes` does not work in the client configuration; thus you have to add that option to the remote server's `/etc/ssh/sshd_config`.
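The steps above are easy to get half-right on a fresh install (keyring still owning `SSH_AUTH_SOCK`, the socket path from the wrong GnuPG generation, `ForwardAgent yes` left global). The following POSIX shell script is an added example, not part of the original post: it checks each piece of the setup. Every check takes its input as an argument or on stdin so it can be exercised against scratch files; `run_checks` wires the checks to the real paths from this post. The script name `check-gpg-ssh.sh`, the `check` argument and the `forward_agent_scoped` heuristic are my own assumptions.

```shell
#!/bin/sh
# check-gpg-ssh.sh (added example): sanity checks for the
# gpg-agent-as-ssh-agent setup described in the post above.

# Socket ssh should use: the per-user runtime directory on newer GnuPG
# (/run/user/$UID/gnupg), otherwise the legacy $HOME/.gnupg location.
gpg_ssh_socket_path() {
    runtime_dir="$1"    # e.g. /run/user/1000
    gnupg_home="$2"     # e.g. /home/harald/.gnupg
    if [ -d "$runtime_dir/gnupg" ]; then
        echo "$runtime_dir/gnupg/S.gpg-agent.ssh"
    else
        echo "$gnupg_home/S.gpg-agent.ssh"
    fi
}

# 0 if the autostart override hides gnome-keyring-ssh, so it cannot
# take over SSH_AUTH_SOCK before gpg-agent does.
keyring_ssh_disabled() {
    [ -f "$1" ] && grep -qx 'Hidden=true' "$1"
}

# 0 if config file $1 contains option line $2 (e.g. "enable-ssh-support"
# in gpg-agent.conf, "StreamLocalBindUnlink yes" in sshd_config).
has_option() {
    grep -qE "^[[:space:]]*$2[[:space:]]*$" "$1" 2>/dev/null
}

# Serial number from `gpg2 --card-status` output on stdin.
card_serial() {
    sed -n 's/^Serial number \.*: *//p'
}

# Number of keys in `ssh-add -L` output (stdin) that live on the card.
card_keys_loaded() {
    grep -c 'cardno:' || true
}

# 0 unless ssh_config enables ForwardAgent globally (top level or under
# "Host *"). Forwarding the agent to every host lets root on each remote
# use the card's keys, so it should be scoped to trusted Host blocks.
# Heuristic (assumption): only the "Keyword value" spelling is parsed.
forward_agent_scoped() {
    [ -f "$1" ] || return 0
    awk '
        { key = tolower($1) }
        key == "host" && NF == 2 && $2 == "*"                    { scoped = 0; next }
        key == "host" || key == "match"                          { scoped = 1; next }
        key == "forwardagent" && tolower($2) == "yes" && !scoped { bad = 1 }
        END { exit bad }
    ' "$1"
}

# Wire the checks to the live paths and report.
run_checks() {
    sock=$(gpg_ssh_socket_path "/run/user/$(id -u)" "$HOME/.gnupg")
    if [ "${SSH_AUTH_SOCK:-}" = "$sock" ]; then
        echo "ok   SSH_AUTH_SOCK=$sock"
    else
        echo "FAIL SSH_AUTH_SOCK is '${SSH_AUTH_SOCK:-}', expected $sock"
    fi
    keyring_ssh_disabled "$HOME/.config/autostart/gnome-keyring-ssh.desktop" \
        && echo "ok   gnome-keyring-ssh hidden" \
        || echo "FAIL gnome-keyring-ssh not hidden"
    has_option "$HOME/.gnupg/gpg-agent.conf" 'enable-ssh-support' \
        && echo "ok   enable-ssh-support set" \
        || echo "FAIL enable-ssh-support missing from gpg-agent.conf"
    forward_agent_scoped "$HOME/.ssh/config" \
        && echo "ok   ForwardAgent limited to Host blocks" \
        || echo "WARN ForwardAgent yes applies to every host"
    if [ -S "$sock" ]; then
        n=$(ssh-add -L 2>/dev/null | card_keys_loaded)
        echo "info $n smartcard key(s) offered by the agent"
    fi
}

# Only touch the real system when asked, so sourcing the file for tests
# has no side effects.
if [ "${1:-}" = "check" ]; then
    run_checks
fi
```

Run it as `sh check-gpg-ssh.sh check` after re-login. On GnuPG 2.1.13 and later you can also ask the agent itself for the socket with `gpgconf --list-dirs agent-ssh-socket` and compare that against `SSH_AUTH_SOCK`.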