harald/blog
1
0
Fork 0
Code Activity
blog/content/2016/07/21/gpg-smartcard-and-ssh.md
Harald Hoyer 429a176559 initial commit
2020-05-19 18:20:18 +02:00

87 lines
3.1 KiB
Markdown
Raw Blame History

+++
title = "GPG, Smartcard and ssh"
date = 2016-07-21T14:35:14+00:00
+++
This blog post shows how to tweak Fedora, if you want to use a smartcard with OpenPGP and use it also as a ssh key.
It also serves me as a recipe for fresh installations.
<!-- more -->
First, you have to disable gnome-keyring-ssh by:
```console
$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop \
$HOME/.config/autostart
$ echo "Hidden=true" \
>> $HOME/.config/autostart/gnome-keyring-ssh.desktop
```
Because the pcscd daemon does not play nicely with scdaemon from gpg, we have two options.
1. disable pcscd completely (recommended) by
```console
$ sudo systemctl mask --now pcscd.socket
$ sudo systemctl mask --now pcscd.service
```
2. or a `$HOME/.gnupg/scdaemon.conf` with
```properties
pcsc-driver /usr/lib64/libpcsclite.so.1
disable-ccid
```
In `$HOME/.gnupg/gpg.conf` `use-agent` should be enabled (should be the default anyway).
`$HOME/.gnupg/gpg-agent.conf` should have: `enable-ssh-support`
To point ssh to the gpg-agent my `.bashrc` contains the line:
```bash
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
```
on newer systems, this can be
```bash
export SSH_AUTH_SOCK=/run/user/$UID/gnupg/S.gpg-agent.ssh
```
Relogin or reboot to get rid of gnome-keyring-ssh.
Now `gpg2 --card-status` and `ssh-add -L` should work as expected:
```console
$ gpg2 --card-status
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006045502760000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXX
Name of cardholder: Harald Hoyer
Language prefs ...: de
Sex ..............: male
URL of public key : hkp://pool.sks-keyservers.net
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 23
Signature key ....: 8745 5B0B B9F9 CDC3 619D C4FE 7BDB F42F AF81 54A2 created ....: 2016-07-11 18:25:14
Encryption key....: 380C 0F4C A077 779A D4D4 93D6 F3FC E22D CDB8 95CB created ....: 2016-07-11 18:25:14
Authentication key: 8D02 04DF 42FC 2133 8356 DDFB EB09 2344 9913 9572 created ....: 2016-07-11 18:25:14
General key info..: [none]
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSMiUCfHXItvZuUP3xO7hjIBukVl9cILSjSapM8WNS8IdyJJrZE00fy30jUwxCeCzSGDMi3WwLlAby99jVyTRgdxb5qHPWaT0k7MmkWLs9vydpZBLLeeyS3KQBrGcwrIA0h0p7A1kCXesiVL6cQCsGMxfQf1YWFBaL5VamXxpfSmz6ia8BEtQJjhJ2NpsyAuAJEs2dPdc5xn/ZRbY+pHV8ruoK0JJdH3c/us6rbrNHKfGnkE5anbKNoMposie3ADjc5ElEFjfAmJ7WxFGvRHA5P51B3jcjSYx4YQvUGq3sW3AhBjfD9VuBIjXDR6B6PKNZSAesWjatTA4fJY1mcw1x cardno:000604550276
```
To forward your gpg-agent and ssh-agent to remote machines, I add the following lines to my .ssh/config:
```properties
RemoteForward /home/harald/.gnupg/S.gpg-agent /home/harald/.gnupg/S.gpg-agent
RemoteForward /home/harald/.gnupg/S.gpg-agent3 /home/harald/.gnupg/S.gpg-agent3
StreamLocalBindUnlink yes
ForwardAgent yes
```
OpenSSH has a [bug](https://bugzilla.mindrot.org/show_bug.cgi?id=2601), so that `StreamLocalBindUnlink yes` does not
work in the client configuration and thus, you have to add that option to the remote server `/etc/ssh/sshd_config`
View git blame Copy permalink