Using gpg for ssh (Maximum Portability)

Using gpg for ssh (Maximum Portability)

Christopher Jones
I recently set up my GPG keys on a YubiKey. I carry it around and it's pretty great. One of the ways I use these keys is to ssh into various systems. While the hardware is portable, the system is a little more difficult.

It's a task to set up gpg on new boxes: import the pub key, ultimately trust my key, and muck around with gpg and ssh agents.

Are there ways people on this list have found to make using PGP for ssh more portable? Any shortcuts for scripting some of this nonsense out, or any way to carry what you need on a single hardware device like a YubiKey?

I use Fedora, Red Hat, and Windows with Cygwin primarily.

Thanks!

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using gpg for ssh (Maximum Portability)

Peter Lebbing
On 18/06/17 03:48, Christopher Jones wrote:
> It's a task to setup gpg on new boxes: Import pub key, ultimately trust
> my key, and muck around with gpg and ssh agents.

If all you want to do is SSH, you don't need your key, so it reduces to
"muck around with gpg and ssh agents". As long as gpg-agent is correctly
configured to be an SSH agent, it will automagically use a plugged in
OpenPGP card with material in the Auth slot to do SSH authentication. No
OpenPGP key needed at all!

Configuring gpg as an SSH agent for Linux in the easiest way is very,
very distribution dependent. If you're lucky, it's a single switch
somewhere. systemd, or Xsession, or something similar.

And for non-Linux, I have no experience with that.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

Re: Using gpg for ssh (Maximum Portability)

Andrew Gallagher
On 2017/06/21 18:17, Peter Lebbing wrote:
> On 18/06/17 03:48, Christopher Jones wrote:
>> It's a task to setup gpg on new boxes: Import pub key, ultimately trust
>> my key, and muck around with gpg and ssh agents.
>
> Configuring gpg as an SSH agent for Linux in the easiest way is very,
> very distribution dependent. If you're lucky, it's a single switch
> somewhere. systemd, or Xsession, or something similar
For any linux distro that provides a recent gnupg 2.1, the easiest way
(not necessarily the Proper Way) is to put the following in your ~/.profile:

----
# Only take over SSH_AUTH_SOCK when this is a local login: if we arrived
# over ssh ($SSH_CLIENT set), keep the forwarded agent the client gave us.
if [ -z "$SSH_CLIENT" ]; then
        # GnuPG 2.1 puts its sockets under $XDG_RUNTIME_DIR/gnupg
        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
        export GPG_AGENT_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent"
        # Start gpg-agent if it is not already running (no-op otherwise)
        gpg-connect-agent /bye
fi
----

$XDG_RUNTIME_DIR normally expands to /run/user/<UID>. For v2.0, the
default socket location is under ~/.gnupg, but otherwise the trick is
the same. Note the vital <if> statement that prefers a forwarded
ssh-agent over a local gpg-agent.

This avoids having to mess around with distro/gui-specific session
configurations, and also has the advantage that you can cut and paste it
onto the command line of a logged-in system. There is no need to disable
the vanilla ssh-agent - just override $SSH_AUTH_SOCK and nothing will
talk to it.

A

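Peter's point (an OpenPGP card with a key in the Auth slot needs no key import; only gpg-agent has to act as the SSH agent) and Andrew's ~/.profile snippet fit together into one small script. The script below is an added example, written for this thread, not code posted by either of them. It assumes GnuPG 2.1.13 or later so that `gpgconf --list-dirs agent-ssh-socket` reports the socket path (the hard-coded `$XDG_RUNTIME_DIR` layout is only a fallback), that `gpg-connect-agent` and `ssh-add` are on PATH, and that `~/.gnupg/gpg-agent.conf` is the agent's config file. The function names `pick_ssh_auth_sock`, `gpg_ssh_socket`, `enable_ssh_support` and `setup_gpg_ssh` are mine.

```shell
#!/bin/sh
# Added example for the gnupg-users thread; not from the original posts.
# Makes gpg-agent the SSH agent for an OpenPGP card on a fresh GnuPG 2.1 box.

# Decide which agent socket to use. Refines the "vital if" from the thread:
# a forwarded agent (we are inside an ssh session AND the client supplied
# a socket) wins; otherwise use the local gpg-agent's SSH socket.
# Args: $1 = $SSH_CLIENT, $2 = current $SSH_AUTH_SOCK, $3 = gpg-agent ssh socket
pick_ssh_auth_sock() {
    if [ -n "$1" ] && [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$3"
    fi
}

# Locate gpg-agent's SSH socket. gpgconf knows the real path (it moved
# between 2.0, 2.1 and 2.1.13+), so ask it rather than hard-coding; fall
# back to the $XDG_RUNTIME_DIR layout only if gpgconf is not installed.
gpg_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/gnupg/S.gpg-agent.ssh"
    fi
}

# Ensure "enable-ssh-support" is in gpg-agent.conf exactly once (idempotent,
# so it is safe to paste on a box that was already set up).
# Args: $1 = path to gpg-agent.conf (default: ~/.gnupg/gpg-agent.conf)
enable_ssh_support() {
    conf=${1:-$HOME/.gnupg/gpg-agent.conf}
    dir=$(dirname "$conf")
    # gpg warns on a group/world-accessible homedir, so create it mode 700
    [ -d "$dir" ] || mkdir -m 700 -p "$dir"
    if [ -f "$conf" ] && grep -qx 'enable-ssh-support' "$conf"; then
        return 0
    fi
    printf 'enable-ssh-support\n' >> "$conf"
}

# Wire it all up: config, socket choice, agent start, and a check.
# No OpenPGP public key is imported; the card's Auth key is served directly.
setup_gpg_ssh() {
    enable_ssh_support
    sock=$(gpg_ssh_socket)
    SSH_AUTH_SOCK=$(pick_ssh_auth_sock "$SSH_CLIENT" "$SSH_AUTH_SOCK" "$sock")
    export SSH_AUTH_SOCK
    # Start gpg-agent if needed and tell it which tty to use for pinentry.
    gpg-connect-agent updatestartuptty /bye >/dev/null
    # With the card inserted, this should list its Auth key as an SSH key.
    ssh-add -L
}

# Usage: . ./gpg-ssh.sh && setup_gpg_ssh
```

Source the file and call `setup_gpg_ssh` once per login; the same lines can be pasted into a shell on an already logged-in box, as Andrew describes. If `ssh-add -L` prints nothing, insert the card and run `gpg --card-status` first, which makes the agent notice the card.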
Re: Using gpg for ssh (Maximum Portability)

Christopher Jones
Peter and Andrew,
   Thank you both for your responses. I'm going to see if I can't use your advice to ease my frequent system hoteling woes.

-CJones
