diff options
author | ahriman <ahriman@falte.red> | 2019-09-02 17:42:06 -0400 |
---|---|---|
committer | ahriman <ahriman@falte.red> | 2019-09-02 17:42:06 -0400 |
commit | 0381bce35845cb387fcd7ce124da60b9c45c611a (patch) | |
tree | a28be6c57f92aa6b183f5ccc453cddfecea3c833 /pages/gpgssh.md | |
download | wiki-0381bce35845cb387fcd7ce124da60b9c45c611a.tar.gz |
tildewiki
Diffstat (limited to 'pages/gpgssh.md')
-rw-r--r-- | pages/gpgssh.md | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/pages/gpgssh.md b/pages/gpgssh.md new file mode 100644 index 0000000..96ab7cb --- /dev/null +++ b/pages/gpgssh.md @@ -0,0 +1,76 @@ +<!-- +title: GnuPG for SSH Authentication +Description: Using gpg-agent as an alternative to ssh-agent +author: ahriman +--> + +# Using GPG for SSH Authentication + +It's a fairly simply process to have gpg-agent handle your SSH +authentication. To start off, you'll need to have a private GnuPG key +generated with an appropriate subkey for authentication. Once that's +taken care of, open up `~/.gnupg/gpg-agent.conf` + +``` +$ cat ~/.gnupg/gpg-agent.conf + enable-ssh-support + default-cache-ttl 60 + max-cache-ttl 120 +``` + +Now you'll need to append the following to `~/.bashrc`, or the appropriate +rc file for your shell + +``` +$ cat ~/.bashrc + export GPG_TTY="$(tty)" + export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) + gpg-connect-agent updatestartuptty /bye > /dev/null +``` + +Once that's done, you'll need to let `gpg-agent` know which GnuPG subkey +to use for SSH authentication. Run the following and copy the keygrip +associated with the subkey you've generated specifically for authentication. +Don't use *my* keygrip, however. The output here is just for an example. `GnuPG` +computes the keygrips from the public key, so nothing here is sensitive +or private. + +``` +$ gpg --with-keygrip -k ben@gbmor.dev + pub rsa4096/0xEAB272409CD12FF0 2018-11-25 [SC] + Key fingerprint = 291A AFF7 A291 7DAB 0E01 6B9C EAB2 7240 9CD1 2FF0 + Keygrip = DE06FAA273017BBD8778F94639611CEF53AB9EBC + uid [ultimate] Ben Morrison <ben@gbmor.dev> + sub rsa4096/0xF9C3B650612249D9 2018-11-25 [E] + Keygrip = 751ADAC109736316B6ABEBB3F2BDF4612F8A630C + sub rsa4096/0x4969E5731CFEB507 2018-11-25 [A] + Keygrip = 44D1BDC0C1931E2E018E7CE49CDE14BFB4EA11E3 + sub rsa4096/0x8F192E4720BB0DAC 2018-11-25 [S] + Keygrip = 240966CBF2791D8C34D0DA646925435FED49F9BF +``` + +Now, open `~/.gnupg/sshcontrol` and paste the keygrip into that file. +It's the keygrip just below the key marked `[A]` for authentication. +Verify that the correct keygrip has been selected by running these two +and comparing the output: +``` +$ ssh-add -L + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g + KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== cardno:000609861127 +``` +``` +$ gpg --export-ssh-key <keyid> + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCakJKfXUuX/ZDxJQySdxCeQfxTu0g + KPCESGDyadvFAPDxtcTfOrxfqJLZx8CodkC7hzHT/QEy/xMgN18Q== openpgp:0x1CFEB507 +``` +The `ssh` output should match the `gpg` output (except maybe the little +trailing comment, like here). Also, I've removed most of the public key I'm using as +an example for brevity's sake. It should be quite a bit longer than this. +If `ssh` is correct, kill off `gpg-agent` +``` +$ pkill gpg-agent +``` + +Then open up a new terminal and attempt to connect to a server! + +[back](/) |