GPG, Smartcard and ssh
Harald Hoyer, July 21, 2016 #gpg #yubikey #fedora

This blog post shows how to tweak Fedora if you want to use a smartcard with OpenPGP and also use it as an ssh key. It also serves me as a recipe for fresh installations.
First, you have to disable gnome-keyring-ssh by:
$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop \
$HOME/.config/autostart
$ echo "Hidden=true" \
>> $HOME/.config/autostart/gnome-keyring-ssh.desktop
Because the pcscd daemon does not play nicely with scdaemon from gpg, we have two options.
- disable pcscd completely (recommended) by
  $ sudo systemctl mask --now pcscd.socket
  $ sudo systemctl mask --now pcscd.service
- or a $HOME/.gnupg/scdaemon.conf with
  pcsc-driver /usr/lib64/libpcsclite.so.1
  disable-ccid
In $HOME/.gnupg/gpg.conf, use-agent should be enabled (should be the default anyway).
$HOME/.gnupg/gpg-agent.conf should have:
enable-ssh-support
To point ssh to the gpg-agent, my .bashrc contains the lines:
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
On newer systems, this can be
export SSH_AUTH_SOCK=/run/user/$UID/gnupg/S.gpg-agent.ssh
Relogin or reboot to get rid of gnome-keyring-ssh.
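Before relogging in, it is worth checking that every piece above is actually in place, because a leftover gnome-keyring-ssh or a missing agent option only shows up later as a silently wrong SSH_AUTH_SOCK. The following script is an added example, not part of the original post; it audits the files and option names used above under a given HOME and runs against a constructed sample HOME so it can be tried stand-alone.

```shell
#!/bin/sh
# Added example, not from the original post: reports which of the settings
# described above are in place under a given HOME. File paths and option
# names are the ones used in the post; the sample HOME at the end is constructed.

# 0 if file $1 has a line matching regex $2 (a missing file counts as no match).
has_line() { grep -qs -- "$2" "$1"; }

# Print one status line; $1 is the label, $2 is 0 (ok) or 1 (missing).
report() {
  if [ "$2" -eq 0 ]; then echo "ok      $1"; else echo "MISSING $1"; fi
}

# Check the config files and the agent socket path; prints one line per
# setting and returns the number of missing settings (0 = setup complete).
check_gpg_ssh_setup() {
  home="$1"; sock="$2"; missing=0
  for spec in \
    "$home/.config/autostart/gnome-keyring-ssh.desktop|^Hidden=true|gnome-keyring-ssh autostart hidden" \
    "$home/.gnupg/gpg.conf|^use-agent|use-agent in gpg.conf" \
    "$home/.gnupg/gpg-agent.conf|^enable-ssh-support|enable-ssh-support in gpg-agent.conf"
  do
    file=${spec%%|*}; rest=${spec#*|}; pat=${rest%%|*}; label=${rest#*|}
    if has_line "$file" "$pat"; then
      report "$label" 0
    else
      report "$label" 1; missing=$((missing + 1))
    fi
  done
  # SSH_AUTH_SOCK must name gpg-agent's ssh socket (either location from the
  # post); anything else means ssh still talks to gnome-keyring or ssh-agent.
  case "$sock" in
    */S.gpg-agent.ssh) report "SSH_AUTH_SOCK -> gpg-agent ssh socket" 0 ;;
    *) report "SSH_AUTH_SOCK -> gpg-agent ssh socket" 1; missing=$((missing + 1)) ;;
  esac
  return "$missing"
}

# Constructed sample HOME containing the files from this post, so the check
# runs stand-alone; on a real system call it with "$HOME" "$SSH_AUTH_SOCK".
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.config/autostart" "$demo_home/.gnupg"
printf '[Desktop Entry]\nHidden=true\n' > "$demo_home/.config/autostart/gnome-keyring-ssh.desktop"
printf 'use-agent\n' > "$demo_home/.gnupg/gpg.conf"
printf 'enable-ssh-support\n' > "$demo_home/.gnupg/gpg-agent.conf"
check_gpg_ssh_setup "$demo_home" "$demo_home/.gnupg/S.gpg-agent.ssh"
echo "missing settings: $?"
rm -rf "$demo_home"
```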
Now gpg2 --card-status and ssh-add -L should work as expected:
$ gpg2 --card-status
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006045502760000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXX
Name of cardholder: Harald Hoyer
Language prefs ...: de
Sex ..............: male
URL of public key : hkp://pool.sks-keyservers.net
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 23
Signature key ....: 8745 5B0B B9F9 CDC3 619D C4FE 7BDB F42F AF81 54A2
      created ....: 2016-07-11 18:25:14
Encryption key....: 380C 0F4C A077 779A D4D4 93D6 F3FC E22D CDB8 95CB
      created ....: 2016-07-11 18:25:14
Authentication key: 8D02 04DF 42FC 2133 8356 DDFB EB09 2344 9913 9572
      created ....: 2016-07-11 18:25:14
General key info..: [none]
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSMiUCfHXItvZuUP3xO7hjIBukVl9cILSjSapM8WNS8IdyJJrZE00fy30jUwxCeCzSGDMi3WwLlAby99jVyTRgdxb5qHPWaT0k7MmkWLs9vydpZBLLeeyS3KQBrGcwrIA0h0p7A1kCXesiVL6cQCsGMxfQf1YWFBaL5VamXxpfSmz6ia8BEtQJjhJ2NpsyAuAJEs2dPdc5xn/ZRbY+pHV8ruoK0JJdH3c/us6rbrNHKfGnkE5anbKNoMposie3ADjc5ElEFjfAmJ7WxFGvRHA5P51B3jcjSYx4YQvUGq3sW3AhBjfD9VuBIjXDR6B6PKNZSAesWjatTA4fJY1mcw1x cardno:000604550276
To forward your gpg-agent and ssh-agent to remote machines, I add the following lines to my .ssh/config:
RemoteForward /home/harald/.gnupg/S.gpg-agent /home/harald/.gnupg/S.gpg-agent
RemoteForward /home/harald/.gnupg/S.gpg-agent3 /home/harald/.gnupg/S.gpg-agent3
StreamLocalBindUnlink yes
ForwardAgent yes
OpenSSH has a bug, so that StreamLocalBindUnlink yes does not work in the client configuration; thus you have to add that option to the remote server's /etc/ssh/sshd_config.