GPG, Smartcard and ssh

Harald Hoyer July 21, 2016 #gpg #yubikey #fedora

This blog post shows how to tweak Fedora, if you want to use a smartcard with OpenPGP and use it also as a ssh key. It also serves me as a recipe for fresh installations.

First, you have to disable gnome-keyring-ssh by:

$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop \
 $HOME/.config/autostart
$ echo "Hidden=true" \
 >> $HOME/.config/autostart/gnome-keyring-ssh.desktop

Because the pcscd daemon does not play nicely with scdaemon from gpg, we have two options.

  1. disable pcscd completely (recommended) by

    $ sudo systemctl mask --now pcscd.socket
    $ sudo systemctl mask --now pcscd.service
    
  2. or a $HOME/.gnupg/scdaemon.conf with

    pcsc-driver /usr/lib64/libpcsclite.so.1
    disable-ccid
    

In $HOME/.gnupg/gpg.conf use-agent should be enabled (should be the default anyway).

$HOME/.gnupg/gpg-agent.conf should have: enable-ssh-support

To point ssh to the gpg-agent my .bashrc contains the line:

unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh

on newer systems, this can be

export SSH_AUTH_SOCK=/run/user/$UID/gnupg/S.gpg-agent.ssh

Relogin or reboot to get rid of gnome-keyring-ssh.

Now gpg2 --card-status and ssh-add -L should work as expected:

$ gpg2 --card-status
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006045502760000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXX
Name of cardholder: Harald Hoyer
Language prefs ...: de
Sex ..............: male
URL of public key : hkp://pool.sks-keyservers.net
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 23
Signature key ....: 8745 5B0B B9F9 CDC3 619D C4FE 7BDB F42F AF81 54A2 created ....: 2016-07-11 18:25:14
Encryption key....: 380C 0F4C A077 779A D4D4 93D6 F3FC E22D CDB8 95CB created ....: 2016-07-11 18:25:14
Authentication key: 8D02 04DF 42FC 2133 8356 DDFB EB09 2344 9913 9572 created ....: 2016-07-11 18:25:14
General key info..: [none]

$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSMiUCfHXItvZuUP3xO7hjIBukVl9cILSjSapM8WNS8IdyJJrZE00fy30jUwxCeCzSGDMi3WwLlAby99jVyTRgdxb5qHPWaT0k7MmkWLs9vydpZBLLeeyS3KQBrGcwrIA0h0p7A1kCXesiVL6cQCsGMxfQf1YWFBaL5VamXxpfSmz6ia8BEtQJjhJ2NpsyAuAJEs2dPdc5xn/ZRbY+pHV8ruoK0JJdH3c/us6rbrNHKfGnkE5anbKNoMposie3ADjc5ElEFjfAmJ7WxFGvRHA5P51B3jcjSYx4YQvUGq3sW3AhBjfD9VuBIjXDR6B6PKNZSAesWjatTA4fJY1mcw1x cardno:000604550276

To forward your gpg-agent and ssh-agent to remote machines, I add the following lines to my .ssh/config:

RemoteForward /home/harald/.gnupg/S.gpg-agent /home/harald/.gnupg/S.gpg-agent
RemoteForward /home/harald/.gnupg/S.gpg-agent3 /home/harald/.gnupg/S.gpg-agent3
StreamLocalBindUnlink yes
ForwardAgent yes

OpenSSH has a bug, so that StreamLocalBindUnlink yes does not work in the client configuration and thus, you have to add that option to the remote server /etc/ssh/sshd_config