Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 02, 2024 at 07:46:33 +0200, Werner Koch via Gnupg-users wrote:

> On Thu, 2 May 2024 15:31, Matthias Apitz said:
>
> > which locks the card again. Any ideas?
>
> If you really want to reset the card after an operation _and_ you are
> using pcscd you can use
>
> ...

Thanks for all the hints. The problem with this OpenPGP card in the
cellphone L5 is that it is not a USB dongle which one could pull out to
invalidate the access to the keys. It sits inside the phone as a Micro-SIM
below the battery.

So I now do with ~/.ssh/config:

    Host *
        # note: this needs in /etc/ssh/ssh_config: PermitLocalCommand yes
        #
        LocalCommand gpgconf --reload scdaemon

This resets the card right after the PIN was provided for the SSH session.
This works fine for the ssh(1) command, but not for the scp(1) command.
Even when I say:

    $ scp "-oPermitLocalCommand=yes" foo www.unixarea.de:.

The "ssh" launched by "scp" shows in strace that it is launched with the
value "-oPermitLocalCommand=no":

    $ grep exec scp.tr
    10205 execve("/usr/bin/scp", ["scp", "-oPermitLocalCommand=yes", "foo", "www.unixarea.de"...], 0xdf2147a0 /* 32 vars */) = 0
    10206 execve("/usr/bin/ssh", ["/usr/bin/ssh", "-x", "-oPermitLocalCommand=no", "-oClearAllForwardings=yes", "-oRemoteCommand=none", "-oRequestTTY=no", "-o", "PermitLocalCommand=yes", "-oForwardAgent=no", "-l", "", "--", "www.unixarea.de", "scp -t ."], 0xe38c6780 /* 32 vars */) = 0

To overcome this problem I now use a macro "scp" defined in ~/.bashrc:

    function scp {
        $(which scp) "$@"
        # lock the OpenPGP card again
        gpgconf --reload scdaemon
    }

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using a GnuPG crypted RSA key for SSH
On Thu, 2 May 2024 15:31, Matthias Apitz said:

> which locks the card again. Any ideas?

If you really want to reset the card after an operation _and_ you are
using pcscd you can use

    gpg-connect-agent 'scd disconnect' /bye

But killing scdaemon is probably the easier and more reliable way:

    gpgconf -K scdaemon

does this by sending the kill command

    gpg-connect-agent 'scd killscd' /bye

Some card applications require a VERIFY command (i.e. asking for the
PIN) for each operation. An OpenPGP card does this only for the signing
key and only if that feature has been enabled (force command of
--card-edit). Remember that there is no PIN cache[1] but the card
application takes the decision when and how often a PIN is required
after power up (of the card).

If you only want to be asked whether the ssh-key shall be used, you can
put a line

    Confirm: yes

into the private-keys-v1.d/.key file of the AUTH (shadow-)key:

*** Confirm

If given and the value is "yes", a user will be asked confirmation by a
dialog window when the key is about to be used for PKSIGN/PKAUTH/PKDECRYPT
operation. If the value is "restricted", it is only asked for the access
through extra/browser socket.

Shalom-Salam,

   Werner

[1] Actually there is a PIN cache to allow a Yubikey to switch between
the OpenPGP and PIV applications back and forth without requiring a PIN
after each switch. A sample use-case is sending PGP signed mails and
also using a browser or IMAP server with user certificate based
authentication.

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Using a GnuPG crypted RSA key for SSH
On Thu, 2 May 2024 16:58, Matěj Cepl said:

> rather dubious: systemd can certainly manage a dependence on
> shared resource, and concurrent running of two processes at

Right. However, systemd does not use the same locking scheme as gnupg
uses to avoid duplicate daemon startup. The gnupg internal startup of
required daemons has been there before systemd was invented and it needs
to work on all platforms - not just on Linux. Having different schemes
here is a major problem but the former Debian maintainer (dkg) promised
to take care of all problems due to his patches which added that systemd
startup (--supervised) feature. Given that history I consider it
unlikely that Debian will ever provide an enhanced ssh version which can
be configured to start its ssh-agent on connection failure. Thus we need
to keep on using the updatestartuptty thing when using a curses pinentry
or a remote X session.

The updatestartuptty thing does actually two things: Make sure that
gpg-agent is launched (most other commands will do this also) and, more
important, to tell gpg-agent something about the current environment
(GPG_TTY, DISPLAY, etc). I have a patch somewhere to extend the
ssh-agent protocol to convey envvars but more or less forgot about it.
It would be a useful thing also for other ssh-agents.

> I still haven't investigated this piece of Werner's advice:
>
>> Using no-autostart in the common.conf might be useful. We use it always
>> when running a remote gpg.

That is easy: On a remote box you don't want to run gpg-agent because
this shall instead be handled by ssh socket forwarding. Without such an
option running gpg might start gpg-agent on the remote box and thus take
over the forwarded socket. Instead of adding "no-autostart" to all
config files of gnupg, adding this to common.conf will be sufficient.

Shalom-Salam,

   Werner
Re: Using a GnuPG crypted RSA key for SSH
On Thu May 2, 2024 at 3:55 PM CEST, Ming Kuang via Gnupg-users wrote:
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066957.html
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066960.html

Just for the record, I find the explanation in the later email rather
dubious: systemd can certainly manage a dependence on a shared resource,
and concurrent running of two processes at once. My deep suspicion is
that we have here just a little case of the NIH syndrome (plus, a lack
of understanding of containerized systems like my MicroOS).

I still haven't investigated this piece of Werner's advice:

> Using no-autostart in the common.conf might be useful. We use it always
> when running a remote gpg.

Best,

Matěj

-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

In political activity men sail a boundless and bottomless sea; there is
neither harbor for shelter nor floor for anchorage, neither starting
point nor appointed destination.
  -- Michael Oakeshott: Rationalism in Politics
Re: Using a GnuPG crypted RSA key for SSH
> I run the L5 with its OpenPGP card since 2021 and I don't remember the
> exact setup now. In any case, gpg-agent is there after any reboot.

One issue remains with the now working OpenPGP card for SSH: When the
correct PIN was provided the card remains unlocked, regardless of whether
the SSH session was successful. This is a security problem: On mobile
theft all gpg files are open. Until now I only used the pass command
from password-store and added at its end:

    purism@pureos:~$ tail -4 /usr/bin/pass
    #
    gpgconf --reload scdaemon
    sleep 2
    exit 0

which locks the card again. Any ideas?

matthias
Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 02, 2024 at 08:13:12 -0400, Henning Follmann wrote:

> On Thu, May 02, 2024 at 01:58:37PM +0200, Matthias Apitz wrote:
> >
> > gpg-agent was always there, started by system boot.
>
> Are you certain? Did you change that at some point? Because if you use the
> default pureOS it doesn't. Just say'n

Yes. It gets started by systemd (proc 719 here) at boot time:

    root@pureos:/home/purism# ps axl | grep gpg-agent | grep -v grep
    0  1000 2246  719  20   0  83436 5312 do_sel SLs  ?  0:01 /usr/bin/gpg-agent --supervised
    root@pureos:/home/purism# ps axl | grep 719 | head -1
    4  1000  719    1  20   0  16440 8448 do_epo Ss   ?  0:02 /lib/systemd/systemd --user

I run the L5 with its OpenPGP card since 2021 and I don't remember the
exact setup now. In any case, gpg-agent is there after any reboot.

matthias
Re: Using a GnuPG crypted RSA key for SSH
On Thu, May 02, 2024 at 01:58:37PM +0200, Matthias Apitz wrote:
> On Thursday, May 02, 2024 at 07:44:04 -0400, Henning Follmann wrote:
>
> > On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > > On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via
> > > Gnupg-users wrote:
> > >
> >
> > and because gpg-agent does not usually run as daemon make sure it is
> > running before you use ssh
> >
> > gpgconf --launch gpg-agent
>
> gpg-agent was always there, started by system boot.

Are you certain? Did you change that at some point? Because if you use the
default pureOS it doesn't. Just say'n

>
> >
> > You also could add that to your .bashrc
>
> The missing piece to get it working now was to tell gpg-agent the correct
> TTY with:
>
> gpg-connect-agent updatestartuptty /bye
>
> which perhaps the gpg command does, but ssh can't.
>
> Thanks for all the hints I got.
>
>
> matthias

-- 
Henning Follmann | hfollm...@itcfollmann.com
Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 02, 2024 at 07:44:04 -0400, Henning Follmann wrote:

> On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via
> > Gnupg-users wrote:
> >
> > > ...
> > > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > > on some distros the X config greps for this to decide whether to start
> > > the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> > > always enabled and thus the option is not really required.
> > [deleted]
>
> I do not know what you did, but that looks like a mess.
> Your pinentry was working before (I guess) and you should not change
> anything there.
>
> And there is no need for using trace - way too complicated!
>
> As Werner said, add
>
> enable-ssh-support
>
> to your ~/.gnupg/gpg-agent.conf

I have had this in that file (as I said in my last mail).

> You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
> authentication subkey in there
>
> and then finally tell ssh where to find the ssh-agent socket. gpg will tell
> you that by:
>
> gpgconf --list-dirs agent-ssh-socket
>
> just put
>
> export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

I have had this too.

>
> in your ~/.bashrc
>
> and because gpg-agent does not usually run as daemon make sure it is
> running before you use ssh
>
> gpgconf --launch gpg-agent

gpg-agent was always there, started by system boot.

>
>
> You also could add that to your .bashrc

The missing piece to get it working now was to tell gpg-agent the correct
TTY with:

    gpg-connect-agent updatestartuptty /bye

which perhaps the gpg command does, but ssh can't.

Thanks for all the hints I got.

matthias
Re: Using a GnuPG crypted RSA key for SSH
On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via
> Gnupg-users wrote:
>
> > ...
> > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > on some distros the X config greps for this to decide whether to start
> > the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> > always enabled and thus the option is not really required.
> [deleted]

I do not know what you did, but that looks like a mess.
Your pinentry was working before (I guess) and you should not change
anything there.

And there is no need for using trace - way too complicated!

As Werner said, add

    enable-ssh-support

to your ~/.gnupg/gpg-agent.conf

You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
authentication subkey in there

and then finally tell ssh where to find the ssh-agent socket. gpg will tell
you that by:

    gpgconf --list-dirs agent-ssh-socket

just put

    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

in your ~/.bashrc

and because gpg-agent does not usually run as daemon make sure it is
running before you use ssh

    gpgconf --launch gpg-agent

You also could add that to your .bashrc

-H
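Added example, not code from any post in this thread: shell helpers that put Henning's setup steps above, the updatestartuptty step from Matthias' reply, and the ssh/scp wrapper from his final message (top of the thread) into one sourceable file. Only gpgconf(1) and gpg-connect-agent(1) from GnuPG are real commands; the function names, the CARD_LOCK_CMD variable and the sample keygrip format check are this example's own assumptions. Unlike the posted scp macro, the wrapper quotes its arguments, resets the card even when the command fails, and preserves the command's exit status.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Assumes the GnuPG
# tools gpgconf(1) and gpg-connect-agent(1) are on PATH when gpg_ssh_env and
# the wrappers are used; the file helpers and run_then_lock need only sh.

# append_once FILE LINE: add LINE to FILE unless an identical line exists
append_once() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# gpg_ssh_configure GNUPGHOME KEYGRIP: enable ssh support in gpg-agent.conf
# and register the authentication subkey's keygrip (40 hex digits) in
# sshcontrol, idempotently, so re-running never duplicates entries.
gpg_ssh_configure() {
    home=$1; keygrip=$2
    case $keygrip in
        *[!0-9A-Fa-f]*|'') echo "bad keygrip: '$keygrip'" >&2; return 1 ;;
    esac
    [ "${#keygrip}" -eq 40 ] || { echo "keygrip must be 40 hex digits" >&2; return 1; }
    mkdir -p "$home" && chmod 700 "$home" || return 1
    append_once "$home/gpg-agent.conf" "enable-ssh-support" &&
    append_once "$home/sshcontrol" "$keygrip"
}

# gpg_ssh_env: point ssh at gpg-agent's ssh socket, make sure the agent is
# running and tell it the current tty (the missing piece in the thread).
gpg_ssh_env() {
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) || return 1
    export SSH_AUTH_SOCK
    if t=$(tty 2>/dev/null); then GPG_TTY=$t; export GPG_TTY; fi
    gpgconf --launch gpg-agent &&
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# run_then_lock CMD ARGS...: run CMD, then reset scdaemon so the card asks
# for its PIN again, whether or not CMD succeeded; CMD's exit status is kept.
# CARD_LOCK_CMD can be overridden, e.g. with "gpgconf -K scdaemon".
: "${CARD_LOCK_CMD:=gpgconf --reload scdaemon}"
run_then_lock() {
    "$@"; rc=$?
    $CARD_LOCK_CMD || echo "warning: could not lock the OpenPGP card" >&2
    return "$rc"
}

# scp(1) re-execs ssh with -oPermitLocalCommand=no, so a LocalCommand in
# ~/.ssh/config never fires for it; wrapping both commands covers both.
ssh() { run_then_lock command ssh "$@"; }
scp() { run_then_lock command scp "$@"; }
```

Source the file from ~/.bashrc, run gpg_ssh_configure once with your AUTH subkey's keygrip, and call gpg_ssh_env in each new shell before using ssh or scp.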
Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:

> ...
> On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> on some distros the X config greps for this to decide whether to start
> the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> always enabled and thus the option is not really required.

I have this working now already up to the point that ssh asks the
gpg-agent to unlock the card and ask for the PIN to do so. But this is
failing because gpg-agent uses:

    $ grep pinentry agent.tr
    4692 execve("/usr/bin/pinentry", ["pinentry", "--display", ":0"], 0xa8004be0 /* 41 vars */) = 0

which fails with an unsupported ioctl to fd=0, while a command 'gpg -d
foo.asc' works fine, and here gpg-agent uses

    $ grep pinentry agent-gpg.tr
    4997 read(10, "OPTION allow-pinentry-notify\n", 1002) = 29
    4997 write(7, "chan_10 <- OPTION allow-pinentry"..., 40) = 40
    5001 execve("/usr/bin/pinentry", ["pinentry"], 0xa80016d0 /* 41 vars */) = 0

i.e. the pinentry command without --display ...

My config file for gpg-agent looks like:

    $ cat .gnupg/gpg-agent.conf
    enable-ssh-support
    debug-pinentry
    debug ipc
    log-file /tmp/gpg-agent-debug.log
    max-cache-ttl 1
    # pinentry-program /usr/bin/pinentry

I tried to play with the config value of pinentry-program without luck.
The environment of the gpg-agent contains:

    GNUPGHOME=/home/purism/.gnupg
    GPG_TTY=not a tty

Any idea how to get gpg-agent asking correctly for the PIN?

matthias
Re: Using a GnuPG crypted RSA key for SSH
On Wed, 1 May 2024 11:50, Henning Follmann said:

> Well, if you have an authentication subkey on your card you could use that
> for ssh authentication directly.
> Your gpg-agent would then act as ssh-agent.

I would even claim that this is the best way to work with ssh - I do
this now for nearly 20 years:

    Noteworthy changes in version 1.9.16 (2005-04-21)
    ------------------------------------------------

    * gpg-agent does now support the ssh-agent protocol and thus allows
      to use the pinentry as well as the OpenPGP smartcard with ssh.

This even works on Windows as a replacement of pageant and more recently
of the native OpenSSH Windows client.

On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
on some distros the X config greps for this to decide whether to start
the ssh-agent or leave this to gpg-agent. Technically the ssh support is
always enabled and thus the option is not really required.

Salam-Shalom,

   Werner
Re: Using a GnuPG crypted RSA key for SSH
On Wed, May 01, 2024 at 04:32:54PM +0200, Matthias Apitz wrote:
>
> Hello,
>
> I've on my Linux cellphone L5 my RSA key for SSH crypted with GnuPG (to
> be exact with an OpenPGP card in the phone). I can do fine:
>
> $ gpg -d id_rsa.asc > id_rsa   # which asks for the PIN of the OpenPGP card
> $ ssh www.unixarea.de
> Enter passphrase for key '/home/guru/.ssh/id_rsa':
> ...
> $ rm id_rsa   # so it can't get lost on theft of the L5
>
> Is there some other solution for GnuPG+SSH without writing the private
> key id_rsa to a file? Or even better as well without the need of
> entering the passphrase for the RSA key?
>

Well, if you have an authentication subkey on your card you could use that
for ssh authentication directly.
Your gpg-agent would then act as ssh-agent.

That might be a better way to handle this.

-H
Re: Using a GnuPG crypted RSA key for SSH
Smart cards like yubikeys, and termux okcagent integrations?

Kind regards,
Christian C.
Phone: +47 922 22 603
(Sent from my smartphone device)

On Wed, 1 May 2024, 17:19 Matthias Apitz, wrote:

>
> Hello,
>
> I've on my Linux cellphone L5 my RSA key for SSH crypted with GnuPG (to
> be exact with an OpenPGP card in the phone). I can do fine:
>
> $ gpg -d id_rsa.asc > id_rsa   # which asks for the PIN of the OpenPGP card
> $ ssh www.unixarea.de
> Enter passphrase for key '/home/guru/.ssh/id_rsa':
> ...
> $ rm id_rsa   # so it can't get lost on theft of the L5
>
> Is there some other solution for GnuPG+SSH without writing the private
> key id_rsa to a file? Or even better as well without the need of
> entering the passphrase for the RSA key?
>
> Thanks
>
> matthias