mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-12-22 08:28:55 +00:00
remove multiple hosts
This commit is contained in:
parent
92d4212019
commit
d6848d5440
141
README.md
141
README.md
@ -24,14 +24,14 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
|
||||
* [OneRNG](#onerng)
|
||||
- [Generate keys](#generate-keys)
|
||||
* [Temporary working directory](#temporary-working-directory)
|
||||
* [Harden configuration](#harden-configuration)
|
||||
* [Hardened configuration](#hardened-configuration)
|
||||
- [Certify key](#certify-key)
|
||||
- [Sign with existing key](#sign-with-existing-key)
|
||||
- [Subkeys](#subkeys)
|
||||
* [Signing](#signing)
|
||||
* [Encryption](#encryption)
|
||||
* [Authentication](#authentication)
|
||||
* [Add extra identities](#add-extra-identities)
|
||||
* [Extra Identities](#extra-identities)
|
||||
- [Verify](#verify)
|
||||
- [Export secret keys](#export-secret-keys)
|
||||
- [Revocation certificate](#revocation-certificate)
|
||||
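Review bot: the renamed TOC entry `[Extra Identities](#extra-identities)` uses title case while every neighbouring entry in this hunk uses sentence case (`[Add extra identities]`, `[Revocation certificate]`, `[Hardened configuration]`); suggest `[Extra identities](#extra-identities)`, which keeps the same slug. The `Harden configuration` to `Hardened configuration` rename is fine as a TOC change, but it only holds together if every in-body link to `#harden-configuration` is updated in the same commit, so that anchor should be grepped for across README.md.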
@ -48,7 +48,6 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
|
||||
- [Verify card](#verify-card)
|
||||
- [Multiple YubiKeys](#multiple-yubikeys)
|
||||
* [Switching between YubiKeys](#switching-between-yubikeys)
|
||||
- [Multiple Hosts](#multiple-hosts)
|
||||
- [Finish](#finish)
|
||||
- [Using keys](#using-keys)
|
||||
- [Rotating keys](#rotating-keys)
|
||||
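Review bot: dropping `[Multiple Hosts](#multiple-hosts)` from the TOC is consistent with deleting the section later in this diff, but nothing here shows that no other in-body link to `#multiple-hosts` remains (for example from the Finish or Using keys sections); a dangling anchor renders as a link that silently scrolls to the top, so confirm with a search for `#multiple-hosts` before merging.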
@ -66,19 +65,15 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
|
||||
* [Remote Machines (SSH Agent Forwarding)](#remote-machines-ssh-agent-forwarding)
|
||||
+ [Use ssh-agent ](#use-ssh-agent)
|
||||
+ [Use S.gpg-agent.ssh](#use-sgpg-agentssh)
|
||||
+ [Chained SSH Agent Forwarding](#chained-ssh-agent-forwarding)
|
||||
+ [Chained SSH agent forwarding](#chained-ssh-agent-forwarding)
|
||||
* [GitHub](#github)
|
||||
* [OpenBSD](#openbsd-1)
|
||||
* [Windows](#windows-1)
|
||||
+ [WSL](#wsl)
|
||||
- [Use ssh-agent or use S.weasel-pageant](#use-ssh-agent-or-use-sweasel-pageant)
|
||||
- [Prerequisites](#prerequisites)
|
||||
- [WSL configuration](#wsl-configuration)
|
||||
- [Remote host configuration](#remote-host-configuration)
|
||||
* [macOS](#macos-1)
|
||||
- [Remote Machines (GPG Agent Forwarding)](#remote-machines-gpg-agent-forwarding)
|
||||
* [Steps for older distributions](#steps-for-older-distributions)
|
||||
* [Chained GPG Agent Forwarding](#chained-gpg-agent-forwarding)
|
||||
* [Chained GnuPG agent forwarding](#chained-gnupg-agent-forwarding)
|
||||
- [Using Multiple Keys](#using-multiple-keys)
|
||||
- [Adding an identity](#adding-an-identity)
|
||||
* [Updating YubiKey](#updating-yubikey)
|
||||
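Review bot: renaming `[Chained GPG Agent Forwarding](#chained-gpg-agent-forwarding)` to `[Chained GnuPG agent forwarding](#chained-gnupg-agent-forwarding)` changes the slug, which breaks any existing deep links (including external ones) to the old anchor, whereas the SSH rename in the same hunk only changes case and keeps `#chained-ssh-agent-forwarding` intact. Either keep the old heading text and only fix case, or accept the break knowingly; also the sibling entry `[Remote Machines (GPG Agent Forwarding)]` still says "GPG", so the GPG/GnuPG naming is now mixed within one TOC block. Removing the `Use ssh-agent or use S.weasel-pageant` and `Prerequisites` sub-entries matches the later WSL hunk.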
@ -310,10 +305,10 @@ nix build --experimental-features "nix-command flakes" .#nixosConfigurations.yub
|
||||
Copy it to a USB drive:
|
||||
|
||||
```console
|
||||
sudo cp -v result/iso/yubikeyLive.iso /dev/sdb; sync
|
||||
sudo cp -v result/iso/yubikeyLive.iso /dev/sdb ; sync
|
||||
```
|
||||
|
||||
With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#harden-configuration), as it was done when creating the image.
|
||||
With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#hardened-configuration), as it was done when creating the image.
|
||||
|
||||
## OpenBSD
|
||||
|
||||
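Review bot: the change from `/dev/sdb; sync` to `/dev/sdb ; sync` is a whitespace-only edit with no functional effect and adds noise to the diff; suggest reverting it, or at least not mixing it with the link fix. Since the line writes an image straight to a hard-coded block device, this is also a good place for a sentence telling the reader to confirm the USB device name (for example with `lsblk`) before running it. The `#harden-configuration` to `#hardened-configuration` link update is correct for the heading rename elsewhere in this diff.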
@ -357,7 +352,7 @@ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C
|
||||
|
||||
## OneRNG
|
||||
|
||||
Configure [rng-tools](https://wiki.archlinux.org/index.php/Rng-tools) software:
|
||||
Configure [rng-tools](https://wiki.archlinux.org/title/Rng-tools):
|
||||
|
||||
```console
|
||||
sudo apt -y install at rng-tools python3-gnupg openssl
|
||||
@ -398,7 +393,7 @@ Create a temporary directory which will be cleared on [reboot](https://en.wikipe
|
||||
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
|
||||
```
|
||||
|
||||
## Harden configuration
|
||||
## Hardened configuration
|
||||
|
||||
Import or create a hardened configuration for GnuPG:
|
||||
|
||||
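Review bot: renaming the heading `## Harden configuration` to `## Hardened configuration` changes the anchor; one inbound link is updated in the NixOS hunk above, but any other reference to `#harden-configuration` elsewhere in README.md will break, so the old slug should be searched for. The wording of the section itself ("Import or create a hardened configuration for GnuPG") still describes the action, so "Harden configuration" arguably matched the imperative style of the other step headings (`Generate keys`, `Certify key`, `Verify card`) better than the new noun phrase.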
@ -787,7 +782,7 @@ Finish by saving the keys:
|
||||
gpg> save
|
||||
```
|
||||
|
||||
## Add extra identities
|
||||
## Extra Identities
|
||||
|
||||
**Optional** To add additional email addresses or identities, use `adduid`
|
||||
|
||||
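Review bot: `## Extra Identities` is title-cased while the other `##` headings touched in this diff (`## Hardened configuration`, `## OneRNG`, `## OpenBSD`) are sentence-cased; suggest `## Extra identities`, which produces the same `#extra-identities` slug the TOC now points at. The `**Optional** To add additional email addresses or identities, use `adduid`` line is unchanged and still reads correctly under the new heading.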
@ -1166,7 +1161,7 @@ gpg -o \path\to\dir\pubkey.gpg --armor --export $KEYID
|
||||
|
||||
**Keyserver**
|
||||
|
||||
**Optional** Upload the public key to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver):
|
||||
**Optional** Upload the public key to a public keyserver:
|
||||
|
||||
```console
|
||||
gpg --send-key $KEYID
|
||||
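Review bot: dropping the debian-administration link leaves "public keyserver" with no pointer to what submitting a key to one entails, and the surrounding text offers no replacement explanation; if the old article is dead or outdated, replace the link rather than remove it, so the reader still has a reference before running `gpg --send-key $KEYID`.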
@ -1182,6 +1177,23 @@ Or if [uploading to keys.openpgp.org](https://keys.openpgp.org/about/usage):
|
||||
gpg --send-key $KEYID | curl -T - https://keys.openpgp.org
|
||||
```
|
||||
|
||||
The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
|
||||
|
||||
```console
|
||||
URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
|
||||
```
|
||||
|
||||
Edit YubiKey with `gpg --edit-card` and the Admin PIN:
|
||||
|
||||
```console
|
||||
gpg/card> admin
|
||||
|
||||
gpg/card> url
|
||||
URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
|
||||
|
||||
gpg/card> quit
|
||||
```
|
||||
|
||||
# Configure YubiKey
|
||||
|
||||
Insert YubiKey and use GnuPG to configure it:
|
||||
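Review bot: the block moved here from the Multiple Hosts section lost the guard `[[ ! "$KEYID" =~ ^"0x" ]] && KEYID="0x${KEYID}"` that preceded the `URL=` line in the original; without it, a `$KEYID` set without the `0x` prefix yields a `search=` parameter that does not match the `search=0xFF00000000000000` form shown in the card transcript below. Two smaller points: the `URL` variable is assigned but never referenced, since the `gpg/card> url` prompt shows a literal placeholder rather than `$URL`; and the URL hard-codes `keyserver.ubuntu.com` while the paragraph just above offers keys.openpgp.org as an alternative upload target, so a note that the stored URL must point at wherever the key was actually published would avoid a `fetch` that returns nothing.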
@ -1452,81 +1464,6 @@ GnuPG will scan the first YubiKey for keys and recreate the stubs to point to th
|
||||
|
||||
To use the second YubiKey, repeat the command.
|
||||
|
||||
# Multiple Hosts
|
||||
|
||||
Export the public key and trust setting from the current host:
|
||||
|
||||
```console
|
||||
gpg --armor --export $KEYID > gpg-public-key-$KEYID.asc
|
||||
|
||||
gpg --export-ownertrust > gpg-owner-trust.txt
|
||||
```
|
||||
|
||||
Move both files to the second host, then define the key ID:
|
||||
|
||||
```console
|
||||
export KEYID=0xF0F2CFEB04341FB5
|
||||
```
|
||||
|
||||
Import the public key:
|
||||
|
||||
```console
|
||||
gpg --import gpg-public-key-$KEYID.asc
|
||||
```
|
||||
|
||||
Import the trust setting:
|
||||
|
||||
```console
|
||||
gpg --import-ownertrust < gpg-owner-trust.txt
|
||||
```
|
||||
|
||||
Insert YubiKey and import key stubs:
|
||||
|
||||
```console
|
||||
gpg --card-status
|
||||
```
|
||||
|
||||
Or download from a public key server:
|
||||
|
||||
```console
|
||||
gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv $KEYID
|
||||
```
|
||||
|
||||
Configure trust:
|
||||
|
||||
```console
|
||||
$ gpg --edit-key $KEYID
|
||||
gpg> trust
|
||||
Your decision? 5
|
||||
Do you really want to set this key to ultimate trust? (y/N) y
|
||||
gpg> quit
|
||||
```
|
||||
|
||||
The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
|
||||
|
||||
```console
|
||||
[[ ! "$KEYID" =~ ^"0x" ]] && KEYID="0x${KEYID}"
|
||||
URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
|
||||
```
|
||||
|
||||
Edit YubiKey with `gpg --edit-card` and the Admin PIN:
|
||||
|
||||
```console
|
||||
gpg/card> admin
|
||||
|
||||
gpg/card> url
|
||||
URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
|
||||
|
||||
gpg/card> quit
|
||||
```
|
||||
|
||||
With the URL on YubiKey, retrieve the public key:
|
||||
|
||||
```console
|
||||
gpg/card> fetch
|
||||
|
||||
gpg/card> quit
|
||||
```
|
||||
|
||||
# Finish
|
||||
|
||||
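Review bot: deleting the entire Multiple Hosts section removes more than the relocated URL/`fetch` instructions: the `gpg --export-ownertrust` / `gpg --import-ownertrust` steps, the `gpg --import gpg-public-key-$KEYID.asc` step and the `gpg --edit-key $KEYID` / `trust` / `5` step that sets ultimate trust on the new host all go with it, and the only content added elsewhere in this diff is the `fetch` block in the Finish section. Unless the Finish section already covers importing ownertrust on a second host, a reader setting up an additional machine will now have a public key but no trust on it; suggest either keeping the trust steps in Finish or noting in the commit message that this guidance was intentionally dropped.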
@ -1615,6 +1552,14 @@ Or download the public key from a keyserver:
|
||||
gpg --recv $KEYID
|
||||
```
|
||||
|
||||
Or with the URL on YubiKey, retrieve the public key:
|
||||
|
||||
```console
|
||||
gpg/card> fetch
|
||||
|
||||
gpg/card> quit
|
||||
```
|
||||
|
||||
Edit the Certify key:
|
||||
|
||||
```console
|
||||
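Review bot: the new `gpg/card> fetch` block assumes the card already has a URL stored (set in the `gpg/card> url` hunk earlier in this diff) and that the host has network access to that keyserver, but the lead-in "Or with the URL on YubiKey, retrieve the public key:" does not say how to reach the `gpg/card>` prompt, unlike the earlier hunk which says "Edit YubiKey with `gpg --edit-card`". Suggest repeating that, and adding that `fetch` only imports the public key, so the `Edit the Certify key:` / trust step that follows is still required.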
@ -2010,7 +1955,7 @@ ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000
|
||||
|
||||
## (Optional) Save public key for identity file configuration
|
||||
|
||||
By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`.
|
||||
By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://words.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`.
|
||||
|
||||
The argument provided to `IdentityFile` is traditionally the path to the _private_ key file (for example `IdentityFile ~/.ssh/id_rsa`). For YubiKey, `IdentityFile` must point to the _public_ key file, and `ssh` will select the appropriate private key from those available via ssh-agent. To prevent `ssh` from trying all keys in the agent, use `IdentitiesOnly yes` along with one or more `-i` or `IdentityFile` options for the target host.
|
||||
|
||||
@ -2135,7 +2080,7 @@ After sourcing the shell rc file, `ssh-add -l` will return the correct public ke
|
||||
|
||||
**Note** In this process no gpg-agent in the remote is involved, hence `gpg-agent.conf` in the remote is of no use. Also pinentry is invoked locally.
|
||||
|
||||
### Chained SSH Agent Forwarding
|
||||
### Chained SSH agent forwarding
|
||||
|
||||
If you use `ssh-agent` provided by OpenSSH and want to forward it into a *third* box, you can just `ssh -A third` on the *remote*.
|
||||
|
||||
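Review bot: `### Chained SSH Agent Forwarding` to `### Chained SSH agent forwarding` is a case-only rename, so the generated slug `#chained-ssh-agent-forwarding` is unchanged and the TOC and any external links keep working; no further action needed here, which is the pattern the GnuPG heading rename later in this diff should have followed.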
@ -2265,18 +2210,12 @@ The goal is to configure SSH client inside WSL work together with the Windows ag
|
||||
|
||||
**Note** this works only for SSH agent forwarding. GnuPG forwarding for cryptographic operations is not supported. See [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant) for more information.
|
||||
|
||||
#### Use ssh-agent or use S.weasel-pageant
|
||||
|
||||
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information.
|
||||
|
||||
#### Prerequisites
|
||||
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information. This requires:
|
||||
|
||||
* Ubuntu 16.04 or newer for WSL
|
||||
* Kleopatra
|
||||
* [Windows configuration](#windows)
|
||||
|
||||
#### WSL configuration
|
||||
|
||||
Download [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant).
|
||||
|
||||
Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to the shell rc file. Use a named socket here so it can be used in the `RemoteForward` directive of `~/.ssh/config`. Source it with `source ~/.bashrc`.
|
||||
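Review bot: collapsing `#### Use ssh-agent or use S.weasel-pageant` and `#### Prerequisites` into one paragraph that ends "This requires:" makes the antecedent of "This" ambiguous: the sentence before it describes the plain `ssh -A` option, but the bullets that follow (`Ubuntu 16.04 or newer for WSL`, `Kleopatra`, `[Windows configuration](#windows)`) are prerequisites for the whole WSL/weasel-pageant setup, not for `ssh -A`. Suggest keeping the list under its own short lead sentence such as "The WSL setup requires:" so the prerequisites are not read as applying only to the forwarding variant.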
@ -2291,8 +2230,6 @@ RemoteForward <remote SSH socket path> /tmp/S.weasel-pageant
|
||||
|
||||
**Note** The remote SSH socket path can be found with `gpgconf --list-dirs agent-ssh-socket`
|
||||
|
||||
#### Remote host configuration
|
||||
|
||||
Add the following to the shell rc file:
|
||||
|
||||
```console
|
||||
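Review bot: removing `#### Remote host configuration` leaves "Add the following to the shell rc file:" immediately after the note about finding the remote SSH socket path with `gpgconf --list-dirs agent-ssh-socket`, and the preceding WSL configuration text also tells the reader to edit a shell rc file (`eval $(/mnt/c/.../weasel-pageant ...)`), so it is no longer clear which machine's rc file this block belongs in. If the heading is to go, the lead-in should say "On the remote host, add the following to the shell rc file:".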
@ -2436,7 +2373,7 @@ extra-socket /run/user/1000/gnupg/S.gpg-agent.extra
|
||||
|
||||
See [Issue #85](https://github.com/drduh/YubiKey-Guide/issues/85) for more information and troubleshooting.
|
||||
|
||||
## Chained GPG Agent Forwarding
|
||||
## Chained GnuPG agent forwarding
|
||||
|
||||
Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines:
|
||||
|
||||
|
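Review bot: `## Chained GPG Agent Forwarding` to `## Chained GnuPG agent forwarding` changes the slug from `#chained-gpg-agent-forwarding` to `#chained-gnupg-agent-forwarding`; the TOC hunk updates its entry, but the nearby reference to `[Issue #85]` and the unchanged `Remote Machines (GPG Agent Forwarding)` heading show that "GPG" is still used elsewhere, so either rename consistently across the section or keep the heading text and avoid breaking inbound links.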