mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2025-01-03 13:17:22 +00:00
clarify that SSH_AUTH_SOCK should only be set locally, not on the remote server
parent 5bbad1fc4c
commit de193ee363
@ -1592,7 +1592,7 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
|
|||||||
gpg-connect-agent updatestartuptty /bye > /dev/null
|
gpg-connect-agent updatestartuptty /bye > /dev/null
|
||||||
```
|
```
|
||||||
|
|
||||||
On some systems, you may need to use the following instead:
|
On modern systems, you can use the following instead, as `gpgconf --list-dirs agent-ssh-socket` will automatically set `SSH_AUTH_SOCK` to the correct value; and is therefore typically better than hard-coding to `run/user/$UID/gnupg/S.gpg-agent.ssh`, if available:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
export GPG_TTY="$(tty)"
|
export GPG_TTY="$(tty)"
|
||||||
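Review bot: In the reworded sentence, `gpgconf --list-dirs agent-ssh-socket` does not set `SSH_AUTH_SOCK`; it only prints the socket path, and the surrounding `export SSH_AUTH_SOCK=$(...)` assignment is what sets the variable. Suggest wording such as "which resolves the correct socket path" instead of "will automatically set". The hard-coded path is also written as `run/user/$UID/gnupg/S.gpg-agent.ssh`, without the leading slash that the export in this hunk's header has, and the "; and is therefore typically better" join would read more clearly as a separate sentence.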
@ -1600,6 +1600,9 @@ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
|||||||
gpgconf --launch gpg-agent
|
gpgconf --launch gpg-agent
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Note that `SSH_AUTH_SOCK` normally only needs to be set on the *local* laptop (workstation), where the YubiKey is plugged in. On the *remote* server that we SSH into, `ssh` will automatically set `SSH_AUTH_SOCK` to something like `/tmp/ssh-mXzCzYT2Np/agent.7541` when we connect. We therefore do **NOT** manually set `SSH_AUTH_SOCK` on the server. (Doing so would break [SSH Agent Forwarding](#remote-machines-agent-forwarding).)
|
||||||
|
|
||||||
|
|
||||||
## Copy public key
|
## Copy public key
|
||||||
|
|
||||||
**Note** It is *not* necessary to import the corresponding GPG public key in order to use SSH.
|
**Note** It is *not* necessary to import the corresponding GPG public key in order to use SSH.
|
||||||
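Review bot: The added note says `ssh` will set `SSH_AUTH_SOCK` on the remote server "when we connect", but that only happens when agent forwarding is requested by the client and permitted by the server, and it is the server side (sshd) that places the variable in the session. Suggest stating that condition in the sentence, otherwise a reader who connects without forwarding will look for a variable that is not there. The sample value `/tmp/ssh-mXzCzYT2Np/agent.7541` is fine as an illustration given the "something like" wording.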
@ -1848,7 +1851,9 @@ RemoteForward <remote ssh socket path> /tmp/S.weasel-pageant
|
|||||||
|
|
||||||
#### Remote host configuration
|
#### Remote host configuration
|
||||||
|
|
||||||
Add the following to the shell rc file:
|
You may have to add the following to the shell rc file (on Linux, this is only required on the laptop/workstation
|
||||||
|
where the YubiKey is plugged in, and **NOT** on the remote host server that you connect to; in fact at least on
|
||||||
|
some Linux distributions, changing SSH_AUTH_SOCK on the server breaks agent forwarding):
|
||||||
|
|
||||||
```
|
```
|
||||||
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
||||||
|
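Review bot: The new paragraph sits under the "Remote host configuration" heading yet says the export is required on the laptop/workstation and NOT on the remote host, so the section now advises against what its own title and code block show. Suggest moving the `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` block to the local configuration section, or keeping it here only with an explicit statement of which remote setups still need it. `SSH_AUTH_SOCK` in the last added line is also missing the backticks used for it in the note added earlier in this commit, and "at least on some Linux distributions" would be more useful if it named the case that was observed.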