authordrduh <github@duh.to>2019-01-18 05:42:17 +0000
committerGitHub <noreply@github.com>2019-01-18 05:42:17 +0000
commit200df282e1e061f9ba006b8489c1fbdf020871b1 (patch)
tree26599e6659ff4905b9c2e56a88d28eb4160397e7
parentFix keyserver command order to fix #86 (diff)
parentAdded pull request suggestions (diff)
downloadYubiKey-Guide-200df282e1e061f9ba006b8489c1fbdf020871b1.tar.gz
Merge pull request #88 from Wheest/master
Improving Agent Forwarding section
-rw-r--r--README.md73
1 files changed, 54 insertions, 19 deletions
diff --git a/README.md b/README.md
index f558413..82ad7e9 100644
--- a/README.md
+++ b/README.md
@@ -1356,6 +1356,59 @@ $ ssh-add -E md5 -l
When using the key `pinentry` will be invoked to request the key's passphrase. The passphrase will be cached for up to 10 minutes idle time between uses, to a maximum of 2 hours.
+## Remote Machines (agent forwarding)
+
+If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". This section should help you setup GPG and SSH agent forwarding.
+
+To do this, you need to already have shell access to your remote machime, and your YubiKey setup on your host machine.
+
+- First, on your local host machine run:
+
+```
+$ gpgconf --list-dirs agent-extra-socket
+```
+
+This should return a path to your agent-extra-socket, which should look similar to `/run/user/1000/gnupg/S.gpg-agent.extra`, though on older linux distros (and macs), it may be `/home/<user>/.gnupg/S/gpg-agent.extra`.
+
+- Next, find the agent socket on your **remote** machine:
+
+```
+$ gpgconf --list-dirs agent-socket
+```
+
+This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`.
+
+- On your remote machine, edit the file `/etc/ssh/sshd_config`, so that option `StreamLocalBindUnlink` is set to `StreamLocalBindUnlink yes`
+
+- _(optional)_If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding).
+
+
+- Now you need to import your public keys to the remote machine. This can be done by fetching from a keyserver. Here we show how to copy your public keyring. On your local machine, you need to copy your public keyring to your remote machine
+
+```
+$ scp .gnupg/pubring.kbx remote:~/.gnupg/
+```
+
+- Finally, to enable agent forwarding for a given machine, add the following to your local machine's ssh config file `~/.ssh/config` (your agent sockets may be different):
+
+```
+Host
+ Hostname your-domain
+ ForwardAgent yes
+ RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
+ # RemoteForward [remote socket] [local socket]
+```
+
+You should then be able to use your YubiKey as if it were connected to the remote machine.
+
+If you're still having problems, it may be necessary to edit your `gpg-agent.conf` file on both your remote and local machines to add the following information.
+
+```
+enable-ssh-support
+pinentry-program /usr/bin/pinentry-curses
+extra-socket /run/user/1000/gnupg/S.gpg-agent.extra
+```
+
## GitHub
You can use YubiKey to sign GitHub commits and tags. It can also be used for GitHub SSH authentication, allowing you to push, pull, and commit without a password.
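Review bot: the `~/.ssh/config` block in this hunk has a bare `Host` line with no pattern, so ssh will not match it against any destination; it needs a name (e.g. `Host remote`, with `Hostname your-domain` beneath it) for the `RemoteForward` entry to take effect. Also worth stating in the text: `ForwardAgent yes` forwards the SSH agent socket as well, which anything running as your user or root on the remote host can use while you are connected, so it should be enabled only for hosts you trust and is not required for the GPG `RemoteForward` alone. The older-distro/macOS path `/home/<user>/.gnupg/S/gpg-agent.extra` looks mistyped; gpg-agent names the socket `S.gpg-agent.extra` in the GnuPG home directory, not under an `S/` subdirectory, and `gpgconf --list-dirs agent-extra-socket` is the reliable way to get it, as the text already says. The `scp .gnupg/pubring.kbx remote:~/.gnupg/` step overwrites any public keyring already on the remote and assumes the same keybox format on both ends; `gpg --export <key-id> | ssh remote gpg --import` is the safer suggestion. Minor: "machime" is a typo, "setup" should be "set up" as a verb, and `_(optional)_If` is missing a space; the "optional" bullet is really the alternative to editing `sshd_config` rather than an optional extra.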
@@ -1465,24 +1518,6 @@ StreamLocalBindUnlink yes
**Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration) to configure each host.
-# Remote Machines (agent forwarding)
-
-If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". Assuming that you have your YubiKey setup on your host machine.
-
-To enable agent forwarding, ssh using the `-A` flag:
-
-```
-$ ssh -A user@remote
-```
-
-Or add the following to your ssh config file:
-
-```
-Host remote
- ForwardAgent yes
-```
-
-You should then be able to use your YubiKey as if it were connected to the remote machine.
# Troubleshooting
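Review bot: this removes the top-level `# Remote Machines (agent forwarding)` section while the replacement in the earlier hunk is added at `##` level ahead of `## GitHub`, so the material changes heading depth; check that the surrounding `#` headings and any table-of-contents anchors still line up. The `ssh -A user@remote` one-liner is dropped entirely; consider keeping it in the new section as the quick alternative to the `ForwardAgent yes` config entry, since the new section otherwise documents only the config-file route.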
@@ -1538,4 +1573,4 @@ You should then be able to use your YubiKey as if it were connected to the remot
* https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
* https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx
* https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
-
+* https://mlohr.com/gpg-agent-forwarding/