diff options
author | Michael Vorburger ⛑️ <mike@vorburger.ch> | 2019-09-16 23:59:50 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-16 23:59:50 +0200 |
commit | de193ee3635ae199a62f7a54322b4ef84c83eb10 (patch) | |
tree | 5b2699fe7d1deeabde9e2e6ca3d468ae67fdae4c | |
parent | Mention forwarding risk and Ubuntu multiverse repository, fix #116. (diff) | |
download | YubiKey-Guide-de193ee3635ae199a62f7a54322b4ef84c83eb10.tar.gz |
clarify that SSH_AUTH_SOCK should only be set locally, not on the remote server
-rw-r--r-- | README.md | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -1592,7 +1592,7 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" gpg-connect-agent updatestartuptty /bye > /dev/null ``` -On some systems, you may need to use the following instead: +On modern systems, you can use the following instead, as `gpgconf --list-dirs agent-ssh-socket` will automatically set `SSH_AUTH_SOCK` to the correct value; and is therefore typically better than hard-coding to `run/user/$UID/gnupg/S.gpg-agent.ssh`, if available: ```console export GPG_TTY="$(tty)" @@ -1600,6 +1600,9 @@ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent ``` +Note that `SSH_AUTH_SOCK` normally only needs to be set on the *local* laptop (workstation), where the YubiKey is plugged in. On the *remote* server that we SSH into, `ssh` will automatically set `SSH_AUTH_SOCK` to something like `/tmp/ssh-mXzCzYT2Np/agent.7541` when we connect. We therefore do **NOT** manually set `SSH_AUTH_SOCK` on the server. (Doing so would break [SSH Agent Forwarding](#remote-machines-agent-forwarding).) + + ## Copy public key **Note** It is *not* necessary to import the corresponding GPG public key in order to use SSH. @@ -1848,7 +1851,9 @@ RemoteForward <remote ssh socket path> /tmp/S.weasel-pageant #### Remote host configuration -Add the following to the shell rc file: +You may have to add the following to the shell rc file (on Linux, this is only required on the laptop/workstation +where the YubiKey is plugged in, and **NOT** on the remote host server that you connect to; in fact at least on +some Linux distributions, changing SSH_AUTH_SOCK on the server breaks agent forwarding): ``` export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) |