-rw-r--r--  README.md  141
1 files changed, 39 insertions, 102 deletions
diff --git a/README.md b/README.md
index 7cc3d87..108c9fa 100644
--- a/README.md
+++ b/README.md
@@ -24,14 +24,14 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
* [OneRNG](#onerng)
- [Generate keys](#generate-keys)
* [Temporary working directory](#temporary-working-directory)
- * [Harden configuration](#harden-configuration)
+ * [Hardened configuration](#hardened-configuration)
- [Certify key](#certify-key)
- [Sign with existing key](#sign-with-existing-key)
- [Subkeys](#subkeys)
* [Signing](#signing)
* [Encryption](#encryption)
* [Authentication](#authentication)
- * [Add extra identities](#add-extra-identities)
+ * [Extra Identities](#extra-identities)
- [Verify](#verify)
- [Export secret keys](#export-secret-keys)
- [Revocation certificate](#revocation-certificate)
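Review bot: the renamed entry `[Extra Identities](#extra-identities)` is in title case while the other headings renamed in this change (`Hardened configuration`, `Chained SSH agent forwarding`, `Chained GnuPG agent forwarding`) are sentence case; suggest `Extra identities`, which keeps the `#extra-identities` anchor unchanged.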
@@ -48,7 +48,6 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
- [Verify card](#verify-card)
- [Multiple YubiKeys](#multiple-yubikeys)
* [Switching between YubiKeys](#switching-between-yubikeys)
-- [Multiple Hosts](#multiple-hosts)
- [Finish](#finish)
- [Using keys](#using-keys)
- [Rotating keys](#rotating-keys)
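Review bot: dropping the `[Multiple Hosts](#multiple-hosts)` entry matches the section deletion further down, but any inline link to `#multiple-hosts` left elsewhere in README.md would now be dangling; a quick `grep -n 'multiple-hosts' README.md` before merging would confirm none remain.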
@@ -66,19 +65,15 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
* [Remote Machines (SSH Agent Forwarding)](#remote-machines-ssh-agent-forwarding)
+ [Use ssh-agent ](#use-ssh-agent)
+ [Use S.gpg-agent.ssh](#use-sgpg-agentssh)
- + [Chained SSH Agent Forwarding](#chained-ssh-agent-forwarding)
+ + [Chained SSH agent forwarding](#chained-ssh-agent-forwarding)
* [GitHub](#github)
* [OpenBSD](#openbsd-1)
* [Windows](#windows-1)
+ [WSL](#wsl)
- - [Use ssh-agent or use S.weasel-pageant](#use-ssh-agent-or-use-sweasel-pageant)
- - [Prerequisites](#prerequisites)
- - [WSL configuration](#wsl-configuration)
- - [Remote host configuration](#remote-host-configuration)
* [macOS](#macos-1)
- [Remote Machines (GPG Agent Forwarding)](#remote-machines-gpg-agent-forwarding)
* [Steps for older distributions](#steps-for-older-distributions)
- * [Chained GPG Agent Forwarding](#chained-gpg-agent-forwarding)
+ * [Chained GnuPG agent forwarding](#chained-gnupg-agent-forwarding)
- [Using Multiple Keys](#using-multiple-keys)
- [Adding an identity](#adding-an-identity)
* [Updating YubiKey](#updating-yubikey)
@@ -310,10 +305,10 @@ nix build --experimental-features "nix-command flakes" .#nixosConfigurations.yub
Copy it to a USB drive:
```console
-sudo cp -v result/iso/yubikeyLive.iso /dev/sdb; sync
+sudo cp -v result/iso/yubikeyLive.iso /dev/sdb ; sync
```
-With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#harden-configuration), as it was done when creating the image.
+With this image, you won't need to create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#hardened-configuration), as it was done when creating the image.
## OpenBSD
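Review bot: the only change to the `cp` line is a space before `;`, which has no effect on the command; if the intent was to tidy it, `sudo cp -v result/iso/yubikeyLive.iso /dev/sdb && sync` would at least make `sync` conditional on the copy succeeding. Since this line overwrites a hard-coded `/dev/sdb`, the surrounding text would also benefit from one sentence telling the reader to confirm the device name (for example with `lsblk`) before running it.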
@@ -357,7 +352,7 @@ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C
## OneRNG
-Configure [rng-tools](https://wiki.archlinux.org/index.php/Rng-tools) software:
+Configure [rng-tools](https://wiki.archlinux.org/title/Rng-tools):
```console
sudo apt -y install at rng-tools python3-gnupg openssl
@@ -398,7 +393,7 @@ Create a temporary directory which will be cleared on [reboot](https://en.wikipe
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
```
-## Harden configuration
+## Hardened configuration
Import or create a hardened configuration for GnuPG:
@@ -787,7 +782,7 @@ Finish by saving the keys:
gpg> save
```
-## Add extra identities
+## Extra Identities
**Optional** To add additional email addresses or identities, use `adduid`
@@ -1166,7 +1161,7 @@ gpg -o \path\to\dir\pubkey.gpg --armor --export $KEYID
**Keyserver**
-**Optional** Upload the public key to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver):
+**Optional** Upload the public key to a public keyserver:
```console
gpg --send-key $KEYID
@@ -1182,6 +1177,23 @@ Or if [uploading to keys.openpgp.org](https://keys.openpgp.org/about/usage):
gpg --send-key $KEYID | curl -T - https://keys.openpgp.org
```
+The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
+
+```console
+URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
+```
+
+Edit YubiKey with `gpg --edit-card` and the Admin PIN:
+
+```console
+gpg/card> admin
+
+gpg/card> url
+URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
+
+gpg/card> quit
+```
+
# Configure YubiKey
Insert YubiKey and use GnuPG to configure it:
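Review bot: the `URL=` line moved here drops the guard `[[ ! "$KEYID" =~ ^"0x" ]] && KEYID="0x${KEYID}"` that preceded the identical line in the removed Multiple Hosts section, so `search=${KEYID}` is only a key-ID lookup if `$KEYID` already carries the `0x` prefix (per the cited Shaw draft, the `0x` prefix is what marks the search value as a key ID rather than free text). Either restore the guard or state that `KEYID` must be set in `0x...` form, as the guide's own `export KEYID=0xF0F2CFEB04341FB5` example does. The sample session's `0xFF00000000000000` placeholder is fine as an illustration.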
@@ -1452,81 +1464,6 @@ GnuPG will scan the first YubiKey for keys and recreate the stubs to point to th
To use the second YubiKey, repeat the command.
-# Multiple Hosts
-
-Export the public key and trust setting from the current host:
-
-```console
-gpg --armor --export $KEYID > gpg-public-key-$KEYID.asc
-
-gpg --export-ownertrust > gpg-owner-trust.txt
-```
-
-Move both files to the second host, then define the key ID:
-
-```console
-export KEYID=0xF0F2CFEB04341FB5
-```
-
-Import the public key:
-
-```console
-gpg --import gpg-public-key-$KEYID.asc
-```
-
-Import the trust setting:
-
-```console
-gpg --import-ownertrust < gpg-owner-trust.txt
-```
-
-Insert YubiKey and import key stubs:
-
-```console
-gpg --card-status
-```
-
-Or download from a public key server:
-
-```console
-gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv $KEYID
-```
-
-Configure trust:
-
-```console
-$ gpg --edit-key $KEYID
-gpg> trust
-Your decision? 5
-Do you really want to set this key to ultimate trust? (y/N) y
-gpg> quit
-```
-
-The public key URL can also be added to YubiKey (based on [Shaw 2003](https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00)):
-
-```console
-[[ ! "$KEYID" =~ ^"0x" ]] && KEYID="0x${KEYID}"
-URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=${KEYID}"
-```
-
-Edit YubiKey with `gpg --edit-card` and the Admin PIN:
-
-```console
-gpg/card> admin
-
-gpg/card> url
-URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0xFF00000000000000
-
-gpg/card> quit
-```
-
-With the URL on YubiKey, retrieve the public key:
-
-```console
-gpg/card> fetch
-
-gpg/card> quit
-```
# Finish
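Review bot: the `gpg --export-ownertrust` / `gpg --import-ownertrust` steps and the `gpg --edit-key $KEYID` / `trust` / `5` session are removed here without being relocated anywhere in this diff, while the URL and `fetch` steps are moved into other sections. If the intent is that the Finish and Using keys sections already cover setting trust on a second host, a short pointer to where would help; otherwise these steps should be kept, since without ultimate trust on the imported public key GnuPG will warn on every signature verification.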
@@ -1615,6 +1552,14 @@ Or download the public key from a keyserver:
gpg --recv $KEYID
```
+Or with the URL on YubiKey, retrieve the public key:
+
+```console
+gpg/card> fetch
+
+gpg/card> quit
+```
+
Edit the Certify key:
```console
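Review bot: the added `gpg/card> fetch` block shows the card prompt but the lead sentence "Or with the URL on YubiKey, retrieve the public key:" does not say how to get there, unlike the earlier added block which states "Edit YubiKey with `gpg --edit-card`". Suggest the same phrasing here, e.g. "Or, with the URL stored on YubiKey, run `gpg --edit-card` and fetch the public key:" so the reader does not try `fetch` at a shell prompt.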
@@ -2010,7 +1955,7 @@ ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000
## (Optional) Save public key for identity file configuration
-By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`.
+By default, SSH attempts to use all the identities available via the agent. It's often a good idea to manage exactly which keys SSH will use to connect to a server, for example to separate different roles or [to avoid being fingerprinted by untrusted ssh servers](https://words.filippo.io/ssh-whoami-filippo-io/). To do this you'll need to use the command line argument `-i [identity_file]` or the `IdentityFile` and `IdentitiesOnly` options in `.ssh/config`.
The argument provided to `IdentityFile` is traditionally the path to the _private_ key file (for example `IdentityFile ~/.ssh/id_rsa`). For YubiKey, `IdentityFile` must point to the _public_ key file, and `ssh` will select the appropriate private key from those available via ssh-agent. To prevent `ssh` from trying all keys in the agent, use `IdentitiesOnly yes` along with one or more `-i` or `IdentityFile` options for the target host.
@@ -2135,7 +2080,7 @@ After sourcing the shell rc file, `ssh-add -l` will return the correct public ke
**Note** In this process no gpg-agent in the remote is involved, hence `gpg-agent.conf` in the remote is of no use. Also pinentry is invoked locally.
-### Chained SSH Agent Forwarding
+### Chained SSH agent forwarding
If you use `ssh-agent` provided by OpenSSH and want to forward it into a *third* box, you can just `ssh -A third` on the *remote*.
@@ -2265,18 +2210,12 @@ The goal is to configure SSH client inside WSL work together with the Windows ag
**Note** this works only for SSH agent forwarding. GnuPG forwarding for cryptographic operations is not supported. See [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant) for more information.
-#### Use ssh-agent or use S.weasel-pageant
-
-One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information.
-
-#### Prerequisites
+One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information. This requires:
* Ubuntu 16.04 or newer for WSL
* Kleopatra
* [Windows configuration](#windows)
-#### WSL configuration
-
Download [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant).
Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to the shell rc file. Use a named socket here so it can be used in the `RemoteForward` directive of `~/.ssh/config`. Source it with `source ~/.bashrc`.
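Review bot: merging the three WSL subsections into one paragraph ending in "This requires:" reads fine, but "still need to eval weasel to setup local ssh-agent" now has nothing to explain what "eval weasel" means until the `eval $(/mnt/c/<path of extraction>/weasel-pageant ...)` line two paragraphs later; a brief "(see the `eval` line below)" and "set up" instead of "setup" would tighten it.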
@@ -2291,8 +2230,6 @@ RemoteForward <remote SSH socket path> /tmp/S.weasel-pageant
**Note** The remote SSH socket path can be found with `gpgconf --list-dirs agent-ssh-socket`
-#### Remote host configuration
-
Add the following to the shell rc file:
```console
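Review bot: with the `#### Remote host configuration` heading removed, "Add the following to the shell rc file:" directly follows the note about `~/.ssh/config` and `gpgconf --list-dirs agent-ssh-socket`, so it is no longer clear whether the rc file in question is on the WSL side or the remote host; suggest "Add the following to the shell rc file on the remote host:".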
@@ -2436,7 +2373,7 @@ extra-socket /run/user/1000/gnupg/S.gpg-agent.extra
See [Issue #85](https://github.com/drduh/YubiKey-Guide/issues/85) for more information and troubleshooting.
-## Chained GPG Agent Forwarding
+## Chained GnuPG agent forwarding
Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines:
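Review bot: the heading is renamed from "GPG" to "GnuPG" here, but the parent entry `[Remote Machines (GPG Agent Forwarding)](#remote-machines-gpg-agent-forwarding)` in the table of contents is left unchanged, so the naming is now mixed within one section tree; either rename the parent too (updating its anchor wherever it is linked) or keep "GPG" here for consistency.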