From afc8580b0d62d78d61d45931b749625a4f91cc87 Mon Sep 17 00:00:00 2001 From: Brice Gagnage <40995873+BriceGagnageRenault@users.noreply.github.com> Date: Mon, 3 Dec 2018 13:54:40 +0100 Subject: Update README.md test --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 7f3880a..f8e9c6a 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d - [GitHub](#github) - [OpenBSD](#openbsd) - [Windows](#windows) + - [Windows Subsystem for Linux (WSL)](#wsl) - [Troubleshooting](#troubleshooting) - [Notes](#notes) - [Similar work](#similar-work) @@ -1406,6 +1407,9 @@ Create a shortcut that points to `gpg-connect-agent /bye` and place it in your s Now you can use PuTTY for public key SSH authentication. When the server asks for public key verification, PuTTY will forward the request to GPG, which will prompt you for your PIN and authorize the login using your YubiKey. +## WSL +plouf + # Troubleshooting - If you don't understand some option - read `man gpg`. -- cgit v1.2.3 From 432518b23c539d1f911c582892c22d8b63090e45 Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Mon, 3 Dec 2018 14:29:51 +0100 Subject: added img --- media/schema_gpg.png | Bin 0 -> 66518 bytes media/schema_gpg.pptx | Bin 0 -> 95622 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100755 media/schema_gpg.png create mode 100755 media/schema_gpg.pptx diff --git a/media/schema_gpg.png b/media/schema_gpg.png new file mode 100755 index 0000000..96b486f Binary files /dev/null and b/media/schema_gpg.png differ diff --git a/media/schema_gpg.pptx b/media/schema_gpg.pptx new file mode 100755 index 0000000..4c45f03 Binary files /dev/null and b/media/schema_gpg.pptx differ -- cgit v1.2.3 From 2b5891294a4efd2c8c85101a5ffd0eecd2f7bbd3 Mon Sep 17 00:00:00 2001 
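Review bot: the body added under `## WSL` in the README.md hunk at `@@ -1406,6 +1407,9 @@` is the placeholder `plouf`; a merged README should not carry a heading whose only content is filler, so either land the section text in the same commit or hold back both the heading and the new TOC entry `- [Windows Subsystem for Linux (WSL)](#wsl)` until the text exists (an anchor pointing at a one-word section is worse than no anchor).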
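Review bot: `media/schema_gpg.png` and `media/schema_gpg.pptx` are created with mode `100755`; an image and a PowerPoint file are not executables and should be `100644` (`git update-index --chmod=-x media/schema_gpg.png media/schema_gpg.pptx`). The 95 KB `.pptx` is also never linked from the README in these commits; if it is meant as the editable source of the diagram, say so next to the image, otherwise keep only the rendered PNG in the repository.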
From: Brice Gagnage <40995873+BriceGagnageRenault@users.noreply.github.com> Date: Mon, 3 Dec 2018 15:00:04 +0100 Subject: Update README.md continuing --- README.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f8e9c6a..28acf93 100644 --- a/README.md +++ b/README.md @@ -1408,7 +1408,23 @@ Create a shortcut that points to `gpg-connect-agent /bye` and place it in your s Now you can use PuTTY for public key SSH authentication. When the server asks for public key verification, PuTTY will forward the request to GPG, which will prompt you for your PIN and authorize the login using your YubiKey. ## WSL -plouf +The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve: +![WSL agent architecture](media/schema_gpg.png) +**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the weasel-agent site for further information. + +### Prerequisites +- Install Ubuntu >16.04 for WSL +- Install Kleopatra + +### Windows configuration +- In %APPDATA%/gnupg/scdaemon.conf, add `reader-port Yubico YubiKey OTP+FIDO+CCID 0` +- In %APPDATA%/gnupg/gpg-agent.conf, add +``` +enable-putty-support +enable-ssh-support +``` +- Open Kleopatra, go to Smartcard, plug your Yubikey, press F5. You should see your key's information. +- Go back to the main screen, go to Import..., select your public key file. # Troubleshooting -- cgit v1.2.3 From f39b92ae454376b3d773b14c5cd82dde151fb04b Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Mon, 3 Dec 2018 17:17:09 +0100 Subject: test sign --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 28acf93..89e62b2 100644 --- a/README.md +++ b/README.md 
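Review bot: the scdaemon line `reader-port Yubico YubiKey OTP+FIDO+CCID 0` in the `@@ -1408,7 +1408,23 @@` hunk hard-codes one reader name, but that string depends on the YubiKey model and firmware, so readers with a different model will get a non-working `scdaemon.conf`; tell them how to look the name up instead of giving a literal. Two smaller points in the same hunk: `enable-putty-support` only matters for PuTTY/Pageant and belongs in the Windows section rather than the WSL one (`enable-ssh-support` is the line this section actually needs), and the prerequisite `Install Ubuntu >16.04 for WSL` reads as "newer than 16.04" when 16.04 itself is presumably fine, so write `>=`. In the **Note**, "See the weasel-agent site" names the wrong project (the tool used below is weasel-pageant) and "actually not supported" should be "currently not supported".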
@@ -1425,6 +1425,7 @@ enable-ssh-support ``` - Open Kleopatra, go to Smartcard, plug your Yubikey, press F5. You should see your key's information. - Go back to the main screen, go to Import..., select your public key file. +- Open a command console # Troubleshooting -- cgit v1.2.3 From 92467bc12676e42c7de58faa7d9c97708c6bc805 Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Mon, 3 Dec 2018 17:19:45 +0100 Subject: test --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 89e62b2..1fc67b4 100644 --- a/README.md +++ b/README.md @@ -1425,7 +1425,7 @@ enable-ssh-support ``` - Open Kleopatra, go to Smartcard, plug your Yubikey, press F5. You should see your key's information. - Go back to the main screen, go to Import..., select your public key file. -- Open a command console +- Open a command console. # Troubleshooting -- cgit v1.2.3 From 1c15d89a542412964208b995b667820bcf692700 Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Mon, 3 Dec 2018 17:28:34 +0100 Subject: maow --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1fc67b4..89e62b2 100644 --- a/README.md +++ b/README.md @@ -1425,7 +1425,7 @@ enable-ssh-support ``` - Open Kleopatra, go to Smartcard, plug your Yubikey, press F5. You should see your key's information. - Go back to the main screen, go to Import..., select your public key file. -- Open a command console. +- Open a command console # Troubleshooting -- cgit v1.2.3 From 95624e2c489969dea2c29f64bd739436c0822db1 Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Tue, 4 Dec 2018 11:39:25 +0100 Subject: first draft --- README.md | 41 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 89e62b2..389878d 100644 --- a/README.md +++ b/README.md 
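Review bot: the three one-line hunks here (`+- Open a command console`, then `- Open a command console` → `- Open a command console.`, then the reverse) net out to a single added bullet; please squash `f39b92a`, `92467bc` and `1c15d89` into the following draft commit before merge so the history does not carry a period being added and removed under the messages "test" and "maow".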
@@ -1415,17 +1415,48 @@ The goal here is to make the SSH client inside WSL work together with the Window ### Prerequisites - Install Ubuntu >16.04 for WSL - Install Kleopatra +- [Windows configuration](#windows) ### Windows configuration - In %APPDATA%/gnupg/scdaemon.conf, add `reader-port Yubico YubiKey OTP+FIDO+CCID 0` -- In %APPDATA%/gnupg/gpg-agent.conf, add -``` -enable-putty-support -enable-ssh-support -``` +- In %APPDATA%/gnupg/gpg-agent.conf, add `enable-ssh-support` - Open Kleopatra, go to Smartcard, plug your Yubikey, press F5. You should see your key's information. - Go back to the main screen, go to Import..., select your public key file. - Open a command console +- Type `gpg --card-status`, you should see your Yubikey's details. +- Follow this part: [Trust master key](#trust-master-key) + +### WSL configuration +- Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant) +- Add `eval $(/mnt/c//weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent +- Source it `. ~/.bashrc` +- You should be able to see your SSH key with `ssh-add -l` +- Edit your `~/.ssh/config` file +- For each host you want to use agent forwarding, add +``` +ForwardAgent yes +RemoteForward /tmp/S.weasel-pageant +``` +**Note**: the remote ssh socket path can be found by executing `gpgconf --list-dirs agent-ssh-socket` on the host. + +### Remote host configuration +- Add `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` to your .bashrc or equivalent +- Edit your /etc/ssh/sshd_config and add: +``` +AllowAgentForwarding yes +StreamLocalBindUnlink yes +``` + +### Final test +- Unplug your Yubikey, reboot. +- Log back on Windows, open a WSL console and enter `ssh-add -l`, you should see nothing. +- Plug your Yubikey, enter the same command, you should see your ssh key. +- Log in to your remote host, you should have the pinentry popup/window asking for your Yubikey pin. +- On your remote host, type `ssh-add -l`. 
If should see your ssh key, that means your forwarding works ! + +**Note**: you can chain the agent forwarding through multiple hosts, you just have to follow the same [protocol](#remote-host-configuration) to configure each host. + + # Troubleshooting -- cgit v1.2.3 From ffd7b674c8223a21194521ceecd4464172892650 Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Tue, 4 Dec 2018 13:16:18 +0100 Subject: updated draft --- README.md | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 389878d..1776f4e 100644 --- a/README.md +++ b/README.md @@ -1410,7 +1410,7 @@ Now you can use PuTTY for public key SSH authentication. When the server asks fo ## WSL The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve: ![WSL agent architecture](media/schema_gpg.png) -**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the weasel-agent site for further information. +**Note**: this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the [weasel-pageant](https://github.com/vuori/weasel-pageant) readme for further information. ### Prerequisites - Install Ubuntu >16.04 for WSL 
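Review bot: in the `~/.ssh/config` snippet of the `@@ -1415,17 +1415,48 @@` hunk, `RemoteForward /tmp/S.weasel-pageant` is missing its first argument: for a Unix socket, OpenSSH's RemoteForward takes `remote_socket local_socket`, and the remote socket path is exactly what the note under the snippet tells the reader to obtain with `gpgconf --list-dirs agent-ssh-socket`; show both arguments in the snippet itself, e.g. `RemoteForward <remote agent-ssh-socket> /tmp/S.weasel-pageant`, otherwise the example as written does not forward to the weasel-pageant socket. Three further points on this hunk. First, `ForwardAgent yes` on the client and `AllowAgentForwarding yes` in `sshd_config` are redundant with this design: the remote `.bashrc` overrides `SSH_AUTH_SOCK` with the gpg-agent socket path that RemoteForward binds, so the sshd-created agent channel is never used, and leaving it enabled only widens what a compromised host can reach. Second, the page should say plainly that whoever is root on a host you forward to can sign with the YubiKey for the lifetime of the session, so forwarding (and the "chain ... through multiple hosts" note) should be limited to trusted hosts, ideally with a touch-to-sign policy on the key. Third, `/tmp/S.weasel-pageant` is a fixed name in a shared, world-writable directory; on a WSL instance with more than one user a local user could pre-create that path, so suggest a per-user location such as `~/.ssh/` or `$XDG_RUNTIME_DIR`. Also the bullet `eval $(/mnt/c//weasel-pageant -r -a /tmp/S.weasel-pageant)` has an empty path component between `/mnt/c/` and the binary; spell out that this is the reader's install directory.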
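Review bot: the corrected **Note** in the `@@ -1410,7 +1410,7 @@` hunk still says "Real GPG forwarding (encryption/decryption) is actually not supported", where "actually" is meant as "currently"; while touching the sentence, state what the limitation is in protocol terms (weasel-pageant speaks the ssh-agent protocol only, so the gpg-agent socket itself is not forwarded and remote `gpg --sign`/`--decrypt` will not reach the card), which is more useful than "real GPG forwarding".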
@@ -1418,21 +1418,24 @@ The goal here is to make the SSH client inside WSL work together with the Window - [Windows configuration](#windows) ### Windows configuration -- In %APPDATA%/gnupg/scdaemon.conf, add `reader-port Yubico YubiKey OTP+FIDO+CCID 0` +Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your Yubikey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, open the Device Manager, select "View->Show hidden devices". Go to the Software Devices list, you should see something like `Yubico YubiKey OTP+FIDO+CCID 0`. The name slightly differs according to the model. Thanks to [Scott Hanselman](https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx) for sharing this information. + +- Create or edit %APPDATA%/gnupg/scdaemon.conf, add `reader-port `. - In %APPDATA%/gnupg/gpg-agent.conf, add `enable-ssh-support` -- Open Kleopatra, go to Smartcard, plug your Yubikey, press F5. You should see your key's information. -- Go back to the main screen, go to Import..., select your public key file. +- Open Kleopatra, go to "Tools->Smartcard", plug your Yubikey, press F5. You should see your key's information. +- Go back to the main screen, go to "Import...", select your [public key file](#export-public-key). - Open a command console - Type `gpg --card-status`, you should see your Yubikey's details. - Follow this part: [Trust master key](#trust-master-key) ### WSL configuration -- Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant) -- Add `eval $(/mnt/c//weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent -- Source it `. 
~/.bashrc` -- You should be able to see your SSH key with `ssh-add -l` -- Edit your `~/.ssh/config` file -- For each host you want to use agent forwarding, add +- Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant). +- Add `eval $(/mnt/c//weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent. +**Note**: we use a named socket here so we can use it in the RemoteForward directive of the .ssh/config file. +- Source it `. ~/.bashrc`. +- You should be able to see your SSH key with `ssh-add -l`. +- Edit your `~/.ssh/config` file. +- For each host you want to use agent forwarding, add: ``` ForwardAgent yes RemoteForward /tmp/S.weasel-pageant @@ -1440,12 +1443,13 @@ RemoteForward /tmp/S.weasel-pageant **Note**: the remote ssh socket path can be found by executing `gpgconf --list-dirs agent-ssh-socket` on the host. ### Remote host configuration -- Add `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` to your .bashrc or equivalent +- Add `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` to your .bashrc or equivalent. - Edit your /etc/ssh/sshd_config and add: ``` AllowAgentForwarding yes StreamLocalBindUnlink yes ``` +- Reload the ssh daemon (e.g. `sudo service sshd reload`). ### Final test - Unplug your Yubikey, reboot. @@ -1506,3 +1510,4 @@ StreamLocalBindUnlink yes * https://alexcabal.com/creating-the-perfect-gpg-keypair/ * https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/ * https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos +* https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx -- cgit v1.2.3 From ee307676122c8417ae4e6344dfc93d74d66aa7a1 Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Tue, 4 Dec 2018 15:03:00 +0100 Subject: final draft --- README.md | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) 
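Review bot: in the `@@ -1418,21 +1418,24 @@` hunk the bullet `Create or edit %APPDATA%/gnupg/scdaemon.conf, add `reader-port `.` has nothing after `reader-port`, so the reader cannot see where the device name found in Device Manager goes; the same bullet should also spell the path with backslashes (`%APPDATA%\gnupg\scdaemon.conf`) since `%APPDATA%` is a Windows variable. The `gpg-agent.conf` bullet says "In ..., add" while the previous bullet says "Create or edit"; the file does not exist on a fresh Gpg4win install, so use the same wording for both. For the remote host, `sudo service sshd reload` should be labelled as one option (systemd hosts use `sudo systemctl reload sshd`), and the bullet should come after a `sshd -t` check, since a typo in `sshd_config` on a remote-only box locks the reader out on reload.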
diff --git a/README.md b/README.md index 1776f4e..03ebc13 100644 --- a/README.md +++ b/README.md 
@@ -1385,25 +1385,29 @@ Install `pcsc-tools` and enable with `doas rcctl enable pcscd`, then reboot in o ## Windows -Export the SSH key from GPG: +Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your Yubikey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, plug your Yubikey, open the Device Manager, select "View->Show hidden devices". Go to the Software Devices list, you should see something like `Yubico YubiKey OTP+FIDO+CCID 0`. The name slightly differs according to the model. Thanks to [Scott Hanselman](https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx) for sharing this information. +- Create or edit %APPDATA%/gnupg/scdaemon.conf, add `reader-port `. +- In %APPDATA%/gnupg/gpg-agent.conf, add: ``` -$ gpg --export-ssh-key $USERID +enable-ssh-support +enable-putty-support ``` -Copy this key to a file for later use. It represents the public SSH key corresponding to the secret key on your YubiKey. You can upload this key to any server you wish to SSH into. - -To authenticate SSH sessions via YubiKey, enable Gpg4Win's PuTTY integration. Create a file named `gpg-agent.conf` and place it in the directory `C:\%APPDATA%\gnupg`. -The file should contain the line `enable-putty-support`. - -Then, open a terminal and run the following commands: - +- Open a command console, restart the agent: ``` > gpg-connect-agent killagent /bye > gpg-connect-agent /bye ``` +- Enter `> gpg --card-status`, now you should see your Yubikey's details. +- Import your [public key](#export-public-key): `> gpg --import ` +- Trust it: [Trust master key](#trust-master-key) +- Retrieve your public key's id: `gpg --list-public-keys` +- Export the SSH key from GPG: `> gpg --export-ssh-key ` + +Copy this key to a file for later use. 
It represents the public SSH key corresponding to the secret key on your YubiKey. You can upload this key to any server you wish to SSH into. -Create a shortcut that points to `gpg-connect-agent /bye` and place it in your startup folder to make sure the agent starts after a system shutdown. +- Create a shortcut that points to `gpg-connect-agent /bye` and place it in your startup folder `shell:startup` to make sure the agent starts after a system shutdown. Modify the shortcut properties so it starts in a "Minimized" window, to avoid unnecessary noise at startup. Now you can use PuTTY for public key SSH authentication. When the server asks for public key verification, PuTTY will forward the request to GPG, which will prompt you for your PIN and authorize the login using your YubiKey. 
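Review bot: in the rewritten Windows section (`@@ -1385,25 +1385,29 @@`), the bullets `Import your public key: `> gpg --import `` and `Export the SSH key from GPG: `> gpg --export-ssh-key `` show no argument after the command, so the reader does not see that a file path and a key id are required; make the placeholder visible, and drop the `>` prompt from inside inline code, because the rest of this README only shows prompts inside fenced blocks and an inline `> gpg --card-status` breaks copy/paste. Two ordering points: the restart (`gpg-connect-agent killagent /bye`) must run after both `scdaemon.conf` and `gpg-agent.conf` are edited, which the hunk does, but say explicitly that `gpg --card-status` will fail until the restart so that a "no card" error is not mistaken for a wrong `reader-port` value; and the sentence "Copy this key to a file for later use" now follows a bullet list, so keep it as a bullet or move it into the export step.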
@@ -1417,17 +1421,6 @@ The goal here is to make the SSH client inside WSL work together with the Window - Install Kleopatra - [Windows configuration](#windows) -### Windows configuration -Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your Yubikey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, open the Device Manager, select "View->Show hidden devices". Go to the Software Devices list, you should see something like `Yubico YubiKey OTP+FIDO+CCID 0`. The name slightly differs according to the model. Thanks to [Scott Hanselman](https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx) for sharing this information. - -- Create or edit %APPDATA%/gnupg/scdaemon.conf, add `reader-port `. -- In %APPDATA%/gnupg/gpg-agent.conf, add `enable-ssh-support` -- Open Kleopatra, go to "Tools->Smartcard", plug your Yubikey, press F5. You should see your key's information. -- Go back to the main screen, go to "Import...", select your [public key file](#export-public-key). -- Open a command console -- Type `gpg --card-status`, you should see your Yubikey's details. -- Follow this part: [Trust master key](#trust-master-key) - ### WSL configuration - Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant). - Add `eval $(/mnt/c//weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent. 
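Review bot: this hunk removes the Kleopatra steps from the WSL section and points at `[Windows configuration](#windows)` instead, but the context line `- Install Kleopatra` stays in the prerequisites, so the reader is told to install a tool the procedure no longer uses; either drop that bullet (Gpg4win already ships Kleopatra) or keep one sentence saying it is optional for checking the card in "Tools->Smartcard".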
@@ -1443,7 +1436,11 @@ RemoteForward /tmp/S.weasel-pageant **Note**: the remote ssh socket path can be found by executing `gpgconf --list-dirs agent-ssh-socket` on the host. ### Remote host configuration -- Add `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` to your .bashrc or equivalent. +- Add to your .bashrc or equivalent: +``` +export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) +export GPG_TTY=$(tty) +``` - Edit your /etc/ssh/sshd_config and add: ``` AllowAgentForwarding yes -- cgit v1.2.3 From 86e03e6d09e7406be71f982571f7795ccc76f96b Mon Sep 17 00:00:00 2001 From: Brice Gagnage Date: Tue, 4 Dec 2018 15:11:13 +0100 Subject: final draft --- README.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 03ebc13..1b3c310 100644 --- a/README.md +++ b/README.md @@ -1402,7 +1402,7 @@ enable-putty-support - Enter `> gpg --card-status`, now you should see your Yubikey's details. - Import your [public key](#export-public-key): `> gpg --import ` - Trust it: [Trust master key](#trust-master-key) -- Retrieve your public key's id: `gpg --list-public-keys` +- Retrieve your public key's id: `> gpg --list-public-keys` - Export the SSH key from GPG: `> gpg --export-ssh-key ` Copy this key to a file for later use. It represents the public SSH key corresponding to the secret key on your YubiKey. You can upload this key to any server you wish to SSH into. 
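Review bot: `export GPG_TTY=$(tty)` in the `@@ -1443,7 +1436,11 @@` hunk is evaluated for every shell, including non-interactive ones (`ssh host cmd`, scp, rsync), where `tty` prints `not a tty` and that string ends up in `GPG_TTY`; guard it with an interactive check such as `[ -t 0 ] && export GPG_TTY=$(tty)` or move it to `.profile`. It is also worth noting in the text that `GPG_TTY` is only relevant if `gpg` itself runs on the remote host; the ssh-agent forwarding this section sets up does not need it, while the `SSH_AUTH_SOCK` export is the line that actually matters and should be the one documented, together with a note that it will fail silently (`gpgconf` absent) on hosts without GnuPG installed.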
@@ -1425,15 +1425,15 @@ The goal here is to make the SSH client inside WSL work together with the Window - Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant). - Add `eval $(/mnt/c//weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent. **Note**: we use a named socket here so we can use it in the RemoteForward directive of the .ssh/config file. -- Source it `. ~/.bashrc`. -- You should be able to see your SSH key with `ssh-add -l`. +- Source it `$ . ~/.bashrc`. +- You should be able to see your SSH key with `$ ssh-add -l`. - Edit your `~/.ssh/config` file. - For each host you want to use agent forwarding, add: ``` ForwardAgent yes RemoteForward /tmp/S.weasel-pageant ``` -**Note**: the remote ssh socket path can be found by executing `gpgconf --list-dirs agent-ssh-socket` on the host. +**Note**: the remote ssh socket path can be found by executing `$ gpgconf --list-dirs agent-ssh-socket` on the host. ### Remote host configuration - Add to your .bashrc or equivalent: 
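Review bot: the `@@ -1425,15 +1425,15 @@` hunk adds `$ ` prompts inside inline backticks (`$ . ~/.bashrc`, `$ ssh-add -l`, `$ gpgconf --list-dirs agent-ssh-socket`); elsewhere in this README prompts appear only in fenced blocks, and inside inline code they make the command fail when pasted, so either drop them or move these commands into fenced blocks like the surrounding snippets.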
@@ -1446,19 +1446,17 @@ export GPG_TTY=$(tty) AllowAgentForwarding yes StreamLocalBindUnlink yes ``` -- Reload the ssh daemon (e.g. `sudo service sshd reload`). +- Reload the ssh daemon (e.g. `$ sudo service sshd reload`). ### Final test -- Unplug your Yubikey, reboot. -- Log back on Windows, open a WSL console and enter `ssh-add -l`, you should see nothing. +- Unplug your Yubikey, disconnect or reboot. +- Log back on Windows, open a WSL console and enter `$ ssh-add -l`, you should see nothing. - Plug your Yubikey, enter the same command, you should see your ssh key. - Log in to your remote host, you should have the pinentry popup/window asking for your Yubikey pin. -- On your remote host, type `ssh-add -l`. If should see your ssh key, that means your forwarding works ! +- On your remote host, type `$ ssh-add -l`. If you see your ssh key, that means your forwarding works ! **Note**: you can chain the agent forwarding through multiple hosts, you just have to follow the same [protocol](#remote-host-configuration) to configure each host. - - # Troubleshooting - If you don't understand some option - read `man gpg`. -- cgit v1.2.3
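Review bot: in the **Final test** of the `@@ -1446,19 +1446,17 @@` hunk, "If you see your ssh key, that means your forwarding works !" has a space before the exclamation mark, and the check itself should compare fingerprints rather than presence: tell the reader to run `ssh-add -l` in WSL and on the remote host and confirm the fingerprint matches the key exported with `gpg --export-ssh-key`, since a key listed remotely could also come from a locally running agent bound to the same socket path (which `StreamLocalBindUnlink yes` in the preceding hunk would replace on each login). The surviving **Note** about chaining the forwarding through multiple hosts should carry the security caveat that every host in the chain can use the key while the session is open, so the chain should be limited to trusted hosts.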