Use a smart card like YubiKey, then forward your gpg-agent sockets over the SSH connection. Remote GPG will contact the gpg-agent on your laptop over the forwarded socket and delegate all crypto there; the private key never leaves the hardware token.

Jun 01, 2018: Generate a GPG key-pair, and convert it to an SSH key for authentication with your Linode.

Apr 18, 2014: Using GnuPG for SSH authentication. "Using GnuPG for SSH authentication" may refer to two distinct things: making the GnuPG agent (which is normally used to cache the passphrase of your OpenPGP key) also act as an SSH agent, to cache the passphrase of your SSH key; or using a key pair from your OpenPGP keyring as an SSH key pair.
Updated by Alex Fornuto. Contributed by Huw Evans.
You may be familiar with public key authentication for Secure Shell (SSH) on your Linode. But you may not have known that you can also use a GNU Privacy Guard (GPG) keypair to authenticate with SSH.
The chief benefit of this method is that instead of having separate keys for GPG messaging and SSH authentication, they can both belong to the same GPG keyring. This configuration really shines, however, when used with a GPG smartcard or YubiKey, because the card/dongle can store the underlying private key and only authenticate SSH sessions when it’s plugged in. WIRED reported that engineers at Facebook use this method for authenticating with local servers, so why shouldn’t you?
This guide will show you how to generate a GPG key, set up your computer to serve it in place of an SSH key, and put the new public key onto your server for authentication. It will also detail how to optionally move your GPG private key onto a smartcard or YubiKey to prevent authentication when the device isn’t plugged into your computer.
Before You Begin
Note
This guide will only work on UNIX-based (Linux & OS X) machines! The process is very complicated on Windows but may be possible with some research.
This guide assumes:
You don’t necessarily need to be familiar with SSH public key authentication or GPG encryption, but an understanding of their operation will help you out if you run into problems.
Generate a GPG Keypair
This section explains how to generate a new GPG keypair. If you already have one, you may skip these steps, as the next section will include instructions for how to create a subkey to use specifically for authentication. You will just need the 8-digit ID for your existing key to do so.
Caution
As an additional security measure, this process may be undertaken on an offline (non-network-connected) machine or a single-use Virtual Machine (VM). After installing the prerequisite packages, and only the prerequisite packages, disconnect it from the network and continue with the steps below.
All of these steps should be performed on a local machine, not your Linode.
Once this is done, your output should resemble the following:
This process has created a master GPG key and a subkey for encrypting messages and files. To authenticate with SSH, we need to generate a second subkey for authentication.
Generating the Authentication Subkey
Your terminal should now look like this:
Secure Your GPG Key
Caution
If you fail to back up or otherwise secure your key, any hardware failure will lead to you being unable to access your Linode with this key. If you lock out password access through SSH, you’ll need to use Lish to regain access.
You should always have a backup of your private key in case something goes wrong and you end up locked out of everything that requires it. This private key, along with the instructions in this guide, will be enough to get your setup working again if you need to start afresh on a new computer.
If something bad happens and you lose your keys, you can re-import them by overwriting the ~/.gnupg directory with your copy, and using:
Be sure to replace key-file with the location of each of your files.
Export Your Public Key
If you’re working on a VM or offline machine, you’ll also need to export your public key to be reimported later:
Be sure to replace key-id with your own key ID.
You can reimport it with the ever-handy gpg2 --import key-file command.
Move Your Key to a Smartcard or YubiKey (Optional)
Note
If you're using a brand new YubiKey, you'll need to enable OpenPGP Card / CCID Mode first. This can be done through the YubiKey Personalization Tool, or by running ykpersonalize -m82. ykpersonalize can be installed through your package manager.
Secure Your Card
It is assumed that you have already configured your card/YubiKey’s (herein referred to as ‘GPG device’) owner information. It is highly recommended that you secure your card before you start this section.
Note
Some of these commands may ask for a PIN or Admin PIN. The default PIN is usually 123456, and the default Admin PIN is usually 12345678. If these don't work, contact the manufacturer or review online documentation.
For reference, your window should resemble the following. This example is abbreviated:
Transfer Your Subkey
After all this, your output should resemble the following:
Congratulations! You’ve successfully transferred your authentication subkey to your device.
Caution
If you weren’t using a VM or offline machine, back up your local copies of the private keys, delete them, and ensure that the rest of the keys are still on the card.
Serve Your GPG key Instead of an SSH key
In this section, we’ll configure your local machine so the connection between GPG and SSH works properly.
Return to your local machine, import all of the appropriate GPG keys and insert the appropriate GPG device. Install GPG if you don’t already have it on your local computer (e.g. if you performed all the above steps on a VM).
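The link between the authentication subkey and gpg-agent's SSH support, as an added example that is not part of the original guide: it picks the subkey flagged "a" (authenticate) out of gpg's colon-separated key listing and writes the enable-ssh-support option and the sshcontrol entry that make gpg-agent serve that subkey to SSH. The colon listing, key IDs and keygrips are constructed sample data, and a temporary directory stands in for ~/.gnupg.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --with-colons --with-keygrip -K` output (fake
# key IDs and keygrips) so the script runs offline. On a real machine replace
# it with the command's actual output for your key ID.
SAMPLE_COLONS='sec:u:4096:1:AABBCCDD11223344:1527811200:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1527811200::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:5566778899AABBCC:1527811200::::::e:::+:::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:99AABBCCDDEEFF00:1527811200::::::a:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::3333333333333333333333333333333333333333:'

# Print the keygrip of every subkey whose capability field (field 12)
# contains "a". A grp record follows its ssb record, so remember whether the
# last ssb seen was an authentication subkey; a sec record resets the state.
auth_keygrips() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" { want = 0 }
        $1 == "ssb" { want = index($12, "a") > 0 }
        $1 == "grp" && want { print $10 }
    '
}

# Write the two files gpg-agent needs: enable-ssh-support in gpg-agent.conf
# and the keygrip in sshcontrol (the trailing 0 is the cache TTL field, which
# means "use the agent's default"). Both writes are idempotent.
configure_gpg_agent() {
    home="$1"; grip="$2"
    mkdir -p "$home" && chmod 700 "$home"
    grep -qs '^enable-ssh-support$' "$home/gpg-agent.conf" \
        || printf 'enable-ssh-support\n' >> "$home/gpg-agent.conf"
    grep -qs "^$grip " "$home/sshcontrol" \
        || printf '%s 0\n' "$grip" >> "$home/sshcontrol"
}

GRIP=$(auth_keygrips "$SAMPLE_COLONS")
DEMO_HOME=$(mktemp -d)          # stands in for ~/.gnupg
configure_gpg_agent "$DEMO_HOME" "$GRIP"
echo "authentication subkey keygrip: $GRIP"
# After restarting gpg-agent, point SSH at its socket and read the public key
# to paste into the Linode's ~/.ssh/authorized_keys:
#   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
#   ssh-add -L
```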
Add the New Key to Your Linode
The steps from the previous sections will take your GPG keys and pipe them through SSH so they can be used for authentication. The result of this process is that you’ve created a new RSA public key for use with SSH authentication.
You’re done! Disconnect, and all new logins should now use your GPG key instead of a passphrase. This SSH key can also be used with GitHub, Bitbucket, other SSH-based Version Control Systems, or anywhere else that accepts SSH keys.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This guide is published under a CC BY-ND 4.0 license.