SSH SmartCard authentication with MacGPG
Hi there,
I'm running the latest version of MacGPG on OS X 10.9 (thanks for
making this available so soon!!!)
I just purchased an OpenPGP SmartCard and moved all my subkeys to
it, which appears to be working just fine for signing / encrypting
even with the Mail plugin.
One other thing I'd now like to do is authenticate via SSH using
the SmartCard, so I added this to ~/.gnupg/gpg-agent.conf:
enable-ssh-support
I restarted the agent and even my Mac, but it seems like the key
on the SmartCard isn't recognized by SSH. When running ssh-add -l I
get this:
The agent has no identities.
I think it would be possible to add this using a PKCS#11
provider file, using ssh-add -s. However, I can't currently do this
because I don't know whether such a PKCS#11 provider file exists in
MacGPG and if this would even be the proper way for handling this
issue.
Please, could someone advise me on how / if using a SmartCard for
SSH authentication is possible on Mac OS?
Many thanks, keep up the amazing work!
Robin
1 Posted by ltning-gpgtools on 27 Oct, 2013 04:53 PM
Hey!
I've been doing this with both regular OpenPGP cards and with the Yubikey NEO (which has an openpgp "card" integrated). I've done it both using the GPGTools-bundled gnupg and with the one from (home)brew (gpg2).
Some hints:
Add
--write-env-file ~/.gpg-agent-info
to the startup parameters of gpg-agent, or add it to the gpg-agent.conf file. That way you just need to source that file (. ~/.gpg-agent-info) and export the needed variables (export SSH_AUTH_SOCK) for ssh to work.
Then list the keys on your card, and use the ID of the authentication key with
gpgkey2ssh <key ID>
That's the public key you want to stick into the authorized_keys file on the remote server.
Note that if you remove and re-insert your card/reader, scdaemon (part of gnupg) can be a bit fidgety, so just killall -9 scdaemon and re-insert the card if needed.
If you choose to use home-brew's gnupg2 instead of the gnupg that ships with gpgtools, make sure you remove the latter, brew install gnupg2, and then add this to gpg-agent.conf:
pinentry-program /Library/Frameworks/Libmacgpg.framework/Versions/B/Resources/pinentry-mac.app/Contents/MacOS/pinentry-mac
I'll leave it as an exercise for the reader how to get gpg-agent to start automatically on login (personally I rely on simply opening a terminal at some point, as that will launch gpg-agent for me -- see my .profile below).
# put the Homebrew gnupg2 binaries first on PATH
PATH="/usr/local/bin:/usr/local/sbin:$PATH"
# start gpg-agent and have it record its socket/PID variables in a file (full path, not ~)
gpg-agent --daemon --write-env-file "${HOME}/.gpg-agent-info"
if [ -f "${HOME}/.gpg-agent-info" ]; then
    # load the variables and export them so ssh uses gpg-agent's SSH socket
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
fi
# tell pinentry which terminal to use for the card PIN prompt
GPG_TTY=$(tty)
export GPG_TTY
. ~/.bashrc
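The steps above (write the agent's variables to a file, load them, export SSH_AUTH_SOCK, and avoid starting a second agent on every login) as an added POSIX sh example; this is not code from the thread or from GPGTools. It assumes the three-line GPG_AGENT_INFO / SSH_AUTH_SOCK / SSH_AGENT_PID format that gpg-agent --write-env-file produces; the function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example: load gpg-agent's env file so ssh talks to the agent's
# SSH socket, and check the file before trusting it.
# Assumed env-file format (what gpg-agent --write-env-file writes):
#   GPG_AGENT_INFO=/path/S.gpg-agent:12345:1
#   SSH_AUTH_SOCK=/path/S.gpg-agent.ssh
#   SSH_AGENT_PID=12345

# Read one VAR=value line from the env file without sourcing it,
# so a stale or malformed file is validated rather than executed.
agent_env_get() {
    # $1 = env file, $2 = variable name
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 only if all three variables are present, the PID is numeric
# and the SSH socket path is absolute.
agent_env_file_ok() {
    [ -f "$1" ] || return 1
    sock=$(agent_env_get "$1" SSH_AUTH_SOCK)
    pid=$(agent_env_get "$1" SSH_AGENT_PID)
    info=$(agent_env_get "$1" GPG_AGENT_INFO)
    [ -n "$sock" ] && [ -n "$pid" ] && [ -n "$info" ] || return 1
    case "$sock" in /*) ;; *) return 1 ;; esac
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Export the variables ssh needs. The default uses ${HOME}, never "~":
# gpg-agent does not expand a tilde in --write-env-file (the problem in the thread).
load_gpg_agent_env() {
    envfile="${1:-${HOME}/.gpg-agent-info}"
    agent_env_file_ok "$envfile" || return 1
    GPG_AGENT_INFO=$(agent_env_get "$envfile" GPG_AGENT_INFO)
    SSH_AUTH_SOCK=$(agent_env_get "$envfile" SSH_AUTH_SOCK)
    SSH_AGENT_PID=$(agent_env_get "$envfile" SSH_AGENT_PID)
    export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
}

# Start a new agent only when the recorded one is gone, so opening a
# terminal does not leave one gpg-agent per shell behind.
start_agent_if_needed() {
    envfile="${1:-${HOME}/.gpg-agent-info}"
    if load_gpg_agent_env "$envfile" && kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        return 0
    fi
    gpg-agent --daemon --write-env-file "$envfile" >/dev/null && load_gpg_agent_env "$envfile"
}

# Constructed sample env file for a dry run (no real agent or card needed).
demo_env_file() {
    f=$(mktemp)
    printf 'GPG_AGENT_INFO=/tmp/gpg-XYZ/S.gpg-agent:4242:1\nSSH_AUTH_SOCK=/tmp/gpg-XYZ/S.gpg-agent.ssh\nSSH_AGENT_PID=4242\n' > "$f"
    echo "$f"
}

# Usage from ~/.profile: start_agent_if_needed && ssh-add -l
# ssh-add -l should then list the card's authentication key instead of
# "The agent has no identities."
```

Parsing the file instead of sourcing it means a file written to the wrong place, truncated, or left over from a dead agent fails closed: load_gpg_agent_env returns non-zero and SSH_AUTH_SOCK stays untouched, so ssh reports a clear failure instead of silently talking to a socket that no longer exists.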
2 Posted by robin on 28 Oct, 2013 06:53 PM
Hi there,
thanks a lot for your instructions!
I’ve tried, however the --write-env-file ~/.gpg-agent-info option has no effect on my system. I’ve tried killing and restarting the agent, however no file is created in my home directory… It almost seems like the option is being ignored, because I also tried calling gpg-agent with that option but still no luck, also no error or the like was given. I added the parameter (without the --) to my ~/.gnupg/gpg-agent.conf and then restarted my Mac to be 100% sure, but nothing happened :-(
Any other ideas? I’m not sure what the Homebrew GPG you’re referring to is unfortunately, and am currently using the version of GnuPG provided with MacGPG.
Thanks!
Robin
3 Posted by ltning-gpgtools on 28 Oct, 2013 07:19 PM
Hey,
try without the ~ - use ${HOME} or simply the full path to the file you want to create.
/Eirik
4 Posted by robin on 28 Oct, 2013 07:54 PM
Hey Eirik,
oh wow, that was a complete no brainer on my end - sorry about that!!! Putting in the full path worked perfectly… I then followed your remaining instructions, and now this works beautifully :-)
Many thanks!!!
Robin
Support Staff 5 Posted by Steve on 28 Oct, 2013 09:27 PM
Open Support platform as it should be :)
Awesome community! Thanks ltning for your help.
I'm closing this discussion. Robin, if you need further assistance or have questions you can re-open this discussion here or open a new one any time.
Best, steve
Steve closed this discussion on 28 Oct, 2013 09:27 PM.