cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

SSH keys #22

Closed zelleb closed 4 years ago

zelleb commented 4 years ago

I'm a bit lost here. Just set everything up and gpg unlocking works! But I can't add ssh keys by ssh-add.

So I put export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) in my .zprofile, log out and back in. Then I try ssh-add ~/.ssh/$MYKEY and get Could not add identity ".ssh/$MYKEY": agent refused operation.

I've also tried putting SSH_AUTH_SOCK=/run/user/1000/gnupg/d.sfedixjsu86azud31phzsnqi/S.gpg-agent.ssh (returned by gpgconf --list-dirs agent-ssh-socket) in my .pam_environment, but get the same error.

Running gpg-connect-agent 'keyinfo --ssh-list' /bye just returns "OK"

Am I missing something obvious?

cruegge commented 4 years ago

Can you check that the socket file exists, and that gpg-agent is actually listening on it (e.g. fuser $SSH_AUTH_SOCK should show listening PIDs)? Maybe you need to add enable-ssh-support to your ~/.gnupg/gpg-agent.conf. I did not write that in the README because my config doesn't contain it, and I thought it was enabled by default.

zelleb commented 4 years ago

So uh, I took a slightly different approach now... I basically added a gpg subkey for ssh authentication and added its keygrip to ~/.config/gnupg/sshcontrol and ~/.config/pam-gnupg. And, as you suggested, I added enable-ssh-support and additionally max-cache-ttl-ssh 86400 to ~/.config/gnupg/gpg-agent.conf.

And I moved export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) back to .zprofile.

Before that I tried to debug the previous behavior: fuser $SSH_AUTH_SOCK returned the right PID of gpg-agent. But even with enable-ssh-support and max-cache-ttl-ssh 86400 in ~/.config/gnupg/gpg-agent.conf, ssh-add wouldn't let me add my ssh key...

I don't know if this is just "wrong" to do, but it werks™ now.
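A small diagnostic for the setup described in this comment (enable-ssh-support in gpg-agent.conf, the keygrip listed in sshcontrol, a live agent socket matching SSH_AUTH_SOCK). This is an added example, not code from pam-gnupg or from anyone in the thread; the function names are constructed, and it assumes `fuser` is installed for the socket check.

```shell
#!/bin/sh
# Added example: checks the pieces this thread touches. Helper names are
# constructed for this example and are not part of pam-gnupg or GnuPG.

# conf_has_ssh_support CONF: succeeds if an uncommented enable-ssh-support line exists
conf_has_ssh_support() {
    grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1" 2>/dev/null
}

# sshcontrol_has_keygrip SSHCONTROL KEYGRIP: succeeds if KEYGRIP is listed and
# not disabled (a leading '!' in sshcontrol disables the entry)
sshcontrol_has_keygrip() {
    grep -Eiq "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null
}

# socket_is_live PATH: succeeds if PATH is a unix socket some process holds open
socket_is_live() {
    [ -S "$1" ] && fuser "$1" >/dev/null 2>&1
}

# check_gpg_ssh_setup GNUPGHOME KEYGRIP [SOCKET]: one line per check, non-zero on any failure
check_gpg_ssh_setup() {
    home="$1"; keygrip="$2"
    sock="${3:-$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)}"
    rc=0
    if conf_has_ssh_support "$home/gpg-agent.conf"; then
        echo "ok   enable-ssh-support set in $home/gpg-agent.conf"
    else
        echo "FAIL enable-ssh-support missing from $home/gpg-agent.conf"; rc=1
    fi
    if sshcontrol_has_keygrip "$home/sshcontrol" "$keygrip"; then
        echo "ok   keygrip $keygrip listed in $home/sshcontrol"
    else
        echo "FAIL keygrip $keygrip not active in $home/sshcontrol"; rc=1
    fi
    if socket_is_live "$sock"; then
        echo "ok   gpg-agent listening on $sock"
    else
        echo "FAIL no agent listening on $sock"; rc=1
    fi
    if [ -n "$SSH_AUTH_SOCK" ] && [ "$SSH_AUTH_SOCK" = "$sock" ]; then
        echo "ok   SSH_AUTH_SOCK points at the gpg-agent ssh socket"
    else
        echo "FAIL SSH_AUTH_SOCK is '$SSH_AUTH_SOCK', expected $sock"; rc=1
    fi
    return "$rc"
}
```

Run it as `check_gpg_ssh_setup ~/.gnupg <KEYGRIP>` (or with ~/.config/gnupg as in this thread); a FAIL on the socket or SSH_AUTH_SOCK line is the case where ssh-add cannot even reach gpg-agent, while a FAIL on sshcontrol is the case where the agent answers but does not know the key.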

treeshateorcs commented 4 years ago

Hey @zelleb, please tell me how to add a gpg subkey for ssh. I can't find how to do that for an existing ssh key.

SSH auth doesn't work on my machine either.

zelleb commented 4 years ago

I did it like this: https://opensource.com/article/19/4/gpg-subkeys-ssh

I have no idea if it's possible to add an existing key tho. I created a new one and added it to my servers.