drduh / YubiKey-Guide

Guide to using YubiKey for GnuPG and SSH
http://drduh.github.io/YubiKey-Guide/
MIT License

Questions about gpg smart card functionalities and yubikey configured with agent forwarding #212

Closed reyman closed 2 years ago

reyman commented 3 years ago

Hi drduh,

Thanks for your fantastic work, it really helped me to understand and configure my YubiKey to work as I want.

I have some difficulties with this part: https://github.com/drduh/YubiKey-Guide#remote-machines-agent-forwarding

SSH connection using gpg-agent and a key created and stored on the YubiKey (as a smart card) works, so typing ssh-add -l on the remote after connecting works and returns 4096 SHA256:xxx cardno:xxx (RSA). Thanks for that.

BUT anything linked to detection of the smart card, like gpg --card-status or gpg --card-edit, doesn't work remotely. Is this strange, or is it normal behavior?

So, a second question, linked to the first: do you think it could be possible to forward a challenge/response configured on slot 2 over SSH using agent forwarding?

Connecting using:

ssh -A -R /run/user/0/gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra xxx

or

ssh -A xxx

My ~/.ssh/config for xxx:

Host xxx
  Hostname xxx
  User root
  ForwardAgent yes
  IdentityFile ~/.ssh/id_rsa_yubikey.pub

I'm using:

locally: gpg (GnuPG) 2.2.12
remotely: gpg (GnuPG) 2.2.20

LOCAL

local agent socket

socketdir:/run/user/1000/gnupg
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/reyman/.gnupg

gpg-agent.conf

enable-ssh-support
default-cache-ttl 300
max-cache-ttl 999999
debug-level guru
debug-all
log-file /home/reyman/.gnupg/gpg-agent.log

REMOTE

agent sockets:

socketdir:/run/user/0/gnupg
dirmngr-socket:/run/user/0/gnupg/S.dirmngr
agent-ssh-socket:/run/user/0/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/0/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/0/gnupg/S.gpg-agent.browser
agent-socket:/run/user/0/gnupg/S.gpg-agent
homedir:/root/.gnupg

gpg.conf

use-agent

Remote Nix config

        services.openssh.enable = true;
        services.openssh.permitRootLogin = "prohibit-password";
        services.udev.packages = [ pkgs.yubikey-personalization ];
        programs.ssh.startAgent = false;
        programs.gnupg.agent.pinentryFlavor = "curses";
        programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

        services.openssh.extraConfig = ''StreamLocalBindUnlink yes'';

I also posted this problem on the Nix forum: https://discourse.nixos.org/t/yubikey-smartcard-challenge-mode-usable-on-remote-ssh/8936/11

Thanks !

Nepochal commented 3 years ago

Hi. That is normal behavior, because the socket S.gpg-agent.extra is restricted to increase security. If you want to use all commands, try using the local S.gpg-agent socket.

Kind regards.

reyman commented 3 years ago

@Nepochal Hi!

Ok, hum, I'm not sure how to correctly configure this thing.

Do I need to remove all the "agent-extra-socket" entries in the local and remote conf, or do I need to reroute agent-extra-socket to /run/user/1000/gnupg/S.gpg-agent?

Best regards.

Nepochal commented 3 years ago

Try using ssh -A -R /run/user/0/gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent xxx to connect to your server. Your local S.gpg-agent socket is capable of all commands. Nevertheless, you should be aware that using the S.gpg-agent socket is less safe, because the commands are not restricted there.
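Added example (not part of this thread or the guide): a small POSIX sh helper that derives the ssh -R argument from the key:value listings that gpgconf --list-dirs prints, defaulting to the restricted S.gpg-agent.extra socket and only mapping the unrestricted S.gpg-agent when the caller explicitly asks for "full". It assumes awk is available; the listings below are constructed from the socket paths quoted in the issue.

```shell
#!/bin/sh
# Compose "-R <remote agent-socket>:<local socket>" for gpg-agent forwarding.
# Default is the restricted "extra" socket (signing/decryption only); the
# unrestricted socket, which allows card commands, must be requested by name.

# Print the value for key $2 from a "key:value" listing held in $1
# (the format of gpgconf --list-dirs). Prints nothing if the key is absent.
dir_from_listing() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '$1 == key { print $2; exit }'
}

# $1: local gpgconf --list-dirs output   $2: remote gpgconf --list-dirs output
# $3: "extra" (default) or "full"
agent_forward_arg() {
    local_listing=$1; remote_listing=$2; mode=${3:-extra}
    case "$mode" in
        extra) local_key=agent-extra-socket ;;
        full)  local_key=agent-socket ;;
        *) echo "mode must be extra or full" >&2; return 1 ;;
    esac
    local_sock=$(dir_from_listing "$local_listing" "$local_key")
    remote_sock=$(dir_from_listing "$remote_listing" agent-socket)
    # Refuse to emit a half-built forward if either side lacks the socket entry.
    [ -n "$local_sock" ] && [ -n "$remote_sock" ] || return 1
    printf '%s %s:%s\n' -R "$remote_sock" "$local_sock"
}

# Constructed sample listings (abridged; paths taken from the issue text).
LOCAL_DIRS='socketdir:/run/user/1000/gnupg
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-socket:/run/user/1000/gnupg/S.gpg-agent'
REMOTE_DIRS='socketdir:/run/user/0/gnupg
agent-socket:/run/user/0/gnupg/S.gpg-agent'

# Real use would be:
#   ssh $(agent_forward_arg "$(gpgconf --list-dirs)" "$(ssh xxx gpgconf --list-dirs)") xxx
agent_forward_arg "$LOCAL_DIRS" "$REMOTE_DIRS"        # restricted (default)
agent_forward_arg "$LOCAL_DIRS" "$REMOTE_DIRS" full   # unrestricted, opted in
```

The remote sshd still needs StreamLocalBindUnlink yes (as in the Nix config above) so a stale socket file does not block the bind.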

drduh commented 2 years ago

I don't use nor generally recommend agent forwarding, so please send a PR yourself if there's useful information to add to the guide.